
Android 6.0 BYOD On-boarding fails with Certificate Generation Failed error using Network Setup Assistant 2.2.0.54

rick505d3
Level 1
Hi,

Using ISE 2.2, Android 5.0 devices are successfully going through the BYOD provisioning flow. Android 6.0 devices, however, fail every time on the "Installing Certificates..." screen on the agent with the message "Certificate Generation Failed". Error screenshot attached.

This happens with both the Single-SSID and Dual-SSID methods of on-boarding. The Dual-SSID method uses an Open Auth Guest WLAN and redirects to the BYOD portal for qualified users. ISE, acting as Sub-CA to the corporate Root CA, issues certificates to the BYOD devices.

The "spw.log" file on the Android 6.0 (Samsung, LG) device logs this after it downloads the xml file from the ISE node:

.....
2017.02.21 16:33:32 INFO:EST Server =ise02.example.com
2017.02.21 16:33:32 INFO:EST Server port =8084
2017.02.21 16:33:32 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED
2017.02.21 16:33:54 INFO:Making SCEP call
2017.02.21 16:33:54 INFO:Generating RSA key with key size: 2048
2017.02.21 16:33:56 INFO:Going to call EST server with args: cn = stuarts@example.com, un= stuarts@example.com, sn= ise02.example.com, sp =8084, cur= P-384, ca_certs length = 8486
2017.02.21 16:33:56 INFO:Calling native logger init with : /storage/emulated/0/Download/estlog.txt
2017.02.21 16:33:56 INFO:SPW profile is having certificate parameters
2017.02.21 16:34:44 INFO:EnrollCert Native returned pem len = 16384
2017.02.21 16:34:44 ERROR:ISEEnrollmentAsynchTask
2017.02.21 16:34:44 ERROR:java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.security.cert.X509Certificate.toString()' on a null object reference
2017.02.21 16:34:44 ERROR:Attempt to invoke virtual method 'java.lang.String java.security.cert.X509Certificate.toString()' on a null object reference
2017.02.21 16:34:44 INFO:Internal system error.

The same execution point in the "spw.log" for the Android 5.0 (Samsung) device goes through successfully:

.....
2017.02.21 17:03:35 INFO:EST Server =ise02.example.com
2017.02.21 17:03:35 INFO:EST Server port =8084
2017.02.21 17:03:35 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED
2017.02.21 17:03:35 INFO:Making SCEP call
2017.02.21 17:03:35 INFO:Generating RSA key with key size: 2048
2017.02.21 17:03:36 INFO:SPW profile is having certificate parameters
2017.02.21 17:03:36 INFO:Cert request pending - Making pending cert call
2017.02.21 17:03:38 INFO:checkServerTrusted call
2017.02.21 17:03:38 INFO:Generated cert from SCEP server = [0] Version: 3
.....

The closest I could find is this bug "CSCug69605", although the log message is different to what I get and using a different ISE version.

Has anyone seen this before? Any workaround?

Regards,
Rick.
33 Replies

Same issue with ISE 2.2 and a few Android (Samsung) devices.

TAC can't solve it either....

Finally solved it.

In our case, one of our PSN nodes had simply stopped responding on port 8084. We performed a reboot and the PSN is now responding on port 8084 as usual. Problem solved. No idea what could have caused this.

 


Installed Cisco ISE 2.4 Patch 5 and rebooted both PSNs; it did not help with this problem, still no BYOD for any Android device / version.

Hi guys

Got the estlog.txt from a colleague of mine with an Android 9.x phone and saw the following:

***EST [WARNING][est_client_connect:2217]--> 
Unable to connect to EST server at address byod-1.domain.com

I was finally able to solve the problem based on this information; I was looking in the wrong place. The EST services were not running at all on our PSNs because we hit the following bug: CSCvj11319 (ISE 2.4 - EST Service not running after upgrade from 2.3). After regenerating the Cisco ISE CA certificate, the EST services are running again and the Android devices can onboard again.

Hope this helps someone else.

Best regards

Dominic
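An added example, not part of any post in this thread and not Cisco tooling: a small Python triage script that pulls the EST endpoint and failure markers out of the spw.log and estlog.txt text quoted above, then optionally tests whether each PSN accepts TCP connections on the EST port. The sample logs are constructed from the lines quoted in the thread; the function names and the 5-second timeout are assumptions.

```python
import re
import socket
import sys

# Constructed samples, assembled from log lines quoted in this thread.
SAMPLE_SPW_LOG = """\
2017.02.21 16:33:32 INFO:EST Server =ise02.example.com
2017.02.21 16:33:32 INFO:EST Server port =8084
2017.02.21 16:33:56 INFO:Going to call EST server with args: cn = stuarts@example.com, sp =8084
2017.02.21 16:34:44 INFO:EnrollCert Native returned pem len = 16384
2017.02.21 16:34:44 ERROR:java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.security.cert.X509Certificate.toString()' on a null object reference
"""
SAMPLE_ESTLOG = """\
***EST [WARNING][est_client_connect:2217]-->
Unable to connect to EST server at address byod-1.domain.com
"""

def triage_spw_log(text):
    """Extract the EST endpoint and the failure markers seen in spw.log."""
    server = re.search(r"EST Server\s*=\s*(\S+)", text)
    port = re.search(r"EST Server port\s*=\s*(\d+)", text)
    return {
        "est_server": server.group(1) if server else None,
        "est_port": int(port.group(1)) if port else None,
        # The failing Android 6.0 run calls EST; the working 5.0 run does not.
        "est_enroll_attempted": "Going to call EST server" in text,
        # Enrollment returned no usable certificate to the agent.
        "cert_parse_failed": "NullPointerException" in text and "X509Certificate" in text,
    }

def est_unreachable_hosts(estlog_text):
    """Hosts the native EST client reported it could not connect to."""
    pattern = r"Unable to connect to EST server at address (\S+)"
    return sorted(set(re.findall(pattern, estlog_text)))

def est_port_open(host, port=8084, timeout=5.0):
    """True if the host accepts a TCP connection on the EST port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    info = triage_spw_log(SAMPLE_SPW_LOG)
    print(info, est_unreachable_hosts(SAMPLE_ESTLOG))
    # Pass your own PSN hostnames as arguments; nothing is contacted otherwise.
    for psn in sys.argv[1:]:
        print(psn, "EST port open:", est_port_open(psn, info["est_port"] or 8084))
```

An open port only shows that something is listening; it does not confirm that the EST service can actually issue a certificate.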