Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Windows client does not complete Provisioning. I am trying to use SCEP and NDES

I'm setting a lab environment with ISE patch 7 (Virtual), Windows server 2008 R2 (Virtual). I had follow instructions to make BYOD and get EAP-TLS certificates.

The first unsolved sittuation I have is with Windows Server. I can't figure out why the "Certificate Web Enrollment Service" and "Certificate Policy Web Enrollment Service" are not available when I enable Active Directory Certificate Service.

Anyway I set up all the rest of configuration on ISE. When I try a test the Guest Portal is displayed, the device is registered, and the Network Setup Assistant is started, but around 3/4 of the process it is aborted with an Error, but nothing explaining wath happened. The "More Information" link does not show anything.

Searching on the Windows Server I found this messages:

The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag

Network Device enrollment service cannot convert encoded portions of the client's http message, or the converter message is larger than 64k. invalid pointer

I suppose the problems should be on the WS but I don't have idea how to fix them.

I will appreciate your assistance. Thanks in advance


Daniel Escalante

Cisco Employee

Which guide did you use to

Which guide did you use to setup your CA/SCEP server? I have used the one from the TrustSec guide and had no issues:

Thank you for rating helpful posts!
New Member

Thank you ... I had read the

Thank you ... I had read the document you indicate and review LabMinutes videos. Labminutes was the first source where I saw the "certificate enrollment web service" and "certificate enrollment policy web service".

After that I had review several sources (videos and books) and I can't find something that indicates why the indicated services are available some times and not in others.

Cisco documentation does not mention these services, but I understand they are required to allow funcionality with non domain devices ...


Cisco Employee

If an option, I would

If an option, I would recommend removing the certificate services and start over. 

Also, are you using standard or enterprise version of the server 2008? Also, is it regular or R2?

Thank you for rating helpful posts!
New Member

Thank you.I'm using

Thank you.

I'm using enterprise server (for 2008 NDES is available with enterprise). I think I have R2.

My conclusion at this time is the hotfixes indicated in documentation were missing or not properly installed.

Tomorrow I would get news with the support from a coworker with a lot of experience in WS2008.

Cisco Employee

Perfect. Keep us posted on

Perfect. Keep us posted on the progress. It would be nice to know the cause and solution of this issue.

Thank you for rating helpful posts!