Thomas Wall
Cisco Employee

Problem:

During the Android BYOD supplicant provisioning flow, the Network Setup Assistant displays the error “Certificate Generation Failed”.

[Screenshot: SmartSelect_20181011-180905_Network Setup Assistant.jpg]

 

Cause:

 

Starting in Identity Services Engine (ISE) 2.2, Enrollment over Secure Transport (EST) was made externally available per RFC 7030. Section 3.3.1 of the RFC states that “TLS server authentication with certificates MUST be supported.” During the Android BYOD flow, an EST server authentication is performed for the Certificate Signing Request sent by the client device. This request is visible in the RADIUS Live Logs if the Network Device filter is set to ISE_EST_Local_Host.

 

Quick Facts about EST on ISE:

 

  • EST uses TCP port 8084; the redirect ACL must permit this port to ISE.
  • A Network Access Device named ISE_EST_Local_Host was added to the network device list. This device is hidden in the ISE Administration GUI.
  • The user is prompted for their network password during the EST phase of the onboarding process.
  • Android versions 6 and above natively use EST for onboarding. More devices may use EST in the future.

 

 

Solution:

The solution below is broken down into two sections, policy set view (default in ISE 2.3+) and standard view. Some steps outlined below may not be required to resolve this issue.

 

ISE Deployments using Policy Sets:

 

 

Create New Allowed Protocols

Note: If you are using the default policies and don't want to separate them you can bypass this step.

 

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols
  2. Select New
  3. Under Authentication Protocols, enable “Allow PAP/ASCII”

 

[Screenshot: new authentication protocols papascii.PNG]

 

Create New Policy Set

  1. Navigate to Policy > Policy Sets
  2. Create a new Policy Set. This Policy Set will be dedicated to the EST authentication and will not allow any other authentications.
  3. Enter the desired name and click the “+” to open the Conditions Studio.
  4. Input the following conditions as an OR statement:

       1. Cisco: cisco-av-pair Equals est-csr-request=true
          OR
       2. Network Access: NetworkDeviceName Equals ISE_EST_Local_Host

[Screenshot: policy set condition.PNG]

  5. Under the Allowed Protocols column, select the Allowed Protocols object created in the previous section. Once set, click Save.

 

[Screenshot: policy set.PNG]

 

 

Configure Policy Set Permissions

  1. Open the newly created Policy Set.
  2. Under the Authentication Policy, ensure the default policy is set to All_User_ID_Stores.
  3. Under the Authorization Policy, configure the default policy to Permit Access.
  4. Click Save to write the policy to the database.

 

[Screenshot: full policy set.PNG]

 

 

 

 

ISE Deployments without Policy Sets

 

 

Create New Allowed Protocols

  1. Navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols
  2. Select New
  3. Under Authentication Protocols, enable “Allow PAP/ASCII”

 

[Screenshot: new authentication protocols papascii.PNG]

 

 

Create Authentication Policy

  1. Navigate to Policy > Authentication Policy
  2. Create an Authentication Policy with the following OR conditions:

       1. Cisco: cisco-av-pair Equals est-csr-request=true
          OR
       2. Network Access: NetworkDeviceName Equals ISE_EST_Local_Host

  3. Set Identity Store to All_User_ID_Stores
  4. Set Allowed Protocols to EST_Android_Authentication (the Allowed Protocols object created in the previous section)

 

[Screenshot: new image.PNG]

 

Create Authorization Policy

  1. Navigate to Policy > Authorization Policy
  2. Create an Authorization Policy that matches on the same conditions as the Authentication Policy:

       1. Cisco: cisco-av-pair Equals est-csr-request=true
          OR
       2. Network Access: NetworkDeviceName Equals ISE_EST_Local_Host

  3. Set Permissions to Permit Access
  4. Click Save to write the configuration.

 

[Screenshot: authorization policy.PNG]

 

Note: If the error “Certificate Generation Failed” is still shown after making the above configuration changes, make sure the redirect ACL used for the flow allows traffic over TCP port 8084 to the ISE Policy Node(s).

 

Video Walkthrough available at ISE 2.2 Android Provisioning with EST Authentication (Certificate Generation Failed)

 

Troubleshooting

If the certificate provisioning flow still fails with the policy configuration above, navigate to the Downloads folder on the Android device and collect the files spw.log and estlog.txt. These two logs are generated on newer Android devices to assist in diagnosing issues during the flow. Provide both log files to TAC if a case is opened.

 

Known Issue: EST Service Not Running

Android devices utilize the Enrollment over Secure Transport (EST) service on ISE. If the service is not running, certificate generation will fail. The following warning in estlog.txt indicates that the EST service on ISE is not running.

 

***EST [WARNING][est_client_connect:2217]-->

Unable to connect to EST server at address ise-policy.company.com

 

Connect to the CLI of the Policy node and issue the command "show application status ise" and validate the EST service is running.

 

admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          10117
Database Server                        running          93 PROCESSES
Application Server                     running          15401
Profiler Database                      running          11871
ISE Indexing Engine                    running          16828
AD Connector                           running          18666
M&T Session Database                   running          11773
M&T Log Collector                      running          15544
M&T Log Processor                      running          15452
Certificate Authority Service          running          18436
EST Service                            running          22732
SXP Engine Service                     disabled
Docker Daemon                          running          17563
TC-NAC Service                         disabled

 

If the EST service is not running, enter the command "application start ise" or reload the server. If the service does not move to a running state, you may be hitting a known bug documented in the Open Caveats section below. Please open a TAC case for assistance.
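As an added offline triage aid (example code written for this page, not part of the article or of Cisco ISE), the Python script below parses the output of "show application status ise" and the estlog.txt lines quoted above, and maps the evidence to the two causes discussed here: the EST Service being down on the Policy Service Node, and the Android client being unable to reach TCP 8084. The sample outputs embedded in it are constructed; the "not running" state string and the estlog line format are assumptions, and est_port_reachable() is a live check that is not exercised offline.

```python
"""Offline triage helper for the Android EST "Certificate Generation Failed" symptom.

Added example; it is not part of the original article nor of Cisco ISE.
It parses (1) the output of `show application status ise` and (2) lines from
the estlog.txt collected from the Android device's Downloads folder, and maps
the evidence to the two causes the article discusses.
"""
import re
import socket

EST_PORT = 8084  # EST on ISE listens on TCP 8084 (per the article's Quick Facts)

# Constructed sample of `show application status ise`, modelled on the article's
# listing but with the EST Service stopped. The "not running" wording is an
# assumption about how a stopped ISE process is displayed.
SAMPLE_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          10117
Database Server                        running          93 PROCESSES
Application Server                     running          15401
Certificate Authority Service          running          18436
EST Service                            not running
SXP Engine Service                     disabled
"""

# Constructed estlog.txt excerpt in the format quoted in the article.
SAMPLE_ESTLOG = """\
***EST [WARNING][est_client_connect:2217]-->
Unable to connect to EST server at address ise-policy.company.com
"""

# One process per line: name, whitespace, state, optional PID column.
STATUS_RE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<state>not running|running|disabled)(?=\s|$)", re.I
)
CONNECT_FAIL_RE = re.compile(r"Unable to connect to EST server at address (\S+)")


def parse_application_status(text):
    """Return {process name: state} parsed from `show application status ise`."""
    states = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            states[m.group("name").strip()] = m.group("state").lower()
    return states


def est_service_state(text):
    """State of the EST Service, or 'absent' if no such line exists (pre-2.2 ISE)."""
    return parse_application_status(text).get("EST Service", "absent")


def estlog_connect_failures(text):
    """Server addresses the Android EST client reported it could not reach."""
    return CONNECT_FAIL_RE.findall(text)


def diagnose(status_text, estlog_text):
    """Combine both sources into a list of findings (empty list = nothing found)."""
    findings = []
    state = est_service_state(status_text)
    unreachable = estlog_connect_failures(estlog_text)
    if state != "running":
        findings.append(
            f"EST Service state is '{state}': start the ISE application or reload "
            "the node; if it stays down, see caveat CSCvj11319"
        )
    if unreachable and state == "running":
        findings.append(
            f"client could not reach {', '.join(unreachable)} although the service "
            f"is up: verify the redirect ACL and any firewall permit TCP {EST_PORT} to the PSN"
        )
    elif unreachable:
        findings.append(
            f"client could not reach {', '.join(unreachable)}: consistent with the service being down"
        )
    return findings


def est_port_reachable(host, port=EST_PORT, timeout=3.0):
    """Live check from a troubleshooting host: can a TCP connection to the PSN's
    EST port be opened? Returns False on any socket error. Not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUS, SAMPLE_ESTLOG):
        print("-", finding)
```

Paste the real CLI output and the real estlog.txt contents in place of the constructed samples; the parser only relies on the column layout shown in the article, so additional processes in newer releases are picked up without changes.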

 

 

 

Open Caveats

CSCvm62783 - 'EST-CSR-Request' dictionary condition does not work. Impacted version: 2.4

CSCvj11319 - ISE 2.4: EST Service not running after upgrade from 2.3

Comments
Peter Koltl
Level 7

Is EST only for Android?
