Android: unable to download profile (ssl peer verification failed)

vinmangal
Level 1

Hello ISE experts

I'm facing a different kind of issue with BYOD onboarding for Android devices.

Background: I am trying to set up a Wi-Fi test lab with dual SSID for mobile onboarding and provisioning. When I tried to register an Android mobile phone on the onboarding WLAN, authentication and registration worked successfully. But afterwards, when I try to download the certificate from the Cisco Network assistant App, it gives quite a different error (image attached): "unable to download profile.( ssl peer verification failed )". Please advise!

WLC - 8.0.133 ( Internal and Anchor WLC)

ISE - 1.3 Patch 1, 2 & 5 (ISE Admin in internal network & ISE-PSN in DMZ)

Windows 2012 AD server integrated with ISE-PSN in DMZ

Accepted Solutions

hslai
Cisco Employee

The error implies that the NSA for Android is unable to establish a good connection to the ISE PSN, likely due to some certificate exchange issue.

First of all, please get the client debug log "spw.log", which is usually located on Android at /sdcards/downloads/spw.log, and check for the detailed error in it. Secondly, you may perform a packet capture between the endpoint and the ISE PSN and use Wireshark or the like to check the SSL exchanges. "SSL - The Wireshark Wiki" has info on how to do it with Wireshark.

Please note that Cisco Identity Services Engine Software Version 1.3 has reached the end of SW maintenance, so I would urge you to upgrade to a later release.

3 Replies

Many thanks hslai. That error has gone after replacing the ISE-PSN IP address with the hostname FQDN in the BYOD portal.

But now I am getting a new kind of error:

IMG-20180226-WA0005.jpg

My issue was resolved after the following checks. Thanks

- Imported Apex & Plus license in ISE provided by Cisco TAC

- Enabled Profiler feed update and posture database update in ISE settings

- Enabled proxy settings on ISE to allow it to get updates from the Cisco site
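
An added example, not part of the original thread and not Cisco's code: the first fix reported above (replacing the ISE-PSN IP address with its FQDN in the BYOD portal) is consistent with a certificate name mismatch, which is an assumption because the thread does not show the certificate. The sketch checks whether a portal address is covered by a certificate's subjectAltName entries; the FQDN `ise-psn.example.com` and the address `192.0.2.10` are constructed placeholders.

```python
import ipaddress

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
# The FQDN and IP address are placeholders, not values from the thread.
SAMPLE_PSN_CERT = {
    "subject": ((("commonName", "ise-psn.example.com"),),),
    "subjectAltName": (("DNS", "ise-psn.example.com"),),
}

def _dns_match(pattern, host):
    """Compare one dNSName entry with the host; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_portal_identity(cert, portal_host):
    """Return (ok, reason) for the address the client is redirected to.

    Only subjectAltName is consulted; there is no fallback to commonName.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(portal_host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal is compared only with iPAddress entries, never with DNS names.
        ips = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
        if wanted_ip in ips:
            return True, "IP address listed in subjectAltName"
        return False, "certificate has no iPAddress SAN for %s" % portal_host
    names = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(n, portal_host) for n in names):
        return True, "hostname listed in subjectAltName"
    return False, "no dNSName SAN matches %s (have: %s)" % (portal_host, names)

if __name__ == "__main__":
    for target in ("192.0.2.10", "ise-psn.example.com"):
        print(target, check_portal_identity(SAMPLE_PSN_CERT, target))
```

To run the same check against a live node, pass the dict from `getpeercert()` on a TLS connection whose chain validated; Python returns an empty dict when verification is disabled.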
