
ISE BYOD Microsoft SCEP NDES 802.1x The SCEP server returned an invalid response

Unanswered Question
May 8th, 2014


Using ISE 1.2 with WLC and on-boarding with single SSID. On occasion the error 'The SCEP server returned an invalid response' is received on the iPhone being on-boarded - this is intermittent. The issue resolves itself in time. Any ideas on troubleshooting? Thanks



nspasov Thu, 05/08/2014 - 14:29

Interestingly enough I am just setting this up and having the same issue. However, my issue is not going away :( I am using:

ISE: 1.2 Patch 7
WLC: 7.4
PKI: Two tier (Root CA and Issuing) with a dedicated NDES server. All of them Server 2012 R2

Saurav Lodh Fri, 05/09/2014 - 04:06

Please enable "auto-enrollment" in your SCEP.

sdoherty Fri, 05/09/2014 - 05:21

With 'auto-enrollment' off this would never work at all - like I said it is intermittent. We have installed the hotfix from MS and also increased the HTTP size in the URL field as per others' experience. I even set up a router with a CSR to get a cert during an outage period and was successful. I need to be able to troubleshoot the issue during a failure. We set up the NDES login account as per the guidance - I need to look this up and will post.

The console logs on the iPhone are very verbose but I am not sure what to look for during a failure - a success also has many error messages.


sdoherty Fri, 05/09/2014 - 06:57

On the NDES server regedit EnforcePassword = 0 and still having issues.  

This has been done as well:

It is possible for ISE to generate URLs that are too long for the IIS web server. In order to avoid this problem, the default IIS configuration can be modified to allow for longer URLs. Enter this command from the NDES server CLI:

%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"8192" /commit:apphost
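
Added example, not part of the original thread or of Cisco's guidance: one way to check during a failure window whether IIS request filtering on the NDES server is rejecting SCEP requests, by scanning the IIS W3C log for sub-status 404.14 (URL too long) and 404.15 (query string too long). The /certsrv/mscep path, the field layout and the sample log lines are assumptions constructed for illustration; adjust them to the fields your IIS site actually logs.

```python
# Added example, not from the thread. Scans IIS W3C log lines from the NDES
# server for SCEP requests that IIS request filtering rejected.
SCEP_STEM = "/certsrv/mscep"  # assumption: default NDES virtual directory
REJECTS = {
    ("404", "14"): "URL too long (requestLimits.maxUrl)",
    ("404", "15"): "query string too long (requestLimits.maxQueryString)",
}

def scan_iis_log(lines):
    """Return (rejections, longest_query_len) for SCEP requests in the log."""
    fields, rejections, longest = [], [], 0
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().startswith(SCEP_STEM):
            continue  # not a SCEP request
        query = row.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)
        longest = max(longest, qlen)
        reason = REJECTS.get((row.get("sc-status"), row.get("sc-substatus")))
        if reason:
            rejections.append({
                "time": f'{row.get("date")} {row.get("time")}',
                "client": row.get("c-ip"),
                "query_len": qlen,
                "reason": reason,
            })
    return rejections, longest

# Constructed sample input (not real log data).
LONG_QUERY = "operation=PKIOperation&message=" + "A" * 3000
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus",
    "2014-05-09 10:01:02 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 10.0.0.20 200 0",
    "2014-05-09 10:02:11 GET /certsrv/mscep/mscep.dll " + LONG_QUERY + " 10.0.0.20 404 15",
    "2014-05-09 10:03:40 GET /favicon.ico - 10.0.0.31 404 0",
]

if __name__ == "__main__":
    hits, longest = scan_iis_log(SAMPLE_LOG)
    for hit in hits:
        print(hit["time"], hit["client"], hit["query_len"], hit["reason"])
    print("longest SCEP query string seen:", longest)
```

If the rejection timestamps line up with the failed on-boarding attempts, the request limits are the cause; if no 404.14 or 404.15 entries appear during a failure, the problem lies elsewhere.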

