05-28-2018 05:32 AM
Hi,
I have a problem with onboarding Android devices in the BYOD Single-SSID flow with ISE 2.4. I tried it with an Android 8.0 and a 7.0 device. After providing the network password in the Cisco Network Assistant app, the error "Certificate Generation Failed" shows up.
Both devices are showing the same errors in the log:
2018.05.25 11:05:59 ERROR:ISEEnrollmentAsynchTask
2018.05.25 11:05:59 ERROR:java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.security.cert.Certificate.toString()' on a null object reference
2018.05.25 11:05:59 ERROR:Attempt to invoke virtual method 'java.lang.String java.security.cert.Certificate.toString()' on a null object reference
I followed the instructions given in this video, but no success: ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed) - YouTube
My AuthC rules for EST look like this:
But I don't see any hits in live logs. PAP and CHAP are activated in allowed protocols.
Thanks and regards,
Marc
05-28-2018 01:22 PM
When the network setup assistant asked you for a password, did you enter your network credentials? If so, this is incorrect. The password it's asking for is the PIN or passcode lock for the phone.
05-29-2018 04:30 AM
Tried it with both PIN and passcode but still no success. The error message is the same.
05-29-2018 04:53 AM
Please work through the TAC
Sent from my iPhone
06-26-2018 05:23 AM
I'm just working on my learning lab, so it's not possible to contact TAC. I searched the Internet and found some solutions, as also stated in this post, but they didn't work for me. Also, after connecting to the network for the first time and entering BYOD information on the BYOD portal, the phone asks me to log in to that SSID, and pressing that prompt starts up the whole BYOD flow from the beginning, and I am redirected to the first page of the BYOD portal again and again.
06-26-2018 06:07 AM
If you’re running a fresh setup of ISE have you tried using the secure access wizard to get everything configured and working?
https://communities.cisco.com/docs/DOC-71189
https://communities.cisco.com/docs/DOC-68160
If you're a Cisco partner, have you tried our dCloud demo for secure access wizard and/or mobility deep dive? These have working setups.
06-26-2018 06:29 AM
This is not a production network. I've built the lab to practice ISE, and for this I started with a fresh install and followed the steps 1 by 1. I don't want to use the wizard, even if that was the solution, for now, only to get a deep understanding of what is happening.
I wonder why this simple thing should be such a cumbersome task. Do you have any idea about this message (certificate generation failed)? I actually have created a separate post for my issue, which has a screenshot of the configs, here: https://communities.cisco.com/thread/92886
06-26-2018 06:37 AM
I am looking to see if you have a basic BYOD setup working first and then move forward with that. I will also reach out to our SME to see if he has a working setup for EST on 2.4.
06-26-2018 07:10 AM
Thank you. I appreciate that. I just wonder why EST-related stuff hasn't been documented in the Cisco ISE admin guide and Cisco Press books or even 3rd party videos?! It's interesting!
06-26-2018 09:48 AM
We tested it at our alpha yesterday.
06-26-2018 11:07 PM
Could you share the results and findings?
06-26-2018 11:10 PM
I read somewhere that EST is irrelevant while SCEP is in place. I'm using SCEP, as stated in the official guides and books. Could you confirm this please?