SCEP MS-NDES Radius

Hello,

I’m new to this forum and new to MikroTik land.

For one of our customers we need to do the following.

The customer’s network is protected by a Cisco ISE RADIUS instance to control access with Dot1x.
The customer has an MS-NDES for SCEP functionality so the certificate can automatically renew.

The first time, we can connect our MikroTik HexS to the customer’s edge switch with an OTP received from the customer. Then we are authenticated on MAB (MAC address).
When connected to the network we import the CA cert, make a template and apply it so we can authenticate to ISE with EAP-TTLS (where the login details are replaced by the trusted certificate).

The certificate has a validity of 5 days. This all works just fine!!!

Now my question!!

Before the end of the cert expiration the SCEP-process kicks in to renew the cert.
And we receive the following error from the NDES server:
Microsoft-Windows-NetworkDeviceEnrollmentService 29 None The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.

It seems that the MikroTik is still using the OTP while it should use the ‘trusted’ certificate received from the NDES (CA).
When using the ‘scep-renew’ command there is no change.

Is there any way we can manipulate the SCEP request process? (other than just renew)
Is MikroTik compatible with MS-NDES?

Since we have only a view on our side (meaning the MikroTik, and have no access to the SCEP server to investigate the logs), I’m just checking here if someone already got a MikroTik ↔ NDES setup working? Or is this not possible?

HW: HexS – firmware: 6.44.6

Kind regards,
T