One of the task requirements for R2 is "All client certificates should be automatically granted." Now that seems to translate to the command grant auto. However the command grand ra-auto is given in the solution.
R2(cs-server)#grant ?
auto Automatically grant incoming SCEP enrollment requests
none Automatically reject any incoming SCEP enrollment request
ra-auto Automatically grant RA-authorized incoming SCEP enrollment request
Additionally even though we have configure "grant ra-auto" we still need to grant the RA request. Why is this? Seems the "grant ra-auto" command should not require this.
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cfg-mng-cert-serv.html#GUID-FD9094A7-0DDF-42B1-8765-10862D4C160B
From the following documentation as long as we have given the OU=ioscs RA which we have it should be automatically approved.