You want to configure Cisco ISE as a SCEP proxy to a Microsoft Windows 2008 R2 Server root CA. Which of the following also needs to be configured? (Select the best answer.)
- AD on the CA
- a root CA on the Cisco ISE
- a manually installed certificate on the connecting BYOD device
- NDES on a CA or domain member server
Microsoft Network Device Enrollment Service (NDES) on a certificate authority (CA) or domain member server also needs to be configured if you want to configure Cisco Identity Services Engine (ISE) as a Simple Certificate Enrollment Protocol (SCEP) proxy to a Microsoft Windows 2008 R2 Server root CA.
Implementing ISE as a SCEP proxy enables bring your own device (BYOD) users to register their devices on their own, without administrative overhead from the IT department.
You are not required to configure a root CA on the Cisco ISE. Configuring ISE as a SCEP proxy indicates that ISE communicates with the CA on the behalf of its client devices. However, the ISE does need to be configured with a SCEP CA profile. When configured with a SCEP CA profile, the ISE will contain a SCEP NDES server registration authority (RA) certificate in the Certificate Store. RAs verify requests for certificates and enable the CA to issue them.
You are not required to configure Active Directory (AD) on the CA. AD is typically configured on domain controllers, although member servers and workstations can connect to the AD domain.
You are not required to manually install a certificate on the connecting BYOD device. Manually installing a client certificate on the BYOD device would defeat the purpose of configuring the ISE as a SCEP proxy, because administrative intervention would be required.