In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP NDES
server RA certificate is installed on the ISE node.
Which of the following best describes the reason the certificate is there? (Select the best answer.)
A. The ISE is a SCEP proxy for a Windows CA.
B. The ISE is a CA for the Windows AD domain.
C. The ISE has been compromised, and the CA chain has been altered.
D. The ISE requires the CA in order to mitigate a Windows Server SCEP bug.
Explanation:
If a Simple Certificate Enrollment Protocol (SCEP) Network Device Enrollment Service (NDES) server
registration authority (RA) certificate is installed in the Certificate Store of a Cisco Identity Services Engine
(ISE) node, the ISE is acting as a SCEP proxy for a Windows certificate authority (CA). Implementing ISE as a
SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without
administrative overhead for the IT department.
The ISE is not a CA for the Windows Active Directory (AD) domain. When configured with a SCEP CA profile,
the ISE will contain a SCEP NDES server RA certificate in the Certificate Store. RAs verify requests for
certificates and enable the CA to issue them.
The ISE does not require the CA in order to mitigate a Windows Server SCEP bug. However, configuring ISE
as a SCEP proxy to a Microsoft Windows 2008 R2 Server does require the installation of some Microsoft SCEP
implementation hotfixes.
There is nothing in this scenario to indicate that the ISE has been compromised. In addition, there is no reason
to suspect that the CA chain has been altered.
Reference:
Cisco: ISE SCEP Support for BYOD Configuration Example: Configure ISE as a SCEP proxy