Security

last person joined: 7 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Profile Could not be Decrypted Error during iOS Onboarding

  • 1.  Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 10:44 AM

    I am running into an issue with a new ClearPass Onboard deployment where iOS devices are failing to install the Device Enrollment profile during onboarding.  The error message they get is: "Profile Installation Failed / Profile could not be decrypted".

     

    I noticed in the Clearpass 6.0.2 release notes that there was an issue similar to this (Bug ID 11978) that was fixed in 6.0.2.  I am running 6.0.2 with all available patches installed. 

     

    Any idea what could be causing this?

     

    Thanks!

     



  • 2.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 01:25 PM

    That usually is either

     

    1. An authentication issue (look in the access tracker or in the CPGuest side Administration » Support » Application Log)
    2. Or you are using a self-signed cert and are using HTTPs instead of HTTP.

     

    What wireless vendor are you using?

     

     



  • 3.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 01:33 PM

    Using Aruba controller and APs.  The Onboard Authorization check appears to go through, there are no failures in Access Tracker. ClearPass has a public SSL cert from GoDaddy installed (chained with the intermediate CA cert).  

     

    Windows and Android devices are able to onboard fine. 

     



  • 4.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 01:40 PM

    What is in the application logs in the CPGuest side? You can go into the plugins and turn on debug for onboarding. 



  • 5.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 02:01 PM
      |   view attached

    I do not see anything glaring.  It ends with: Onboard Access [id/1/6/profile]: Phase 2 - Receive SCEP - Get CA Certificate

     

    See attached



  • 6.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 02:04 PM

    Here is the output from the iPad console:

     

    Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Decryption failed: NSError:
    	Desc   : Profile could not be decrypted
    	Sugg   : Decryption key for this profile is not installed.
    	US Desc: Profile could not be decrypted
    	US Sugg: Decryption key for this profile is not installed.
    	Domain : MCProfileErrorDomain
    	Code   : 1006
    	Type   : MCFatalError
    Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
    	Desc   : Profile could not be decrypted
    	Sugg   : Decryption key for this profile is not installed.
    	US Desc: Profile could not be decrypted
    	US Sugg: Decryption key for this profile is not installed.
    	Domain : MCProfileErrorDomain
    	Code   : 1006
    	Type   : MCFatalError
    Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
    	Desc   : Profile could not be decrypted
    	Sugg   : Decryption key for this profile is not installed.
    	US Desc: Profile could not be decrypted
    	US Sugg: Decryption key for this profile is not installed.
    	Domain : MCProfileErrorDomain
    	Code   : 1006
    	Type   : MCFatalError
    Apr  9 13:05:42 iPad-Mini profiled[6911] <Notice>: (Error) MC: Installation failed. Error: NSError:
    	Desc   : Profile Installation Failed
    	Sugg   : Profile could not be decrypted
    	US Desc: Profile Installation Failed
    	US Sugg: Profile could not be decrypted
    	Domain : MCInstallationErrorDomain
    	Code   : 4001
    	Type   : MCFatalError
    	...Underlying error:
    	NSError:
    	Desc   : Profile could not be decrypted
    	Sugg   : Decryption key for this profile is not installed.
    	US Desc: Profile could not be decrypted
    	US Sugg: Decryption key for this profile is not installed.
    	Domain : MCProfileErrorDomain
    	Code   : 1006
    	Type   : MCFatalError
    	Extra info:
    	{
    	    isPrimary = 1;
    	}

     



  • 7.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 09, 2013 02:08 PM

    IOS is very picky about certs so you need to make sure you have the certs combined in the CPPM. I know go daddy has 3 or 4 intermediates so make sure you have th right one. you can email yourself the certs and import them directly into the ipad 1 at a time until you find the issue. 

     

    Certs

     

     



  • 8.  RE: Profile Could not be Decrypted Error during iOS Onboarding

    Posted Apr 15, 2013 10:23 AM

    Just wanted to follow up on this thread incase anyone else is running into this issue.  I opened a case with TAC and they said this error is due to the GoDaddy root CA cert having no CN.  This issue should be resolved in the next patch release for ClearPass later this month.  (Bug ID: 13242)

     

    Thanks for your help!