Scep
These scenarios show how to configure the SCEP protocol to retrieve certificates from a PKI server.
Test SCEP Protocol With Linux PKI
Description
In this scenario, the SCEP protocol is used to retrieve digital certificates (X509) from a Linux PKI server.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR digest sha256 set system certificate scep csr CSR distinguished-names CN=MyUserCert set system certificate scep csr CSR encrypted-password U2FsdGVkX1/CvVvpFWZyo8cvXgm9ADw+5ICrC4qT9B4= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.144 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.144/0.144/0.144/0.000 ms
Step 3: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Jan 27 17:08:00 2026 GMT Jan 27 17:08:00 2027 GMT
Step 4: Run command pki show certificate running://auth/certificates/scep/CSR/ca/ca.der at DUT0 and check if output contains the following tokens:
Subject: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ESShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 7c:28:60:8a:6f:42:5d:c8:44:f0:10:0d:61:e5:ca:40:11:bc:ea:f2 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ES Validity Not Before: Apr 16 09:19:39 2025 GMT Not After : Apr 11 09:19:39 2045 GMT Subject: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ES Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:de:b7:3b:d9:9b:e3:d3:57:9b:b0:33:67:c0:40: 4f:45:84:ea:c2:35:a6:08:3b:3a:fd:6d:fa:d7:2b: 3d:7f:1c:a1:92:15:08:8b:5c:02:ec:6a:66:46:c5: 6f:7f:9b:9d:c3:86:e1:97:47:9b:5e:ea:96:5b:bf: 68:35:96:4f:6e:64:c6:7d:f6:da:6b:f9:bf:98:b1: 32:63:ae:f4:5b:2f:cd:6d:d7:ef:db:01:12:b0:a4: 54:95:6e:e8:84:4a:0a:f1:13:83:13:a1:7a:1d:f4: 06:3f:e3:53:5d:9f:68:a1:a0:5c:51:05:ba:8c:da: 00:11:64:4b:e8:37:c3:70:43:9c:16:dd:46:fb:34: e4:3c:ae:a4:9a:a1:da:cf:a1:f5:93:13:a6:0e:68: 51:31:f7:26:63:a3:8b:47:c3:94:e4:34:d2:b0:36: cf:22:e5:81:dd:a4:01:e8:79:08:37:ad:7a:b9:da: 24:37:cc:53:f4:51:f8:b5:67:09:15:63:52:60:7f: b0:e2:f0:38:cd:3c:13:42:81:5f:e2:dd:e2:c5:37: f3:ef:05:8c:85:2f:2a:0a:f4:94:2f:70:56:7f:7d: a9:f6:ca:69:0b:a7:40:e1:fa:bc:f0:f4:01:7a:76: 55:f4:2a:57:43:8b:f1:87:58:f2:f4:db:23:26:33: f8:4f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: D3:97:2E:56:37:6A:89:77:01:D4:E3:42:0D:EC:E7:10:79:9C:E8:7C X509v3 Authority Key Identifier: keyid:D3:97:2E:56:37:6A:89:77:01:D4:E3:42:0D:EC:E7:10:79:9C:E8:7C DirName:/CN=Teldat-PKI/O=Teldat/L=Madrid/C=ES serial:7C:28:60:8A:6F:42:5D:C8:44:F0:10:0D:61:E5:CA:40:11:BC:EA:F2 