02-23-2024 04:06 AM
I understand that Cisco ACS is no longer a supported product, and we are in the process of installing and migrating over to Cisco ISE. However, we have been facing an issue whereby we are unable to get any Android 11+ devices connected to our network, even after supplying our certificates to the device.
From looking at logcat (from the Android device) we get the following error messages:
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=DigiCert, Inc./CN=DigiCert QV TLS ICA G1' hash=*Redacted*
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/L=Birmingham/O=Aston University/CN=*Redacted - This is our Radius Server*' hash=*Redacted*
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:*Redacted - This is our Radius Server*
W wpa_supplicant: TLS: Certificate verification failed, error 2 (unable to get issuer certificate) depth 1 for '/C=US/O=DigiCert, Inc./CN=DigiCert QV TLS ICA G1'
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=US/O=DigiCert, Inc./CN=DigiCert QV TLS ICA G1' err='unable to get issuer certificate'
I wpa_supplicant: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
Has anyone else experienced this, and is anyone able to suggest a resolution? Every other device in our environment is happy with the provided certificate chain, but Android doesn't seem to like it.
The Authentication method is:
PEAP
MSCHAPv2
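For triaging logcat output like the lines above, here is an added example (not part of the original post) that extracts the certificate chain the RADIUS server presented and flags whether the failing certificate is the topmost one sent. The sample log is constructed, with placeholder host name and hashes, and the `triage` function and its field names are hypothetical.

```python
import re

# Constructed sample modelled on the logcat lines in the post; the host name
# and hash values are placeholders, not values from the thread.
SAMPLE_LOG = """\
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=DigiCert, Inc./CN=DigiCert QV TLS ICA G1' hash=0000
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/O=Example/CN=radius.example.org' hash=1111
I wpa_supplicant: wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/C=US/O=DigiCert, Inc./CN=DigiCert QV TLS ICA G1' err='unable to get issuer certificate'
I wpa_supplicant: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
"""

PEER_CERT = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)'")
CERT_ERROR = re.compile(
    r"CTRL-EVENT-EAP-TLS-CERT-ERROR reason=(\d+) depth=(\d+) subject='([^']*)' err='([^']*)'")

def triage(log_text):
    """Return the presented chain (leaf first) and each verification failure."""
    chain, errors = {}, []
    for line in log_text.splitlines():
        m = PEER_CERT.search(line)
        if m:
            chain[int(m.group(1))] = m.group(2)
            continue
        m = CERT_ERROR.search(line)
        if m:
            errors.append({"reason": int(m.group(1)), "depth": int(m.group(2)),
                           "subject": m.group(3), "err": m.group(4)})
    top = max(chain) if chain else None
    findings = []
    for e in errors:
        # If the failing certificate is the highest depth the server sent, its
        # issuer was not in the handshake and must come from the client's trust store.
        missing = e["err"] == "unable to get issuer certificate" and e["depth"] == top
        findings.append({**e, "issuer_not_sent_by_server": missing})
    return {"chain": [chain[d] for d in sorted(chain)], "findings": findings}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("presented chain (leaf first):", report["chain"])
    for f in report["findings"]:
        print(f"depth {f['depth']}: {f['err']} for {f['subject']}; "
              f"issuer must come from client trust store: {f['issuer_not_sent_by_server']}")
```
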
02-23-2024 04:43 AM
>...Every other device in our environment is happy with the provided certificate chain
Seems to contradict:
>...unable to get issuer certificate
Check https://extreme-networks.my.site.com/ExtrArticleDetail?an=000092023
M.