In the Cisco ISE GUI, you click Administration > Certificates > Certificate Store and notice that a SCEP NDES server RA certificate is installed on the ISE node.
Which of the following best describes the reason the certificate is there? (Select the best answer.)
- The ISE is a SCEP proxy for a Windows CA.
- The ISE is a CA for the Windows AD domain.
- The ISE has been compromised, and the CA chain has been altered.
- The ISE requires the CA in order to mitigate a Windows Server SCEP bug.
If a Simple Certificate Enrollment Protocol (SCEP) Network Device Enrollment Service (NDES) server registration authority (RA) certificate is installed in the Certificate Store of the Cisco Identity Services Engine (ISE), the ISE is a SCEP proxy for a Windows certificate authority (CA). Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT department.
The ISE is not a CA for the Windows Active Directory (AD) domain. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES server RA certificate in the Certificate Store. RAs verify requests for certificates and enable the CA to issue them.
The ISE does not require the CA in order to mitigate a Windows Server SCEP bug. However, configuring ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server does require the installation of some Microsoft SCEP implementation hotfixes.
There is nothing in this scenario to indicate that the ISE has been compromised. In addition, there is no reason to suspect that the CA chain has been altered.