Certificate Generation Failed BYOD

Ruelb2214
Level 1

Hi,

We are new to implementing the BYOD feature, currently running ISE v3.2p4 with WLC 3500 v8.10.

Just tested with Android version 8, and every time we run the NSA, after inputting the user password (used for AD login; we are using PEAP to connect to the BYOD SSID), it shows Certificate Generation Failed.

I followed this link as recommended by the Community, but it still failed.

ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed) (youtube.com)

And I understand that EST authentication runs on TCP 8084. I can confirm there is no block on the firewall, but on the ISE itself the port is not open. Maybe I can start with this: how do I open this port? I did reload the ISE, but it is still NOK.

Any ideas, guys? I have been stuck on this issue for 2 weeks.

3 Replies

Ruelb2214
Level 1

Just to add: in the application status, the EST service is running.

Greg Gibbs
Cisco Employee

You will not see TCP/8084 in the 'show ports' output, as the EST server is running inside an nginx container on the node. See the following guide for more information and troubleshooting on EST:
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-30/217161-ca-service-and-est-service-on-ise.html

The BYOD flow is quite complicated and can be difficult to troubleshoot in a community forum. If you have followed the guidance on the Android BYOD Provisioning Error "Certificate Generation Failed" post and are still having trouble, I would suggest opening a TAC case to investigate further. These issues require much more detail to troubleshoot and, if the issue is urgent, TAC is always your best bet.

Ruelb2214
Level 1

Just to update:

I tested on an Android device and collected the logs. I noticed in the logs that when the CNA was running and installing the cert, it got the wrong cert: instead of using the portal cert, it downloaded/installed the EAP/RADIUS cert. Do note I have a cert signed by a third-party CA for portal purposes only. I can understand that cert error, because the FQDN of the redirection is not in the SAN of the (EAP/RADIUS) cert.

I tried it also on Win10 and it's the same issue, but when we had ISE v2.4 p7 running with Win10 there was no issue.

My question is: how does the CNA select a certificate? I have a TAC case pending and am waiting for their comment.
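A way to verify the mismatch described in the last post, added here as an example (not code from the thread or from Cisco): it extracts the SAN DNS names from a certificate and checks whether the redirect FQDN is among them. The `example.com` hostnames are placeholders, the demo certificate is constructed locally, and `fetch_presented_cert` is the helper you would use to capture what the real portal or EST listener actually serves.

```shell
#!/bin/sh
# Added example (not from the thread or Cisco). Assumptions: the hostnames
# ise-*.example.com are placeholders; a real check uses the FQDN from the
# device's redirect URL and the certificate the listener actually presents.
set -eu

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed only if FQDN appears verbatim in the SAN (wildcard entries are
# listed by san_dns_names but deliberately not treated as a match here).
san_has_fqdn() {
  san_dns_names "$1" | grep -qxF "$2"
}

# Save the certificate a listener presents for HOST (SNI set), e.g. the
# guest/BYOD portal on 8443 or the EST listener on 8084, to OUTFILE.
fetch_presented_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Report whether the redirect FQDN is covered by CERT; list the SAN on mismatch.
check_redirect_fqdn() {
  if san_has_fqdn "$1" "$2"; then
    echo "OK: $2 is in the SAN of $1"; return 0
  fi
  echo "MISMATCH: $2 is not in the SAN of $1; SAN DNS names are:"
  san_dns_names "$1" | sed 's/^/  /'
  return 1
}

# Constructed demo cert: the SAN carries the node's own names but not the
# portal FQDN, which is the shape of the mismatch seen in the device logs.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "${1%.pem}.key" -out "$1" -subj "/CN=ise-psn.example.com" \
    -addext "subjectAltName=DNS:ise-psn.example.com,DNS:ise-admin.example.com" \
    >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_demo_cert "$workdir/demo.pem"
check_redirect_fqdn "$workdir/demo.pem" ise-guest.example.com || true
```

For a live check, run `fetch_presented_cert <portal-fqdn> 8443 portal.pem` from the client VLAN and then `check_redirect_fqdn portal.pem <redirect-fqdn>`; if the names listed are the EAP/RADIUS certificate's, the wrong certificate is bound to that listener.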