OnBoard Failing for Macbook Laptops

  • 1.  OnBoard Failing for Macbook Laptops

    MVP
    Posted Dec 17, 2014 02:43 PM

    Customer wanted to OnBoard company-owned devices to do TLS authentication. I have ClearPass and the IAP cluster configured. OnBoard works successfully on Windows laptops, and we have it working on 1 Macbook (took 4 hours of trying and didn't really change anything).

    Device connects to SSID-Secure (WPA2-Enterprise against AD), enters credentials, then is put in the pre-provisioning role (OnBoard captive portal); the user logs in (against AD) and follows the OnBoarding steps.

    When it tries to install the certificate we receive "Cannot decrypt encrypted profile" and it does not connect.

    I have debugging turned on in the OnBoard plugin, and the application logs do not show anything too strange, except a few re-sends of the phases.

    Any ideas why this may be happening? I'm close to calling TAC, but thought I would try this first.



  • 2.  RE: OnBoard Failing for Macbook Laptops

    Posted Dec 17, 2014 04:00 PM

    This is while you are trying to install the profile?



  • 3.  RE: OnBoard Failing for Macbook Laptops

    MVP
    Posted Dec 17, 2014 04:03 PM

    Correct, we receive that error while installing the profile.



  • 4.  RE: OnBoard Failing for Macbook Laptops

    Posted Dec 17, 2014 04:04 PM
    Have you tried disabling HTTPS and instead using HTTP?



  • 5.  RE: OnBoard Failing for Macbook Laptops
    Best Answer



  • 6.  RE: OnBoard Failing for Macbook Laptops

    MVP
    Posted Dec 17, 2014 04:16 PM

    Testing now, will update shortly.

    Thanks!



  • 7.  RE: OnBoard Failing for Macbook Laptops

    EMPLOYEE
    Posted Dec 17, 2014 04:18 PM
    Do you have a publicly signed web server certificate?


  • 8.  RE: OnBoard Failing for Macbook Laptops

    MVP
    Posted Dec 17, 2014 04:19 PM

    Customer purchased an SSL cert from DigiCert that we installed for RADIUS authentication and I am using that for the OnBoard certificate as well.



  • 9.  RE: OnBoard Failing for Macbook Laptops

    MVP
    Posted Dec 17, 2014 04:26 PM

    So it looks like with HTTP, we were able to install the profiles successfully. We had to manually disconnect and reconnect for the TLS authentication to succeed. We are going to test a few more devices just to verify.



  • 10.  RE: OnBoard Failing for Macbook Laptops

    Posted Dec 17, 2014 04:37 PM

    Not sure how you can fix that with an IAP, but on the controller side of things, if you include the IP address of the controller (captive portal), it allows you to do that.

    2014-12-17 16_36_15-L3 Authentication.png



  • 11.  RE: OnBoard Failing for Macbook Laptops

    MVP
    Posted Dec 17, 2014 04:53 PM

    It appears that using HTTP instead of HTTPS has resolved the profile installation issue. From a security perspective, the profile installation is unencrypted, but once that is complete and the TLS authentication takes place, that will be encrypted from that point, correct?



  • 12.  RE: OnBoard Failing for Macbook Laptops

    Posted Dec 17, 2014 05:13 PM
    That's correct