X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Key Encipherment, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption Signature Value: 5e:0d:47:96:a2:24:38:fa:62:5b:0c:c2:4e:59:23:79:40:1b: 88:d1:63:11:0b:ce:bc:63:46:cd:70:33:52:75:4b:85:c1:39: be:3c:ce:7c:66:53:63:b4:39:07:ec:ef:52:fe:fa:dc:c1:fb: e4:51:61:28:58:4f:90:71:83:50:7d:62:a9:16:fa:45:89:08: 5f:39:43:6a:b1:bb:ad:4e:6f:50:bc:07:4f:1c:5b:07:df:63: ec:44:20:48:b6:97:00:e2:9d:8e:42:9e:96:5f:71:7a:43:96: de:fd:66:6b:45:85:5d:e4:dc:bf:e9:34:64:4f:3a:7b:33:a0: 54:80:3b:9a:5b:1f:3f:3f:1c:09:a3:8e:d8:b6:2a:ba:b2:07: 87:fa:0f:a5:69:41:06:b1:14:6f:09:4f:bb:88:60:87:70:83: 31:73:ed:2a:03:ca:3c:19:0a:b2:24:61:c6:ce:09:97:ac:6e: da:cb:47:88:c5:f5:a7:74:d2:96:e0:cc:c3:b6:b7:f6:64:9f: ad:1c:7f:36:fd:39:7c:57:54:a5:e9:8a:82:90:4d:cd:74:99: 27:4d:f6:62:a6:96:c5:6e:d3:02:ec:c1:4d:5f:46:b6:82:75: 12:61:d7:a3:d6:70:f6:35:9d:9c:30:06:84:af:b2:cb:a5:a0: 5e:d3:1d:6c
Step 5: Run command pki show certificate running://auth/certificates/scep/CSR/user/cert at DUT0 and check if output contains the following tokens:
Subject: CN = MyUserCertShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ES Validity Not Before: Jan 27 17:08:00 2026 GMT Not After : Jan 27 17:08:00 2027 GMT Subject: CN = MyUserCert Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:c2:46:20:b8:7b:c5:e3:b0:f9:10:f5:b2:36:3e: a6:a5:2f:ee:58:cc:e7:d4:ce:a9:75:d2:66:5d:23: d7:41:4a:2e:bf:ef:7b:47:00:fe:9e:8b:ca:06:27: 97:3e:7e:ae:5f:68:72:9c:36:54:70:3c:ce:35:cd: c6:d3:b6:69:2e:38:92:18:f7:97:d0:5c:a0:cc:eb: 1d:4c:fa:16:4b:f9:a8:f8:ef:d4:cf:35:6d:90:c7: fb:24:51:d5:6c:59:59:e4:36:2d:0a:cc:8f:42:76: 24:c6:1a:f3:18:65:6a:fc:f3:c6:4e:a5:5d:53:3a: 47:0d:76:59:fa:dd:e3:df:f0:cd:32:17:c8:9f:da: dc:7c:06:ae:83:4b:c4:30:3f:00:9b:58:57:a5:91: 50:76:ff:13:99:b3:a3:a3:a3:81:28:a0:38:49:d4: f0:10:25:5d:29:a9:17:c2:ca:e6:35:de:f1:38:5a: 49:ec:3b:3f:1f:f4:3f:a2:3c:73:77:a0:25:16:df: b8:04:1b:6f:25:30:54:9a:83:b4:e7:d4:a3:17:86: ef:48:3f:d7:88:c4:50:a9:ee:a7:d8:12:e8:ba:a6: 9b:71:0a:7b:01:a6:bb:90:63:fa:6d:f2:36:65:28: 93:ef:ab:3b:8c:cc:fe:e1:95:4c:62:d8:97:a0:02: df:37 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Subject Key Identifier: 9A:19:6B:C6:68:B9:52:E5:2F:5E:D7:41:81:0C:06:42:9C:E7:88:E0 X509v3 Authority Key Identifier: D3:97:2E:56:37:6A:89:77:01:D4:E3:42:0D:EC:E7:10:79:9C:E8:7C Signature Algorithm: sha256WithRSAEncryption Signature Value: 