Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Android 6.0 BYOD On-boarding fails with Certificate Generation Failed error using Network Setup Assistant

Hi, Using ISE 2.2, Android 5.0 devices are successfully going through the BYOD provisioning flow. Android 6.0 devices, however, fail every time on "Installing Certificates..." screen on the agent with the message "Certificate Generation Failed". Error screenshot attached. This happens with both the Single-SSID or Dual-SSID method of on-boarding. The Dual-SSID method uses an Open Auth Guest WLAN and redirect to BYOD portal for qualified users. ISE, acting as Sub-CA to the corporate Root CA, issues certificates to the BYOD devices. The "spw.log" file on the Android 6.0 (Samsung, LG) device logs this after it downloads the xml file from ISE node: ..... 2017.02.21 16:33:32 INFO:EST Server 2017.02.21 16:33:32 INFO:EST Server port =8084 2017.02.21 16:33:32 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED 2017.02.21 16:33:54 INFO:Making SCEP call 2017.02.21 16:33:54 INFO:Generating RSA key with key size: 2048 2017.02.21 16:33:56 INFO:Going to call EST server with args: cn =, un=, sn=, sp =8084, cur= P-384, ca_certs length = 8486 2017.02.21 16:33:56 INFO:Calling native logger init with : /storage/emulated/0/Download/estlog.txt 2017.02.21 16:33:56 INFO:SPW profile is having certificate parameters 2017.02.21 16:34:44 INFO:EnrollCert Native returned pem len = 16384 2017.02.21 16:34:44 ERROR:ISEEnrollmentAsynchTask 2017.02.21 16:34:44 ERROR:java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String' on a null object reference 2017.02.21 16:34:44 ERROR:Attempt to invoke virtual method 'java.lang.String' on a null object reference 2017.02.21 16:34:44 INFO:Internal system error. The same execution point in the "spw.log" for the Android 5.0 (Samsung) device goes through successfully: ..... 2017.02.21 17:03:35 INFO:EST Server 2017.02.21 17:03:35 INFO:EST Server port =8084 2017.02.21 17:03:35 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED 2017.02.21 17:03:35 INFO:Making SCEP call 2017.02.21 17:03:35 INFO:Generating RSA key with key size: 2048 2017.02.21 17:03:36 INFO:SPW profile is having certificate parameters 2017.02.21 17:03:36 INFO:Cert request pending - Making pending cert call 2017.02.21 17:03:38 INFO:checkServerTrusted call 2017.02.21 17:03:38 INFO:Generated cert from SCEP server = [0] Version: 3 ..... The closest I could find is this bug "CSCug69605" although the log message is different to what I get and using different ISE version Has any one seen this before? Any workaround? Regards, Rick.


You need to create a condition for authentication with these parameters too. Looking into my android logs I've seen the errors below: So there's no match in my Wireless 802.1x authentication or authorization rule, because for certificate to be installed it's used PAP/ASCII and HTTP authentication.  Now everything works fine!


***EST [INFO][est_io_get_response:1221]-->
HTTP status 401 received

***EST [INFO][est_io_get_response:1253]-->
EST server requesting user authentication

***EST [WARNING][est_client_send_enroll_request:1358]-->
HTTP auth failure

***EST [INFO][est_client_enroll_req:1562]-->
HTTP Authorization failed. Requested auth mode = 3


**Insert this Conditions to your Authentication Rules**

Cisco: cisco-av-pair EQUALS est-csr-request=true
Network Access NetworkDeviceName EQUALS ISE_EST_Local_Host


Still experiencing same error... the authC and authZ did not work! :(

Video of issue:

@howon filed CSCvm62804 to get legacy flow back:

Currently, the dictionary attribute is broken, so here is another related defect: CSCvm62783


Please open SR with TAC

Hi Already did the config before since we encountered this issue last year December 2017, now that we are upgraded to 2.4 last August suddenly Android phone wasnt able to generate the certificate using NSP this week only. Im not sure if this is because of the 3rd party certificate but it will expire by December 2018. Is this a bug or anyone resolved this already with 2.4 path 1?



Any feedback on this? Still experiencing same issue with 2.4 patch 1 for all android phones... Cisco TAC was not able to resolve the issue..

There is a workaround suggested in the 2nd defect - 

Manually configure condition in-line using 'Cisco:cisco-av-pair EQUALS est-csr-request=true' instead


Can you please give it a try.




Hi Nidhi,


As I've said in my previous message, already encountered this before and did your recommendation. This was resolve in ISE 2.2. Now that I'm upgraded to 2.4 patch 1, this issue recur again without any changes in config. The BYOD is running smoothly before for more than a month with version 2.4.


Last week, suddenly "CERTIFICATE GENERATION FAILED" encountered again for Android phone. Already have TAC and recommended same issue. They re enter again the condition and still not working. Been engage with TAC for 6days and no resolution yet :( I ask if there's reported same issue (global) from their file and its first time they encountered this issue for Cisco ISE 2.4


They will try to replicate using my backup config and check if will work in their lab environment...


But I read some statement above that issue is not resolve. 




Hi Cammy


I face the same problem with Cisco ISE 2.4 Patch 4; it worked with Cisco ISE 2.2 and Android 8, but now this fails after the upgrade to 2.4. I already created a new policy with "Cisco: cisco-av-pair Equals est-csr-request=true", but this didn't help, it does not get hit.


Did you get any news from Cisco TAC?


Best regards


Hi Jason

yes, for me it is the same situation / problem, but the provided solution in this how to does not solve the problems on Cisco ISE 2.4, but it worked for our old Cisco ISE 2.2 cluster.


Thank you please continue through TAC. Let us know any updates and will check internally as well

View solution in original post

All I can think of is if the necessary ports are opened for the clients but likely it’s the same for your 2.2 setup

As on my side, I double checked the ACL on the Cisco WLC and all necessary ports (especially TCP/8084) is opened, no changes since upgrade from Cisco ISE 2.2 to 2.4.

I assumed that please work through the TAC and let us know

Hi cammy


have you been working on the TAC case lately and do you have a resolution for the problem with Cisco ISE 2.4 and the BYOD flow?


Thanks and best regards


Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel