PKI For Network Engineers (7/?): Network Device Enrollment Service (SCEP)

Greetings fellow Networkers!

In today’s installment, we’re going to configure network Device Enrollment Service, Microsoft’s implementation of SCEP.  Then we’ll enroll a router in-band.

A couple of things to note:

  1. By Default, NDES requires a one time password for enrollment.  This can be disabled via registry key.
  2. SCEP does not work with Elliptic Curve Certificate Authorities.  Enrollment over Secure Transport Supports in-band EC enrollment and is considered the successor to SCEP.
  3. I attached a pcap of all SCEP activity between the router and the CA.  if you look at the Cisco doc, it’ll explain what’s happening so you can interpret the activity in the PCAP.



PCAP of SCEP activity in video:


Cisco TechNote on SCEP (very well written):

Microsoft Guidance on installing and configuring NDES:



Leave a Reply