9c:82:dd:89:a1:51:24:7b:a4:d7:8a:d4:78:ee:98:1b:9e:c4: 61:c3:44:46:9e:1f:90:03:3b:23:98:42:d6:c9:72:69:a7:f4: de:31:a0:69:0f:fb:dd:79:66:fb:28:6f:39:76:a8:84:f3:4c: a1:3e:3d:fd:9e:1f:15:97:50:94:83:05:d5:76:fc:28:24:c7: 14:08:57:27:0f:87:30:a7:5f:09:2d:4f:22:68:1e:4d:2b:25: bf:c8:1f:83:34:b4:0a:54:63:aa:aa:20:d3:b7:13:ed:32:c3: 8c:bb:90:39:44:01:a1:46:fe:8d:5e:a4:c5:bf:8b:13:31:87: 05:a8:48:bd:30:38:05:5e:3c:3f:8c:37:26:c3:bc:d8:55:6a: 44:b4:8c:b6:dc:84:e5:54:c3:e5:df:85:a2:df:ac:72:a9:32: de:da:7d:cb:2d:f5:1d:65:13:5b:e6:df:db:bc:95:a9:ea:01: 33:9d:8f:3f:d0:48:1c:04:30:ab:7e:8b:f8:e9:aa:f8:fb:00: 43:a5:d9:58:09:6d:45:24:a2:65:d6:4b:b4:7c:03:9d:79:be: bf:c8:76:a2:b8:39:0c:c8:9e:b4:ab:36:ef:f4:23:81:4e:8d: 2c:53:68:f9:b5:b8:f1:61:b0:07:d7:4b:d1:6f:9c:96:b9:0e: a3:31:c0:89
Test SCEP Protocol With Windows Server PKI
Description
In this scenario, the SCEP protocol is used to retrieve digital certificates (X509) from a Windows PKI server.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=MyUserCert set system certificate scep csr CSR encrypted-password U2FsdGVkX18h6UTFSNRQkWBayAqk//W6HVwHhhYFtbcW2JKE/7cB7ytAxdpQKnOdTWAYpoSUqhPkFgUT8AOVew== set system certificate scep csr CSR url 'http://192.168.213.25/' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.153 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.153/0.153/0.153/0.000 ms
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.549 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.549/0.549/0.549/0.000 ms
Step 4: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------- ca Valid Signature Jan 9 09:34:41 2026 GMT Jan 9 09:44:41 2056 GMT ra Valid Encipherment Jan 9 09:37:26 2026 GMT Jan 9 09:37:26 2028 GMT ra-2 Valid Signature Jan 9 09:37:25 2026 GMT Jan 9 09:37:25 2028 GMT usercert Valid - Jan 27 16:39:57 2026 GMT Jan 27 16:49:57 2028 GMT
Step 5: Run command pki show certificate running://auth/certificates/scep/CSR/ca/ca.der at DUT0 and check if output contains the following tokens:
Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CAShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 2e:aa:77:9e:fd:8d:47:8d:42:5f:96:57:64:8a:da:d1 Signature Algorithm: sha256WithRSAEncryption Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA Validity Not Before: Jan 9 09:34:41 2026 GMT Not After : Jan 9 09:44:41 2056 GMT Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:be:22:9c:cd:53:99:06:1b:31:57:cd:72:1b:d7: 5d:99:b4:e2:e1:88:80:d4:40:53:49:be:ff:e0:5b: 