Barco ClickShare CSE-800 Installation Manual page 67

Image 6-29
About NDES
The Network Device Enrolment Service is Microsoft's server implementation of the SCEP protocol. If you want to enable EAP-TLS
using SCEP make sure NDES is enabled, configured and running on your Windows Server. For more details about setting up NDES,
please visit the Microsoft website
this challenge can be retrieved from your server at: http(s)://[your-server-hostname]/CertSrv/mscep_admin.
When you enter the necessary credentials into the setup wizard, the Base Unit will automatically retrieve this challenge from the
web page and use it in the enrollment request, thereby fully automating the process.
Necessary Data to continue:
Domain
SCEP ServerIP/host-
name
SCEP User name
SCEP Password
Domain
Identity
Corporate SSID
Using manually upload of certificates
Select the radio button next to Provide certificates manually and click Next.
If your current setup does not support SCEP or you prefer not to use it but you still want to benefit of the mutual authentication
EAP-TLS offers, it is also possible to manually upload the necessary certificates.
4. NDES White Paper: http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs-en-us.aspx
R5900049 CLICKSHARE CSE-800 19/03/2018
4
. SCEP uses a so called "challenge password" to authenticate the enrollment request. For NDES,
The company domain for which you are enrolling, should match with the one defined in your Active
Directory.
This is the IP or hostname of the Windows Server in your network running the NDES service. Since
Internet Information Services (IIS) supports both HTTP and HTTPS, also include which of the two you
want to use. If not provided it will be default set to HTTP.
E.g.: http://myserver or https://10.192.5.1 or server.mycompany.com (will use http)
This is a user in your Active Directory which has the required permission to access the NDES
service and request the challenge password. To be sure of this, the user should be part of the CA
Administrators group (in case of a stand-alone CA) or have enroll permissions on the configured
certificate templates.
The corresponding password for the identity that you are using to authenticate on the corporate
network. Per Base Unit, every Button uses the same identity and password to connect to the
corporate network.
The company domain for which you are enrolling should match the one defined in your Active
Directory.
Identity of the user account in the Active Directory which will be used by the ClickShare Buttons to
connect to the corporate network. When using EAP-TLS make sure that the necessary mapping
exists between the Client Certificate issued by your CA and this user account.
The SSID of your corporate wireless infrastructure to which the ClickShare Buttons will connect.
6. CSE-800 Configurator
51