topic Certificate Generation Failed BYOD in Network Access Control

Certificate Generation Failed BYOD

Ruelb2214 — Tue, 18 Jun 2024 11:06:27 GMT

Hi,

We are new to implementing BYOD feature, currently running ISE v3.2p4 with WLC 3500 v8.10

Just tested with Android version 8, and every time we run the NSA and after input the user password (use for AD login and we are using PEAP to connect BYOD SSID) it shows Certificate Generation Failed.

I follow this link as recommended by Community but still failed.

ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed) (youtube.com)

And understand on the EST authentication it runs on TCP8084, I can confirm no block on the firewall but on the ISE itself the ports is not open, maybe I can start on this, how to make this port open? I did reload the ISE but still NOK.

Any Idea guys? I been stuck for 2weeks on this issue.

Re: Certificate Generation Failed BYOD

Ruelb2214 — Tue, 18 Jun 2024 11:08:19 GMT

Just to add in the application status, the EST service is running

Re: Certificate Generation Failed BYOD

Greg Gibbs — Tue, 18 Jun 2024 22:29:33 GMT

You will not see the TCP/8084 in the 'show ports' output as the EST server is running inside an nginx container on the node. See the following guide for more information and troubleshooting on EST.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-30/217161-ca-service-and-est-service-on-ise.html

The BYOD flow is quite complicated and can be difficult to troubleshoot in a community forum. If you have followed the guidance on the Android BYOD Provisioning Error "Certificate Generation Failed" post and are still having trouble, I would suggest opening a TAC case to investigate further. These issues require much more detail to troubleshoot and, if the issue is urgent, TAC is always your best bet.

Re: Certificate Generation Failed BYOD

Ruelb2214 — Tue, 02 Jul 2024 04:58:38 GMT

Just to update:

I test on android device and collect the logs, I notice on the logs when the CNA running and installing the cert, it got the wrong cert, instead of using the portal cert it download/install the EAP/Radius cert. Do note I have cert signed by third-party CA for portal purpose only. I could understand that cert error because the fqdn of the redirection is not on the SAN of the cert (eap/radius).

I tried it also on Win10 it's the same issue, but when we have ISE v2.4 p7 we run on Win10 there was no issue.

My question is how does the CNA select a certificate? I have pending TAC open waiting for there comment.

Re: Certificate Generation Failed BYOD

Lubo1 — Mon, 08 Dec 2025 15:48:53 GMT

Hi, did you solve the issue? We are getting the same error "Certificate generation failed" (ISE is version 3.3.0, Android ver. 7, 8, 14, NSA ver. 2.4, 3.2). It is working on Apple/Windows. TAC case is opened for months with no progress at all. They are still "working hard" on it, but it seems they are "sleeping hard", as I read these old posts. Thank you.