8b:41:8c:96:e8:99:cd:19:ab:98:4c:99:77:ad:01: fc:51:cf:ea:d8:43:fc:5b:d2:dd:b5:05:04:ae:01: 28:e9:53:5d:bb:d2:65:71:d9:69:3c:04:4d:6b:6e: 8b:95:92:e4:e7:84:57:90:b3:5e:1f:76:34:7f:15: e2:fb:c0:78:bb:ec:a5:be:2f:33:9e:98:06:f1:4c: 1f:cc:ee:85:c2:f1:8f:3c:23:52:a2:94:af:0e:b8: d2:e3:0c:b7:07:49:b9:91:87:3e:76:89:61:f0:88: 4c:2f:da:6b:b9:75:93:6e:e4:e2:f1:19:48:00:f7: af:1b:70:19:15:2b:30:b3:78:24:dc:14:c4:e8:a0: 61:f9:68:09:7d:e9:3e:6f:e0:a3:44:d5:43:f8:78: aa:5f:a8:7a:3a:7c:2c:4e:21:69:24:be:2f:cb:57: bd:60:e8:b9:a5:3b:ad:0c:7b:d9:8d:82:3e:13:96: 8b:59:5a:2b:ec:b6:63:33:21:69:a5:30:b6:bb:84: e9:80:8d:db:3c:94:f7:52:05:76:6a:ed:d6:03:24: d8:97:46:a4:15:41:4d:17:98:7d:20:64:ac:fb:e9: 30:1d Exponent: 65537 (0x10001) X509v3 extensions: 1.3.6.1.4.1.311.20.2: ...C.A X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 18:DA:43:2C:11:47:FC:1A:DA:19:D4:6C:8B:2D:58:AA:75:ED:17:94 1.3.6.1.4.1.311.21.1: ... Signature Algorithm: sha256WithRSAEncryption Signature Value: 3b:f8:53:b9:17:78:98:fa:4a:63:a8:5b:57:bc:f6:67:d8:47: 48:8a:22:2f:d8:39:22:44:c9:f8:aa:fd:e8:81:13:c4:5f:9b: b2:72:0a:35:b1:0c:64:ff:ff:89:05:f0:d7:2a:e4:5f:da:6b: 7b:90:88:5e:6c:77:e5:17:83:19:43:10:35:f8:b5:e3:b8:b5: 16:c1:79:5e:cc:71:00:91:6a:aa:b7:7e:e8:35:99:b3:74:c1: b7:d9:93:8c:6b:4e:64:5a:0a:aa:09:ce:00:d6:f2:f0:f6:87: ec:cd:dc:d0:07:d5:cb:6d:7f:34:72:80:7b:8c:71:f3:d8:f6: a4:38:45:0e:19:79:bd:07:d6:91:a0:4f:4f:2e:55:f1:ca:f7: f3:b1:94:33:7b:f0:76:2b:10:d6:9b:49:ef:96:83:f3:f5:2e: b3:c4:48:13:2f:19:f3:18:7f:4c:7a:09:79:3b:52:94:d9:86: 65:58:32:34:ba:89:6e:54:99:ab:12:7b:f5:3d:61:f3:39:22: 08:ef:7b:77:ba:95:7e:8e:ca:51:4d:80:45:2b:43:d8:b1:37: fb:0c:69:7a:c8:5c:dc:4c:16:5f:a1:09:5c:d6:85:ed:93:76: fa:56:67:fe:fc:97:3c:8d:f8:3c:39:d7:31:07:e6:69:42:3d: 3d:d2:86:1e
Step 6: Run command pki show certificate running://auth/certificates/scep/CSR/user/cert at DUT0 and check if output contains the following tokens:
Subject: CN = MyUserCertShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 11:00:00:03:01:13:72:12:43:68:8b:cb:5c:00:00:00:00:03:01 Signature Algorithm: sha256WithRSAEncryption Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA Validity Not Before: Jan 27 16:39:57 2026 GMT Not After : Jan 27 16:49:57 2028 GMT Subject: CN = MyUserCert Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:cc:10:7c:b0:33:86:ef:23:c5:68:35:1a:51:11: a0:c1:de:b7:79:cb:81:53:a1:58:92:94:54:4d:b2: 