Solved: Re: Android 6.0 BYOD On-boarding fails with Certificate Generation Failed error using Network Setup ... - Page 2

rick505d3 · ‎02-21-2017

Hi, Using ISE 2.2, Android 5.0 devices are successfully going through the BYOD provisioning flow. Android 6.0 devices, however, fail every time on "Installing Certificates..." screen on the agent with the message "Certificate Generation Failed". Error screenshot attached. This happens with both the Single-SSID or Dual-SSID method of on-boarding. The Dual-SSID method uses an Open Auth Guest WLAN and redirect to BYOD portal for qualified users. ISE, acting as Sub-CA to the corporate Root CA, issues certificates to the BYOD devices. The "spw.log" file on the Android 6.0 (Samsung, LG) device logs this after it downloads the xml file from ISE node: ..... 2017.02.21 16:33:32 INFO:EST Server =ise02.example.com 2017.02.21 16:33:32 INFO:EST Server port =8084 2017.02.21 16:33:32 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED 2017.02.21 16:33:54 INFO:Making SCEP call 2017.02.21 16:33:54 INFO:Generating RSA key with key size: 2048 2017.02.21 16:33:56 INFO:Going to call EST server with args: cn = stuarts@example.com, un= stuarts@example.com, sn= ise02.example.com, sp =8084, cur= P-384, ca_certs length = 8486 2017.02.21 16:33:56 INFO:Calling native logger init with : /storage/emulated/0/Download/estlog.txt 2017.02.21 16:33:56 INFO:SPW profile is having certificate parameters 2017.02.21 16:34:44 INFO:EnrollCert Native returned pem len = 16384 2017.02.21 16:34:44 ERROR:ISEEnrollmentAsynchTask 2017.02.21 16:34:44 ERROR:java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.security.cert.X509Certificate.toString()' on a null object reference 2017.02.21 16:34:44 ERROR:Attempt to invoke virtual method 'java.lang.String java.security.cert.X509Certificate.toString()' on a null object reference 2017.02.21 16:34:44 INFO:Internal system error. The same execution point in the "spw.log" for the Android 5.0 (Samsung) device goes through successfully: ..... 2017.02.21 17:03:35 INFO:EST Server =ise02.example.com 2017.02.21 17:03:35 INFO:EST Server port =8084 2017.02.21 17:03:35 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED 2017.02.21 17:03:35 INFO:Making SCEP call 2017.02.21 17:03:35 INFO:Generating RSA key with key size: 2048 2017.02.21 17:03:36 INFO:SPW profile is having certificate parameters 2017.02.21 17:03:36 INFO:Cert request pending - Making pending cert call 2017.02.21 17:03:38 INFO:checkServerTrusted call 2017.02.21 17:03:38 INFO:Generated cert from SCEP server = [0] Version: 3 ..... The closest I could find is this bug "CSCug69605" although the log message is different to what I get and using different ISE version Has any one seen this before? Any workaround? Regards, Rick.

Mafiaboy401 · ‎09-03-2018

Hello,

You need to create a condition for authentication with these parameters too. Looking into my android logs I've seen the errors below: So there's no match in my Wireless 802.1x authentication or authorization rule, because for certificate to be installed it's used PAP/ASCII and HTTP authentication. Now everything works fine!

***EST [INFO][est_io_get_response:1221]-->
HTTP status 401 received

***EST [INFO][est_io_get_response:1253]-->
EST server requesting user authentication

***EST [WARNING][est_client_send_enroll_request:1358]-->
HTTP auth failure

***EST [INFO][est_client_enroll_req:1562]-->
HTTP Authorization failed. Requested auth mode = 3

**Insert this Conditions to your Authentication Rules**

Cisco: cisco-av-pair EQUALS est-csr-request=true
Network Access NetworkDeviceName EQUALS ISE_EST_Local_Host

cammy.busto · ‎09-26-2018

Still experiencing same error... the authC and authZ did not work! :(

Jason Kunst · ‎09-27-2018

Video of issue: https://www.youtube.com/watch?v=z0sRiffVdpg

@howon filed CSCvm62804 to get legacy flow back:

Currently, the dictionary attribute is broken, so here is another related defect: CSCvm62783

Please open SR with TAC

cammy.busto · ‎09-27-2018

Hi Already did the config before since we encountered this issue last year December 2017, now that we are upgraded to 2.4 last August suddenly Android phone wasnt able to generate the certificate using NSP this week only. Im not sure if this is because of the 3rd party certificate but it will expire by December 2018. Is this a bug or anyone resolved this already with 2.4 path 1?

cammy.busto · ‎10-02-2018

Hi,

Any feedback on this? Still experiencing same issue with 2.4 patch 1 for all android phones... Cisco TAC was not able to resolve the issue..

Nidhi · ‎10-02-2018

There is a workaround suggested in the 2nd defect -

Workaround:
Manually configure condition in-line using 'Cisco:cisco-av-pair EQUALS est-csr-request=true' instead

Can you please give it a try.

Thanks,

Nidhi

cammy.busto · ‎10-03-2018

Hi Nidhi,

As I've said in my previous message, already encountered this before and did your recommendation. This was resolve in ISE 2.2. Now that I'm upgraded to 2.4 patch 1, this issue recur again without any changes in config. The BYOD is running smoothly before for more than a month with version 2.4.

Last week, suddenly "CERTIFICATE GENERATION FAILED" encountered again for Android phone. Already have TAC and recommended same issue. They re enter again the condition and still not working. Been engage with TAC for 6days and no resolution yet :( I ask if there's reported same issue (global) from their file and its first time they encountered this issue for Cisco ISE 2.4

They will try to replicate using my backup config and check if will work in their lab environment...

But I read some statement above that issue is not resolve.

Dominic Stalder (old profile) · ‎11-12-2018

Hi Cammy

I face the same problem with Cisco ISE 2.4 Patch 4; it worked with Cisco ISE 2.2 and Android 8, but now this fails after the upgrade to 2.4. I already created a new policy with "Cisco: cisco-av-pair Equals est-csr-request=true", but this didn't help, it does not get hit.

Did you get any news from Cisco TAC?

Best regards

Dominic

Jason Kunst · ‎11-12-2018

Is this the same?
https://community.cisco.com/t5/security-documents/android-byod-provisioning-error-quot-certificate-generation/ta-p/3733734/message-revision/3733734:2

Dominic Stalder (old profile) · ‎11-12-2018

Hi Jason

yes, for me it is the same situation / problem, but the provided solution in this how to does not solve the problems on Cisco ISE 2.4, but it worked for our old Cisco ISE 2.2 cluster.

Regards
Dominic

Jason Kunst · ‎11-13-2018

Thank you please continue through TAC. Let us know any updates and will check internally as well

Jason Kunst · ‎11-14-2018

All I can think of is if the necessary ports are opened for the clients but likely it’s the same for your 2.2 setup

Dominic Stalder (old profile) · ‎11-14-2018

As on my side, I double checked the ACL on the Cisco WLC and all necessary ports (especially TCP/8084) is opened, no changes since upgrade from Cisco ISE 2.2 to 2.4.

Jason Kunst · ‎11-14-2018

I assumed that please work through the TAC and let us know

Dominic Stalder (old profile) · ‎11-30-2018

Hi cammy

have you been working on the TAC case lately and do you have a resolution for the problem with Cisco ISE 2.4 and the BYOD flow?

Thanks and best regards

Dominic

Android 6.0 BYOD On-boarding fails with Certificate Generation Failed error using Network Setup Assistant 2.2.0.54