6. CSE-200 Configurator
SCEP implementation is specifically targeted at the Network Device Enrolment Service (NDES) which is part of Windows Server
2008 R2 and Windows Server 2012. No other SCEP server implementations are supported.
Image 6-21
About NDES
The Network Device Enrolment Service is Microsoft’s server implementation of the SCEP protocol. If you want to enable EAP-TLS
using SCEP make sure NDES is enabled, configured and running on your Windows Server. For more details about setting up NDES,
please visit the Microsoft website (see footnote 2). SCEP uses a so-called “challenge password” to authenticate the enrollment request. For NDES,
this challenge can be retrieved from your server at: http(s)://[your-server-hostname]/CertSrv/mscep_admin.
When you enter the necessary credentials into the setup wizard, the Base Unit will automatically retrieve this challenge from the
web page and use it in the enrollment request, thereby fully automating the process.
Necessary Data to continue:
Domain: The company domain for which you are enrolling. It should match the one defined in your Active Directory.
SCEP Server IP/hostname: This is the IP or hostname of the Windows Server in your network running the NDES service. Since Internet Information Services (IIS) supports both HTTP and HTTPS, also include which of the two you want to use. If not provided, it will default to HTTP. E.g.: http://myserver or https://10.192.5.1 or server.mycompany.com (will use http)
SCEP User name: This is a user in your Active Directory which has the required permission to access the NDES service and request the challenge password. To be sure of this, the user should be part of the CA Administrators group (in case of a stand-alone CA) or have enroll permissions on the configured certificate templates.
SCEP Password: The corresponding password for the identity that you are using to authenticate on the corporate network. Per Base Unit, every Button uses the same identity and password to connect to the corporate network.
Domain: The company domain for which you are enrolling. It should match the one defined in your Active Directory.
Identity: Identity of the user account in the Active Directory which will be used by the ClickShare Buttons to connect to the corporate network. When using EAP-TLS make sure that the necessary mapping exists between the Client Certificate issued by your CA and this user account.
Corporate SSID: The SSID of your corporate wireless infrastructure to which the ClickShare Buttons will connect.
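A pre-flight check for the SCEP server field described above, as an added example (not Barco's code): it applies the documented default-to-HTTP rule, derives the NDES challenge page URL, and flags entries where the challenge password would be fetched without TLS. The function names and the rejection of paths or embedded credentials are assumptions of this check, not documented Base Unit behaviour.

```python
from urllib.parse import urlsplit

# Path of the NDES challenge page, as given in the manual.
CHALLENGE_PATH = "/CertSrv/mscep_admin"


def normalize_scep_server(entry):
    """Normalize a 'SCEP Server IP/hostname' value; no scheme means HTTP."""
    value = entry.strip()
    if not value:
        raise ValueError("SCEP server field is empty")
    explicit = "://" in value
    if not explicit:
        value = "http://" + value  # documented default when no scheme is given
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("no IP or hostname in SCEP server field")
    # Assumption of this check: only scheme + host (+ port) belong in the field.
    if "@" in parts.netloc:
        raise ValueError("credentials must not be embedded in the server field")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("enter only the scheme and IP/hostname, not a path")
    return {
        "challenge_url": "%s://%s%s" % (scheme, parts.netloc, CHALLENGE_PATH),
        "tls": scheme == "https",
        "scheme_defaulted": not explicit,
    }


def audit(entries):
    """Return (entry, status) pairs; anything but 'TLS' deserves a second look."""
    report = []
    for entry in entries:
        try:
            result = normalize_scep_server(entry)
        except ValueError as exc:
            report.append((entry, "INVALID: %s" % exc))
            continue
        if result["tls"]:
            report.append((entry, "TLS"))
        elif result["scheme_defaulted"]:
            report.append((entry, "NO TLS (scheme omitted, defaulted to HTTP)"))
        else:
            report.append((entry, "NO TLS (HTTP chosen explicitly)"))
    return report


if __name__ == "__main__":
    # The three sample values from the manual, plus one constructed bad entry.
    samples = ["http://myserver", "https://10.192.5.1", "server.mycompany.com", "ftp://x"]
    for entry, status in audit(samples):
        print("%-24s %s" % (entry, status))
```

An entry reported as NO TLS means the challenge page, and the challenge password it returns, cross the network over plain HTTP; entering the https:// form explicitly avoids the silent default.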
Using manual upload of certificates
Select the radio button next to Provide certificates manually and click Next.
If your current setup does not support SCEP or you prefer not to use it but you still want to benefit from the mutual authentication
EAP-TLS offers, it is also possible to manually upload the necessary certificates.
2. NDES White Paper: http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs-en-us.aspx
R5900023 CSE-200 11/04/2016 43