
ISE BYOD: certificate generation failed

ciscoworlds
Level 4

Hi.

I followed the directions stated on the YouTube link "ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed) - YouTube", but despite the mentioned configuration, I again get the same "Certificate Generation Failed" message during BYOD onboarding with single-SSID on my test Android 7.0 device. Also, I'm using ISE 2.4 patch 1.

As seen, I've created a new condition and used it in a new Authz rule and put it before the other rules. But I got no match hint, and the same error message was and is still there!

ise7.png

I have a firewall between the clients and the ISE server, but I permitted all traffic from those clients destined anywhere, so it could not be considered a firewall-related issue.

How can I fix this? And I don't understand why this is necessary. I've not seen such a recommendation or configuration in regular admin guides, videos, or even in Cisco Press books!

Thanks in advance.

24 Replies

Looking at your Android screenshot again, it says the certificate is only valid for 1.1.1.1. Although no longer a recommended value for WLC virtual interface, 1.1.1.1 is likely what your WLC has for its virtual interface. If so, then it's an indication that the WLC ACL is not allowing the connection to play.google.com and that the WLC is enabled for HTTPS redirection.

If this is not helping, please engage Cisco TAC to troubleshoot further.

I have 2 different ACLs on WLC, one for Android and one for iOS. (My ISE IP address is 10.1.204.168).

wlc3.png

The only difference between the two of them is the URLs. Based on the docs, I enabled HTTPS redirect on the WLC. Shouldn't it be that way?

The thing with the Android ACL is that it keeps changing. I do not think your DNS ACL is really working. Unfortunately, the one that worked in our alpha network 1.5 years ago is no longer working to access the Android Play store.

It would be easier to restrict internal network access but allow Internet access, or to use a separate network to download the Cisco NSW app from the store.

Here is an ACL to restrict internal access from one of our test setups, where the internal network is 10.0.0.0/8, DNS is 10.1.100.10, and ISE 10.1.100.21:

(Cisco Controller) >show acl detailed PERMIT-Internet

                      Source                        Destination                Source Port  Dest Port
Index  Dir      IP Address/Netmask              IP Address/Netmask      Prot    Range      Range    DSCP  Action      Counter
------ --- ------------------------------- ------------------------------- ---- ----------- ----------- ----- ------- -----------
    1  In        0.0.0.0/0.0.0.0            10.1.100.10/255.255.255.255  17    0-65535    53-53    Any Permit         207
    2  In        0.0.0.0/0.0.0.0            10.1.100.21/255.255.255.255  Any   0-65535    0-65535  Any Permit        1586
    3  In        0.0.0.0/0.0.0.0                0.0.0.0/0.0.0.0           1    0-65535    0-65535  Any Permit           0
    4  In        0.0.0.0/0.0.0.0                10.0.0.0/255.0.0.0       Any   0-65535    0-65535  Any  Deny           43
    5 Any        0.0.0.0/0.0.0.0                0.0.0.0/0.0.0.0          Any   0-65535    0-65535  Any Permit       34780
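To see why the order of the five entries above matters (the DNS and ISE permits must sit above the 10.0.0.0/8 deny, and the final "Any" rule is what lets return traffic and the Play store through on a stateless WLC ACL), here is a small first-match simulator for that ACL. This is an added example, not Cisco code and not part of the original post; the client address 10.1.200.50 and the 203.0.113.10 stand-in for a Play store address are constructed, and treating direction "In" as traffic sourced by the wireless client is an assumption made for the model.

```python
"""First-match simulator for the AireOS-style ACL PERMIT-Internet posted above.

Constructed example (not Cisco code): it reports which rule a packet would hit,
so the rule order can be checked offline before the ACL is tied to a BYOD WLAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class AclEntry:
    index: int
    direction: str                 # "in" (assumed: from the wireless client), "out", or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # IP protocol number as a string ("17" = UDP, "1" = ICMP), or "any"
    sport: Tuple[int, int]         # source port range (low, high)
    dport: Tuple[int, int]         # destination port range (low, high)
    action: str                    # "permit" or "deny"


def net(text: str) -> ipaddress.IPv4Network:
    """Parse either the WLC's 'addr/dotted-mask' form or plain CIDR."""
    return ipaddress.IPv4Network(text, strict=False)


# The five rules exactly as shown by 'show acl detailed PERMIT-Internet'
PERMIT_INTERNET: List[AclEntry] = [
    AclEntry(1, "in", net("0.0.0.0/0.0.0.0"), net("10.1.100.10/255.255.255.255"), "17", (0, 65535), (53, 53), "permit"),
    AclEntry(2, "in", net("0.0.0.0/0.0.0.0"), net("10.1.100.21/255.255.255.255"), ANY, (0, 65535), (0, 65535), "permit"),
    AclEntry(3, "in", net("0.0.0.0/0.0.0.0"), net("0.0.0.0/0.0.0.0"), "1", (0, 65535), (0, 65535), "permit"),
    AclEntry(4, "in", net("0.0.0.0/0.0.0.0"), net("10.0.0.0/255.0.0.0"), ANY, (0, 65535), (0, 65535), "deny"),
    AclEntry(5, "any", net("0.0.0.0/0.0.0.0"), net("0.0.0.0/0.0.0.0"), ANY, (0, 65535), (0, 65535), "permit"),
]


def _in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


def match_packet(acl: List[AclEntry], direction: str, src: str, dst: str,
                 proto: int, sport: int = 0, dport: int = 0) -> Tuple[str, Optional[int]]:
    """Return (action, rule index) of the first matching entry.

    Falls through to ("deny", None) to model the implicit deny at the end of a WLC ACL.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for e in acl:
        if e.direction not in (ANY, direction):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.proto != ANY and e.proto != str(proto):
            continue
        # ICMP carries no ports; callers pass 0, which the 0-65535 ranges accept
        if not (_in_range(sport, e.sport) and _in_range(dport, e.dport)):
            continue
        return e.action, e.index
    return "deny", None


# Constructed BYOD-onboarding traffic from a client at 10.1.200.50 (hypothetical address)
BYOD_FLOWS: Dict[str, tuple] = {
    "dns_query":     ("in", "10.1.200.50", "10.1.100.10", 17, 40000, 53),     # UDP/53 to the DNS server
    "ise_portal":    ("in", "10.1.200.50", "10.1.100.21", 6, 50001, 8443),    # TCP/8443 to ISE
    "ping_internal": ("in", "10.1.200.50", "10.5.5.5", 1, 0, 0),              # ICMP to an internal host
    "internal_web":  ("in", "10.1.200.50", "10.20.0.5", 6, 50002, 443),       # HTTPS to an internal host
    "play_store":    ("in", "10.1.200.50", "203.0.113.10", 6, 50003, 443),    # HTTPS to a stand-in Play store IP
}


def check_byod_flows(acl: List[AclEntry] = PERMIT_INTERNET) -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate every constructed flow and report the verdict and the rule that decided it."""
    return {name: match_packet(acl, *pkt) for name, pkt in BYOD_FLOWS.items()}


def with_deny_first(acl: List[AclEntry]) -> List[AclEntry]:
    """Same rules with the 10.0.0.0/8 deny moved to the top: the ISE permit is then never reached."""
    deny = [e for e in acl if e.action == "deny"]
    rest = [e for e in acl if e.action != "deny"]
    return deny + rest


if __name__ == "__main__":
    for name, verdict in check_byod_flows().items():
        print(f"{name:14s} -> {verdict}")
    print("ISE with deny first ->",
          match_packet(with_deny_first(PERMIT_INTERNET), *BYOD_FLOWS["ise_portal"]))
```

Two things the run makes visible: the ISE portal flow is only permitted because rule 2 precedes the 10.0.0.0/8 deny (moving the deny up turns it into a deny on rule 4), and replies from ISE toward the client hit rule 5, since rules 1 to 4 are "In" only and the WLC ACL does not track state.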

Following Hosuk's Using DNS-Based ACL for Chromebooks and Android Devices, it's working for my Nexus 5X/Android 8.1 on a WLC 5520 running AireOS 8.5.131.0 and AP 2702i.


Earlier it was not working on vWLC running 8.0.120.0, due to CSCus61445.

I pinged the various Google sites and created ACL entries on the WLC with those IP addresses and again it didn't work.

I tested on my iPad, this time with the Safari browser instead of Firefox, and this time I was redirected a little further. It asked me to install a profile, and after I accepted the prompt, it installed the root CA, but then it asked me to install the profile a second time, and at this point I got an error message like this.

IMG_0118.PNG

You can see that my root CA certificate was verified at the first step, but the second step failed.

Since your domain is .local, I believe either your root CA is a private enterprise PKI or the server certificate is self-signed. In that case, please read how to Trust manually installed certificate profiles in iOS - Apple Support.

For Google Android, I would suggest you try the ACL PERMIT-Internet that I posted in comment 14. Or, get the NSW app first using another WLAN or some other means.

I just worked with someone who had .local, and Apple doesn't like that even if you manually install the cert.

You will need to move away from using the .local TLD.

I rebuilt my domain and used .com TLD this time. But the situation is the same. No success!

Ruelb2214
Level 1

Hi @ciscoworlds

Were you able to solve the issue?

I have the same issue with ISE v3.2p4 using WLC 3500 v8.10.