Cisco ASA – Send the right enrollment request to the CA

A few things I forgot to mention in my previous posts. You need to send a properly formatted request to the Microsoft NDES service from the Cisco ASA. This needs to include the domain and the correct key size. If you do not specify these enrollment properties correctly, the CA will deny the request. Usually the denial shows up in the Application log, indicating that the key size is wrong.

There is no real need to go up to a 2048-bit key size unless your security requirements demand it. Remember that a larger key size, multiplied by the number of connections, will impact CPU performance on the ASA.

Here is an example configuration for the ASA enrollment:

[image: example ASA enrollment configuration]


Also – be sure the NDES service account has the correct security permissions on the template. Go ahead and give it “Full Control”; this also checks the Auto-enroll permission.
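Rather than clicking through Event Viewer, the denial reason can be pulled out of the CA database and the Application log from PowerShell. The script below is an added example, not code from the original post. It assumes certutil.exe is available (it is on any CA or RSAT host), that you run it on the CA or pass a `ca-host\CA-Name` config string (placeholder), and that NDES logs under the `Microsoft-Windows-NetworkDeviceEnrollmentService` event source, which you should confirm on your own server.

```powershell
# Added example: find out why the CA turned down an ASA's SCEP request.

function Get-CaRejectedRequests {
    param(
        # Optional "ca-host\CA-Name" string (placeholder); omit when run on the CA itself
        [string]$CaConfig,
        # CA database disposition codes: 30 = failed, 31 = denied
        [int[]]$Disposition = @(30, 31)
    )
    foreach ($d in $Disposition) {
        # Ask certutil for only the columns that explain the rejection
        $cuArgs = @('-view', '-restrict', "Disposition=$d",
                    '-out', 'RequestID,RequesterName,SubmittedWhen,DispositionMessage')
        if ($CaConfig) { $cuArgs = @('-config', $CaConfig) + $cuArgs }
        # certutil prints one block per row; keep the "Label: value" lines and drop padding
        & certutil.exe @cuArgs | Where-Object { $_ -match ':' }
    }
}

function Get-NdesEvents {
    param(
        [int]$Hours = 24,
        # Assumed event source for the NDES role; adjust if your server logs under another name
        [string]$Provider = 'Microsoft-Windows-NetworkDeviceEnrollmentService'
    )
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $Provider
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: list denied/failed requests (the disposition message names the rejected key size or
# template), then the NDES-side errors for the last two days.
Get-CaRejectedRequests
Get-NdesEvents -Hours 48 | Format-Table -AutoSize -Wrap
```

The Request Disposition Message column is where the policy module records why it rejected the request, so it is the first thing to read when an ASA enrollment comes back denied.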

NDES Server Configuration for SCEP (Cisco ASA SCEP Proxy)

A quick little reminder – the Microsoft NDES implementation requires a one-time password to enroll network devices. However, this gets rather complicated because the whole BYOD concept means you do not have access to that one-time password. The administrator is not involved in getting you on the network, right? You get credentials and that’s all.

An adjustment needs to be made to the Microsoft NDES implementation to let the Cisco ASA proxy the SCEP enrollment request.

Disabling the “one-time password” on the NDES server is configured in the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword

Set the EnforcePassword value data to “0”. A value of “0” ensures no password is requested by NDES.


Another thing to keep in mind – the default NDES implementation will use the “IPSEC (Offline Request)” certificate template. You need to decide whether this is the template you want enrolled for those getting a BYOD certificate.


Let’s say you want better control over the certificate getting issued. I would recommend creating a custom template. Since this is a user device, let’s give it the right key usage.

  • Duplicate the “IPsec (Offline Request)” template – I use “User NDES”
  • Modify the extensions so the extension list looks like the following. You don’t have to assign all of these uses, but this mirrors the most likely use cases.
    • Server Authentication
    • Secure Email
    • Encrypting File System
    • Client Authentication
    • IPSec IKE Intermediate
  • Adjust the certificate validity period and renewal period according to your policy for user certificates.
  • Check the box for publish in Active Directory if you are using EFS.
  • Add the NDES service account to the security permissions on the template with “Read” and “Enroll” checked.
  • Modify the registry key to assign which certificate template is used during enrollment:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP
    • [image: MSCEP registry template values]

Cisco CUBE and MOH issues

Recent issue and a quick reminder about Cisco CUBE and MOH issues. If you’re having issues with inbound callers not hearing MOH when placed on hold, then the issue might not be CUBE.

Check this service parameter on CUCM – Duplex Streaming Enabled

“This parameter determines whether music on hold (MOH) and Annunciator use duplex streaming. Valid values specify True (use duplex [two-way] streaming for MOH and Annunciator) or False (use simplex [one-way] streaming for MOH and Annunciator). Specifying True facilitates interoperability with certain firewalls and NATs. The default value is “false”.”


Simple answer – Cisco IOS 15.x likes duplex audio streams.

Cisco ASA enrollment for SSL using SCEP

Alright – so if you’ve set up Microsoft NDES on server 2012 and followed the basic instructions your CA is now ready to auto enroll based on the “IPSECIntermediateOffline” template.

However, let’s say you want to actually enroll the Cisco ASA using SCEP to obtain a server authentication certificate. You would do this so your AnyConnect SSL/WebVPN uses an SSL certificate from your internal Active Directory Enterprise CA.

Simple – change the registry value read by MSCEP.dll and restart IIS. Then go back to your Cisco ASA and perform a new identity certificate enrollment. Be sure to populate all of the certificate name fields, getting your CN correct, for example:

CN=vpn.mydomain.net


The key is: HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY\MSCEP\

Set the value GeneralPurposeTemplate = WebServer

You can now enroll your Cisco ASA using SCEP to obtain a Server Authentication certificate. If you check the CA, you should now see an issued certificate using the WebServer template.

Be sure to set the GeneralPurposeTemplate back to “IPSECIntermediateOffline” once you’re done unless you need to SCEP enroll more Web Servers.
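The MSCEP registry values mentioned in the posts above (the EnforcePassword setting for the ASA SCEP proxy, the template mapping for the custom “User NDES” template, and the temporary switch to WebServer for the ASA’s own SSL certificate) are all under one key, so it is worth having one script that shows the current state and flips the template mapping back and forth. The following is an added example and not code from the original posts; it assumes the value names and the EnforcePassword subkey exactly as cited above, and that MSCEP.dll only re-reads the mapping after IIS restarts.

```powershell
# Added example: inspect and switch the NDES (MSCEP) template mapping.
$MscepKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesConfig {
    # The three template values live directly under MSCEP; the password switch is a DWORD
    # named EnforcePassword inside the EnforcePassword subkey (as the post above cites)
    $t  = Get-ItemProperty -Path $MscepKey
    $pw = Get-ItemProperty -Path "$MscepKey\EnforcePassword" -Name EnforcePassword
    [pscustomobject]@{
        EncryptionTemplate     = $t.EncryptionTemplate
        SignatureTemplate      = $t.SignatureTemplate
        GeneralPurposeTemplate = $t.GeneralPurposeTemplate
        # 0 = no challenge password (the ASA-proxy/BYOD setting), 1 = password required (default)
        EnforcePassword        = $pw.EnforcePassword
    }
}

function Set-NdesGeneralPurposeTemplate {
    param(
        # Template *name* as shown on the template's General tab (e.g. WebServer,
        # IPSECIntermediateOffline, or the name of your 'User NDES' duplicate), not its display name
        [Parameter(Mandatory)][string]$Template,
        [switch]$RestartIis
    )
    Set-ItemProperty -Path $MscepKey -Name GeneralPurposeTemplate -Value $Template -Type String
    # MSCEP.dll reads the mapping when it loads, so the change only takes effect after an IIS restart
    if ($RestartIis) { iisreset.exe | Out-Null }
    Get-NdesConfig
}

function Set-NdesEnforcePassword {
    param([Parameter(Mandatory)][bool]$Required, [switch]$RestartIis)
    $value = if ($Required) { 1 } else { 0 }
    Set-ItemProperty -Path "$MscepKey\EnforcePassword" -Name EnforcePassword -Value $value -Type DWord
    if ($RestartIis) { iisreset.exe | Out-Null }
    Get-NdesConfig
}

# Usage: record the current state, switch to WebServer for the ASA's SSL enrollment,
# then put IPSECIntermediateOffline back once the ASA has its certificate.
Get-NdesConfig
Set-NdesGeneralPurposeTemplate -Template 'WebServer' -RestartIis
# ... run the identity certificate enrollment on the ASA here ...
Set-NdesGeneralPurposeTemplate -Template 'IPSECIntermediateOffline' -RestartIis
```

Running Get-NdesConfig before and after the change gives you a record of which template NDES was handing out at any given time, which is useful when you later audit what the CA issued through the SCEP path.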

Windows Server 2012 NDES (SCEP)

So I’ve been working with the Windows Server 2012 NDES/SCEP installation. I’m setting this up to get a lot of Cisco networking equipment certificates from the Windows Active Directory domain. Since this also extends to iPhones and iPads it will be beneficial when I’m setting up client certificate authentication.

When installing NDES (SCEP) on Windows Server 2012, you definitely need to give it its own service account. I recommend using service accounts vs. the default IIS App Pool permissions.

Once you have added this service account to the IIS Users group, go ahead and configure the feature.

An additional thing to note: if you also install the CES/CEP features, you’re going to have a problem with your handlers.

This post is more or less to help me remember to check these properties when installing the NDES role. The issue is that once you get it all installed, you will start getting HTTP 500 errors when browsing http://localhost/certsrv/mscep/

A workaround for this issue is to change the order of the handlers for the Microsoft Simple Certificate Enrollment Protocol (MSCEP) applications in IIS so that the ExtensionlessUrlHandler-ISAPI-4.0_64bit handler comes after the StaticFile handler. To do so, you can follow the steps below:

1) Install and configure NDES (and CEP/CES).
2) Open IIS.
3) Select “Default Web Site”.
4) Click “View Applications” in the action panel on the right.
5) Double click the mscep application.
6) Double click “Handler Mappings”.
7) Click “View Ordered List…” in the action panel.
8) Select ExtensionlessUrlHandler-ISAPI-4.0_64bit and move it down so it is below StaticFile.
9) Repeat steps 6-8 for the mscep_admin application.
10) Restart IIS.
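After working through the steps above it is easy to fix one application and forget the other, so a quick check of the effective handler order in both applications is worthwhile. The script below is an added example, not part of the original post; it assumes the WebAdministration module is present on the NDES server and that the role created the applications at `Default Web Site/certsrv/mscep` and `Default Web Site/certsrv/mscep_admin` (adjust the paths if yours differ).

```powershell
# Added example: verify that StaticFile is matched before the extensionless ISAPI handler
# in the two NDES applications, which is the order the workaround above establishes.
Import-Module WebAdministration

function Test-MscepHandlerOrder {
    param(
        # IIS provider paths of the NDES applications (assumed default locations)
        [string[]]$AppPath = @('IIS:\Sites\Default Web Site\certsrv\mscep',
                               'IIS:\Sites\Default Web Site\certsrv\mscep_admin'),
        [string]$Extensionless = 'ExtensionlessUrlHandler-ISAPI-4.0_64bit',
        [string]$StaticFile    = 'StaticFile'
    )
    foreach ($p in $AppPath) {
        # IIS evaluates handlers in list order, so the position in this list is what matters
        $names = @(Get-WebHandler -PSPath $p | Select-Object -ExpandProperty Name)
        $iExt    = [array]::IndexOf($names, $Extensionless)
        $iStatic = [array]::IndexOf($names, $StaticFile)
        [pscustomobject]@{
            Application     = $p
            ExtensionlessAt = $iExt
            StaticFileAt    = $iStatic
            # Healthy only when both handlers exist and StaticFile comes first
            OrderOk         = ($iExt -ge 0 -and $iStatic -ge 0 -and $iStatic -lt $iExt)
        }
    }
}

# Usage: any row with OrderOk = False still needs the "View Ordered List..." fix above
Test-MscepHandlerOrder | Format-Table -AutoSize
```

Run it once after step 10; if either application reports OrderOk = False you have most likely only reordered one of the two, which is exactly the case step 9 guards against.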


Thanks for the comment that is related to error code 0x800700ea.