Cisco ISE BYOD error "Certificate Generation Failed" when onboarding Android using NSA

spitalfmi
Level 1

Hi,

I have a problem with onboarding Android devices in the BYOD Single-SSID flow with ISE 2.4. I tried it with an Android 8.0 and a 7.0 device. After providing the network password in the Cisco network assistant app, the error "Certificate Generation Failed" shows up.

Both devices are showing the same errors in the log:

2018.05.25 11:05:59 ERROR:ISEEnrollmentAsynchTask
2018.05.25 11:05:59 ERROR:java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String java.security.cert.Certificate.toString()' on a null object reference
2018.05.25 11:05:59 ERROR:Attempt to invoke virtual method 'java.lang.String java.security.cert.Certificate.toString()' on a null object reference

I followed the instructions given in this video, but no success: ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed) - YouTube

My AuthC rules for EST look like this:

Unbenannt.jpg

But I don't see any hits in live logs. PAP and CHAP are activated in allowed protocols.

Thanks and regards,
Marc

1 Accepted Solution


Please work through the TAC.

Sent from my iPhone


11 Replies

Jason Kunst
Cisco Employee

When the network set up assistant asked you for a password, did you enter your network credentials? If so, this is incorrect. The password it's asking for is the PIN or passcode lock for the phone.

Tried it with both PIN and passcode, but still no success. The error message is the same.

Please work through the TAC.

Sent from my iPhone

I'm just working on my learning lab, so it's not possible to contact TAC. I searched the Internet and found some solutions, as also stated in this post, but they didn't work for me. Also, after connecting to the network for the first time and entering BYOD information on the BYOD portal, the phone asks me to log in to that SSID, and pressing that prompt starts up the whole BYOD from the beginning, and I am redirected to the first page of the BYOD portal again and again.

If you're running a fresh setup of ISE, have you tried using the secure access wizard to get everything configured and working?

https://communities.cisco.com/docs/DOC-71189

https://communities.cisco.com/docs/DOC-68160

If you're a Cisco partner, have you tried our dCloud demo for secure access wizard and/or mobility deep dive? These have working setups.

This is not a production network. I've built the lab to practice ISE, and for this I started with a fresh install and followed the steps 1 by 1. I don't want to use the wizard, even if that was the solution, for now, only to get a deep understanding of what is happening.

I wonder why this simple thing should be such a cumbersome task. Do you have any idea about this message (certificate generation failed)? I actually have created a separate post for my issue, which has a screenshot of the configs, here: https://communities.cisco.com/thread/92886

I am looking to see whether you have a basic BYOD setup working first and then move forward with that. I will also reach out to our SME to see if he has a working setup for EST on 2.4.

Thank you. I appreciate that. I just wonder why EST-related stuff hasn't been documented in the Cisco ISE admin guide and Cisco Press books or even 3rd party videos?! It's interesting!

We tested it at our alpha yesterday.

Could you share the results and findings?

I read somewhere that EST is irrelevant while SCEP is in place. I'm using SCEP, as stated in the official guides and books. Could you confirm this please?