
How to retrieve spw.log file on Android device

eric.zhang11
Level 1

Hi guys,

I came across a new error on Android devices yesterday: “Certificate generation failed.” I have tried four different devices so far: a Samsung tablet, a Lazer tablet, a Google Nexus 9 and a Google Nexus 5X. They are running three different versions of Android as well: 4.4.2, 4.4.4 and 7.1.1. Certificate generation failed on all of them.

Cisco Network Setup Assistant app version: 2.2.0.52

The live log of each individual device on ISE seems OK. I wanted to have a look at the spw log file. The Cisco Support website says “Enter the /sdcards/downloads/spw.log command in order to view the client-side logs for Android applications.” How can I retrieve the spw.log file from them? Do I need to use an Android developer tool to capture the log?

Thanks,

Eric

9 Replies

quintonh
Level 1

Started happening here too. Been working fine up to now. Get yourself a file manager app from the Google Play store and install it on your Android phone. Launch the app and then navigate to the directory "/sdcards/downloads/spw.log". You can view the log there or mail it. Here's the error:

2017.01.19 07:24:33 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED
2017.01.19 07:24:33 INFO:Making SCEP call
2017.01.19 07:24:33 INFO:Generating RSA key with key size: 2048
2017.01.19 07:24:34 INFO:SPW profile is having certificate parameters
2017.01.19 07:24:34 ERROR:Cert call
2017.01.19 07:24:34 ERROR:javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2017.01.19 07:24:34 ERROR:Unable to download certificate XXXXXXX 0b004900030d4ea534c8058
2017.01.19 07:24:34 INFO:Internal system error.
2017.01.19 07:24:38 INFO:Deleted certs from sdcard

Certificates are all signed by a publicly trusted CA. I verified the certificate chain on the device. No issues. It's only affecting Androids using the Cisco Network Assistant app. iPhones and MacBooks continue to work - i.e. the native supplicant is fine.

Thanks heaps for your help. I managed to get the spw.log file off my Nexus 5x phone. I found the same error in the log file, "Trust anchor for certification path not found.".

sadashivpalde
Level 1

Hello,

We are also facing the same issue for Android users. Windows, Mac and iPhones are working fine.

Please let me know if you are able to resolve the issue.

Note: It was working before, but for the last week we have been facing this issue.

Thanks,

Sadashiv

Technically I managed to get it to work on Androids. The issue seems to be with how ISE provisions the Android device and what certificate is used. My system's certificates are as follows:

Portal certificate: Signed by a public CA

EAP certificate: Signed by a public CA

Admin certificate: Signed by our internal CA

In some way the admin certificate is presented along with the provisioning profile (mobile-tls) during provisioning. Naturally Android will reject the admin certificate due to the fact that it is signed by a CA that it does not trust - i.e. our internal CA. Provisioning works when I installed our internal CA's public certificates on the phones. This is not an ideal solution of course and does not scale well.

Same here. Once we manually imported the Root and intermediate certificates into an Android device and trusted them, on-boarding with the new NSA app is fine. However this is not an acceptable workaround.

We have already logged a job with Cisco TAC and are trying to get the .apk file of the old version of NSA. Their response is very slow.

Cisco released a new version of NSA, 2.2.0.53, on 27th Jan; need to check how it works.

Thanks. I just tried the latest version and it is still not working. Same error: “Certificate generation failed.”

Cisco has released a new version of NSA (v2.2.0.54) for Android and we have successfully tested it on a couple of endpoints.

In the redirect ACL you must permit access to the PSN ISE server on port 8443.

I have all of this to allow access to Google Play:

*.clients.google.com

play.google.com

clients.google.com

*ggpht.com

*.gght.com

*.store.google.com

*.google.com

*.l.google.com

*.googleusercontent.com

You can also check the SPW.log file on your endpoint to see where it fails (/sdcards/downloads/spw.log).
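
Added example, not part of any post in this thread and not Cisco code: a small triage script for a spw.log copied off the device, reporting the last step reached before the first error and whether the failure was a TLS trust rejection like the one quoted above. The line layout is inferred from that excerpt; the function names are illustrative.

```python
import re
from datetime import datetime

# Layout seen in the excerpt above: "YYYY.MM.DD HH:MM:SS LEVEL:message"
LINE_RE = re.compile(r"^(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) (INFO|ERROR):(.*)$")
TRUST_MARKER = "Trust anchor for certification path not found"

# Sample input: the log lines quoted earlier in this thread.
SAMPLE_LOG = """\
2017.01.19 07:24:33 INFO:ISEDownloadProfileAsynchTask.onPostExecute :PASSED
2017.01.19 07:24:33 INFO:Making SCEP call
2017.01.19 07:24:33 INFO:Generating RSA key with key size: 2048
2017.01.19 07:24:34 INFO:SPW profile is having certificate parameters
2017.01.19 07:24:34 ERROR:Cert call
2017.01.19 07:24:34 ERROR:javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2017.01.19 07:24:34 ERROR:Unable to download certificate XXXXXXX 0b004900030d4ea534c8058
2017.01.19 07:24:34 INFO:Internal system error.
2017.01.19 07:24:38 INFO:Deleted certs from sdcard
"""

def parse(text):
    """Yield (timestamp, level, message) per well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S")
            yield ts, m.group(2), m.group(3).strip()

def triage(text):
    """Summarise where provisioning stopped and whether TLS trust was the cause."""
    last_step, errors = None, []
    for ts, level, msg in parse(text):
        if level == "ERROR":
            errors.append((ts, msg))
        elif not errors:
            last_step = msg  # last INFO step reached before the first ERROR
    return {
        "failed": bool(errors),
        "last_step_before_error": last_step,
        "first_error_at": errors[0][0].isoformat() if errors else None,
        # True when the app rejected the server's chain during the TLS handshake
        "tls_trust_failure": any(
            "SSLHandshakeException" in m and TRUST_MARKER in m for _, m in errors),
        "errors": [m for _, m in errors],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A true `tls_trust_failure` means the app did not trust the certificate chain the server presented, so the next check is which certificate that server actually sends and which CA signed it.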