ClearPass & MobileIron – Error: not well-formed (invalid token)
This post isn’t going to describe what HPE Aruba ClearPass or MobileIron is, nor will it describe the configuration steps necessary to add MobileIron to ClearPass, but I will give a short summary:
- Add the MobileIron VSP to ClearPass as an Endpoint Context Server (CPPM – Administration – External Servers);
- The account on MobileIron needs API rights to enable ClearPass to retrieve information from MobileIron.
This post tells a bit more about an error message I suddenly started to receive in the CPPM Event Viewer.
Error: not well-formed (invalid token)
I checked the internet, but I couldn’t find any useful information. I opened a TAC case to look into this error. The TAC engineer told me he had seen this error before, where MobileIron sends invalid token characters to ClearPass. He told me that CPPM does batch processing of the devices and the entire batch fails when CPPM doesn’t understand special characters. He also told me how to see which device is causing the problem.
You have to collect the CPPM logs (CPPM – Administration – Server Manager – Server Configuration – Collect Logs). After you untar the tar.gz file, you should look at the directory “strange string”\PolicyManagerLogs\mdm\MI\mdm-server and you should open the file 0.xml.bak.
Scroll down to the line mentioned in the error message and you will see something like below. I always use Notepad++ to open the file.
CPPM doesn’t understand these special characters in the key. When you start scrolling up, you can determine which device in MobileIron triggers the error message in CPPM.
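The search described above can be scripted instead of scrolling by hand. The following Python sketch is an added example, not part of the original post or of ClearPass: it runs every XML file in the extracted mdm-server directory through the expat parser, whose error wording matches the Event Viewer message, and returns the failing line together with the lines above it. The element names in the sample data are constructed, since the real export format is not shown here.

```python
import sys
from pathlib import Path
from xml.parsers import expat

# Constructed sample: element names are hypothetical, not the real MobileIron export.
SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?>\n<devices>\n'
          b'  <device>\n    <uuid>constructed-0001</uuid>\n'
          b'    <entry key="model">Phone A</entry>\n  </device>\n'
          b'  <device>\n    <uuid>constructed-0002</uuid>\n'
          b'    <entry key="no\x1ate">Phone B</entry>\n  </device>\n</devices>\n')

def first_xml_error(data):
    """Return (line, column, message) for the first well-formedness error, else None."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        return err.lineno, err.offset, expat.ErrorString(err.code)
    return None

def forbidden_bytes(line):
    """(index, byte) pairs for control characters that XML 1.0 does not allow."""
    return [(i, b) for i, b in enumerate(line) if b < 0x20 and b not in (0x09, 0x0A, 0x0D)]

def report(data, context=6):
    """Locate the error and keep the lines above it (the 'scroll up' step)."""
    hit = first_xml_error(data)
    if hit is None:
        return None
    lineno, column, message = hit
    lines = data.split(b"\n")
    return {"line": lineno, "column": column, "message": message,
            "forbidden": forbidden_bytes(lines[lineno - 1]),
            "context": lines[max(0, lineno - 1 - context):lineno]}

def scan_dir(directory):
    """Check every *.xml* file (0.xml.bak and its siblings) in one directory."""
    results = {}
    for path in sorted(Path(directory).glob("*.xml*")):
        found = report(path.read_bytes())
        if found:
            results[path.name] = found
    return results

if __name__ == "__main__":
    for name, found in scan_dir(sys.argv[1]).items():
        print(f"{name}: {found['message']} at line {found['line']}, column {found['column']}")
        for raw in found["context"]:
            print("   ", repr(raw))  # repr makes invisible bytes visible, e.g. \x1a
```

Run it with the path to the extracted mdm-server directory as the only argument; the last context line printed for each file is the one the parser rejected.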
After I found the device in MobileIron I checked every setting on the device to find the special character, but I couldn’t find one. In the end there was only one solution for me: retire the device. This basically means removing the device from MobileIron, after which the user needs to reprovision the device in MobileIron. The sync between CPPM and MobileIron was successful again after I retired the device.
Tip of the week: I guess you aren’t always looking at the Event Viewer for errors, so maybe it is useful to configure ClearPass Insight to send a notification if a System Error Event occurs!!!
Post by René Jorissen
You saved my day (what..? no, you saved my month)!
After a MobileIron update we experienced the same issues.
Your blog pointed me to the solution direction.
Great find, thank you! One comment: my line error was not in 0.xml. I had to scrub through 7 XML files, but eventually found the special character on the line number in the event viewer.