02-21-2018 06:40 AM
Hello ISE experts
I'm facing a different kind of issue with BYOD onboarding for Android devices.
Background: I am trying to set up a Wi-Fi test lab with dual SSID for mobile onboarding and provisioning. When I tried registering an Android mobile phone on the onboarding WLAN, authentication and registration worked successfully. But afterwards, when I try to download the certificate from the Cisco Network assistant App, it gives quite a different error (image attached): "unable to download profile. (ssl peer verification failed)". Please advise!
WLC - 8.0.133 (Internal and Anchor WLC)
ISE - 1.3 Patch 1, 2 & 5 (ISE Admin in Internal Network & in ISE-PSN in DMZ)
Windows 2012 AD server integrated with ISE-PSN in DMZ
02-21-2018 08:57 AM
The error implies the NSA for Android is unable to establish a good connection to the ISE PSN, likely due to some certificate exchange issue.
First of all, please get the client debug log "spw.log", which is usually located on Android at /sdcards/downloads/spw.log, and check for the detailed error in it. Secondly, you may perform a packet capture between the endpoint and the ISE PSN and use Wireshark or the like to check the SSL exchanges. "SSL - The Wireshark Wiki" has info on how to do it with Wireshark.
Please note that Cisco Identity Services Engine Software Version 1.3 has reached the end of SW maintenance, so I would urge you to upgrade to a later release.
02-26-2018 08:11 AM
Many thanks hslai. That error has gone after replacing the ISE-PSN IP address with the hostname FQDN in the BYOD Portal.
But now I am getting a new kind of error.
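One likely reason the switch from IP address to FQDN cleared the "ssl peer verification failed" error, shown as an added example (not part of the thread and not Cisco code): a TLS client compares the host in the portal URL with the certificate's subjectAltName entries, and an IP literal matches only an iPAddress entry. The certificate dict, host names and addresses are constructed placeholders, and the assumption is that the PSN certificate names the node only by DNS name.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names are placeholders, not values from the thread.
PSN_CERT = {
    "subject": ((("commonName", "psn01.lab.example"),),),
    "subjectAltName": (("DNS", "psn01.lab.example"),
                       ("DNS", "*.byod.lab.example")),
}


def _dns_match(pattern, host):
    """Compare one SAN dNSName with a host name, label by label.

    A '*' is accepted only as the entire left-most label and never
    spans more than one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def portal_target_matches(cert, target):
    """True if the host part of the portal URL is covered by the cert SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries,
        # never with DNS names or the subject commonName.
        return any(kind == "IP Address" and ipaddress.ip_address(v) == ip
                   for kind, v in sans)
    return any(kind == "DNS" and _dns_match(v, target) for kind, v in sans)


if __name__ == "__main__":
    for target in ("192.0.2.10", "psn01.lab.example", "portal.byod.lab.example"):
        verdict = "ok" if portal_target_matches(PSN_CERT, target) else "verification fails"
        print(f"{target}: {verdict}")
```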
03-05-2018 08:05 AM
My issue was resolved after the following checks. Thanks
- Imported Apex & Plus licenses in ISE provided by Cisco TAC
- Enabled Profiler feed update and posture database update in ISE settings
- Enabled proxy settings on ISE to allow getting updates from the Cisco site