56:11:75:d4:08:32:78:12:39:76:f1:cb:be:63:a0: b7:2f:aa:a2:52:2f:e6:83:30:53:df:cf:31:d7:4f: ab:0a:da:34:d7:51:fb:a9:e6:c1:b9:84:f4:6f:21: d9:46:26:a8:8a:22:ac:c0:51:7a:ac:66:b8:77:af: 80:b3:51:78:20:bd:03:f0:19:81:3c:24:d7:e4:9f: 2a:04:e7:bb:f9:61:1c:6c:34:3c:7a:24:f2:18:76: be:92:6b:ab:be:1d:a0:c6:cd:2d:0e:fb:8f:ce:83: e0:94:dc:39:00:49:3c:25:18:89:7b:1b:e1:33:57: a0:fc:e6:03:94:0d:fe:45:55:30:a5:61:dd:eb:c4: df:0c:5f:a1:1a:81:4e:88:2a:9d:69:2e:22:59:bf: 75:17:6f:a0:dd:a7:0e:f4:26:2f:3b:4b:35:57:bf: 78:ca:e3:3e:77:46:f7:7c:dc:12:08:49:11:1c:98: b5:e9:aa:b3:c6:99:b9:6a:a0:3f:a9:bf:e7:51:d9: 43:1e:e9:cb:d1:8f:de:3f:02:19:66:31:f3:87:29: c1:1f:c8:df:d6:da:09:2d:6e:4d:64:9e:d8:e9:d0: 6e:43 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: C4:22:5D:94:62:FA:13:2A:B4:EE:FB:54:FE:C7:57:C5:EB:2A:10:4A X509v3 Authority Key Identifier: 18:DA:43:2C:11:47:FC:1A:DA:19:D4:6C:8B:2D:58:AA:75:ED:17:94 X509v3 CRL Distribution Points: Full Name: URI:ldap:///CN=scep-TELDATPKI-CA,CN=TeldatPKI,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint Authority Information Access: CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority X509v3 Key Usage: critical Digital Signature, Key Encipherment, Data Encipherment 1.3.6.1.4.1.311.21.7: 0..&+.....7.....3......./...(...f<...[...]..d... X509v3 Extended Key Usage: 1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2 1.3.6.1.4.1.311.21.10: 0y0...+.....7..0.. +.....7 ..0 ..+.......0...U.%.0 ..+.......0...+......0 ..+.......0...+.....7..0.. +.....7...0 ..+....... S/MIME Capabilities: 050...*.H.. ......0...*.H.. ......0...+....0 ..*.H.. .. Signature Algorithm: sha256WithRSAEncryption Signature Value: 31:5b:d8:45:1a:4a:05:23:e9:04:a6:a5:4d:a5:e7:e8:0d:35: 45:1f:ab:4c:6d:ba:60:03:1b:9c:04:05:c6:90:ca:7c:b9:07: 0e:fb:95:1c:43:4d:79:0c:49:09:07:46:4b:fb:17:ee:94:c4: 88:91:d6:49:e1:9a:ac:77:17:a9:87:cd:eb:7c:19:19:44:92: 6a:ec:b0:4a:39:af:76:f1:1a:66:2e:f8:eb:c3:4b:2c:09:9e: 6a:0c:26:23:b7:23:c6:7b:03:af:c2:59:19:3e:3b:53:e4:ee: ae:18:59:16:d8:ac:4b:4d:05:53:3f:9d:7b:42:24:94:55:c3: 61:f7:19:0f:03:43:a9:b2:5c:da:a2:b1:84:bd:fd:71:35:05: 43:38:d8:88:91:0e:f5:7d:3a:56:a8:a9:3e:ee:34:d7:b4:c5: 45:a7:9e:6f:03:a6:59:b0:82:20:71:d3:79:4d:ce:0b:65:50: 09:b0:4c:24:5e:b0:b4:cf:68:ad:3b:7b:2c:87:53:a1:c4:af: fd:e4:16:d8:ef:40:e9:12:ad:b0:a3:d3:65:c7:68:cf:71:11: a6:90:84:7f:66:f2:2c:3e:8e:4d:db:df:60:0c:09:3d:34:89: ba:1d:42:50:2f:87:b0:ce:7d:0e:0c:f1:a1:72:d3:48:b3:be: 18:8c:01:e9