In a SCEP proxy flow, Cisco ISE acts as a Registration Authority (RA) that facilitates certificate enrollment between an endpoint and an external Certificate Authority (CA), such as a Microsoft CA running Network Device Enrollment Services (NDES).
Here is how the technical process works during BYOD onboarding:
CSR Generation: The endpoint (e.g., an iPhone or Windows laptop) generates a key pair and a Certificate Signing Request (CSR) locally on the device itself, so the private key never leaves the endpoint.
Request to ISE: The endpoint sends this CSR to the ISE Policy Services Node (PSN).
Validation and Proxy: ISE validates the requester and then forwards (proxies) the enrollment request to the external CA using the SCEP protocol.
Issuance: The external CA automatically issues the signed certificate and returns it to ISE.
Delivery: ISE delivers the final signed certificate to the endpoint via the provisioning service (such as Over-the-Air for iOS) to be installed in the device's certificate store.
For this to work, you must configure the external CA's SCEP URL in ISE (typically http://CA_IP/certsrv/mscep/) and ensure ISE trusts the CA's public certificate; otherwise ISE cannot validate the SCEP responses it receives from the CA.