Security

Reply
Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Profile Could not be Decrypted Error during iOS Onboarding

I am running into an issue with a new ClearPass Onboard deployment where iOS devices are failing to install the Device Enrollment profile during onboarding.  The error message they get is: "Profile Installation Failed / Profile could not be decrypted".

 

I noticed in the Clearpass 6.0.2 release notes that there was an issue similar to this (Bug ID 11978) that was fixed in 6.0.2.  I am running 6.0.2 with all available patches installed. 

 

Any idea what could be causing this?

 

Thanks!

 

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Profile Could not be Decrypted Error during iOS Onboarding

That usually is either

 

1. An authentication issue (look in the access tracker or in the CPGuest side Administration » Support » Application Log)
2. Or you are using a self-signed cert and are using HTTPs instead of HTTP.

 

What wireless vendor are you using?

 

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: Profile Could not be Decrypted Error during iOS Onboarding

Using Aruba controller and APs.  The Onboard Authorization check appears to go through, there are no failures in Access Tracker. ClearPass has a public SSL cert from GoDaddy installed (chained with the intermediate CA cert).  

 

Windows and Android devices are able to onboard fine. 

 

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Profile Could not be Decrypted Error during iOS Onboarding

What is in the application logs in the CPGuest side? You can go into the plugins and turn on debug for onboarding. 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: Profile Could not be Decrypted Error during iOS Onboarding

I do not see anything glaring.  It ends with: Onboard Access [id/1/6/profile]: Phase 2 - Receive SCEP - Get CA Certificate

 

See attached

Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: Profile Could not be Decrypted Error during iOS Onboarding

Here is the output from the iPad console:

 

Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Decryption failed: NSError:
	Desc   : Profile could not be decrypted
	Sugg   : Decryption key for this profile is not installed.
	US Desc: Profile could not be decrypted
	US Sugg: Decryption key for this profile is not installed.
	Domain : MCProfileErrorDomain
	Code   : 1006
	Type   : MCFatalError
Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
	Desc   : Profile could not be decrypted
	Sugg   : Decryption key for this profile is not installed.
	US Desc: Profile could not be decrypted
	US Sugg: Decryption key for this profile is not installed.
	Domain : MCProfileErrorDomain
	Code   : 1006
	Type   : MCFatalError
Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
	Desc   : Profile could not be decrypted
	Sugg   : Decryption key for this profile is not installed.
	US Desc: Profile could not be decrypted
	US Sugg: Decryption key for this profile is not installed.
	Domain : MCProfileErrorDomain
	Code   : 1006
	Type   : MCFatalError
Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Installation failed. Error: NSError:
	Desc   : Profile Installation Failed
	Sugg   : Profile could not be decrypted
	US Desc: Profile Installation Failed
	US Sugg: Profile could not be decrypted
	Domain : MCInstallationErrorDomain
	Code   : 4001
	Type   : MCFatalError
	...Underlying error:
	NSError:
	Desc   : Profile could not be decrypted
	Sugg   : Decryption key for this profile is not installed.
	US Desc: Profile could not be decrypted
	US Sugg: Decryption key for this profile is not installed.
	Domain : MCProfileErrorDomain
	Code   : 1006
	Type   : MCFatalError
	Extra info:
	{
	    isPrimary = 1;
	}

 

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: Profile Could not be Decrypted Error during iOS Onboarding

IOS is very picky about certs so you need to make sure you have the certs combined in the CPPM. I know go daddy has 3 or 4 intermediates so make sure you have th right one. you can email yourself the certs and import them directly into the ipad 1 at a time until you find the issue. 

 

Certs

 

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I
Posts: 83
Registered: ‎06-27-2007

Re: Profile Could not be Decrypted Error during iOS Onboarding

Just wanted to follow up on this thread incase anyone else is running into this issue.  I opened a case with TAC and they said this error is due to the GoDaddy root CA cert having no CN.  This issue should be resolved in the next patch release for ClearPass later this month.  (Bug ID: 13242)

 

Thanks for your help!

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: