topic I am experiencing the exact in Network Access Control

[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data.

moosas001 — Mon, 11 Mar 2019 06:46:22 GMT

Hi,

Cisco ise giving the following error when users are trying to connect guest portal page

"Possible cause is unknown, invalid, or terminated RADIUS session ID. Please advise the System Admin to consult the logs and ensure that the RADIUS session was not generated by a different PSN or due to a deny access policy match ."

Cisco Identity Services Engine
---------------------------------------------
Version : 2.0.0.306

Engine patch version 3.0

How to solve this issue

Thanks

I am experiencing the exact

Jeff Okragly — Mon, 01 Aug 2016 14:22:11 GMT

I am experiencing the exact same error. I am running the same Version and HF as well. Did you ever find a solution to this? Looking to something to track down and the Live Radius Logs are showing it.

Not sure if this will help...

James Johnston — Mon, 01 Aug 2016 14:57:41 GMT

Not sure if this will help...

We were having the same issue when guest users were redirected to the quest portal. What was happening in our environment was that we implemented a wildcard SSL certificate so that user's wouldn't get the "unsecure connection" warning when they were presented with our internal CA certificates.

In order to do this, we had to change the URL presented to users; which was different than the FQDN of the ISE hosts (2 different domains). At first we were doing Round Robin DNS to perform this.

This was our issue. Upon the guest user's first connection to the open SSID, the WLC and ISE would talk between each other (WLC <--> PSN 1). However, when user's were authorized and redirected to the portal it would be a different node (User <--> PSN 3). This meant the session IDs were different and thus user's would get that error.

This is what TAC had us perform to fix the issue:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

The only down side is that the PSNs aren't really "load balanced" all clients will be directed to a single PSN until that PSN goes down. Then all requests will go to the next PSN in the cluster.

Hope that helps.

This is interesting. I to

Jeff Okragly — Mon, 01 Aug 2016 18:20:08 GMT

This is interesting. I to have a public wildcard SSL Cert applied so that users don't get the cert error page. However I am not load balancing via DNS, I am simply calling the hostname.

xxx@123.com and yyy@123.com

My WLC SSID is set to use authentication and accounting of PSN1 and PSN2 is slotted as backup just how my deployment is on my ISE Nodes as well. I am hoping all traffic is hitting just one of the PSN and the other is just idol stanby.

Your issue may be different

James Johnston — Mon, 01 Aug 2016 23:08:25 GMT

Your issue may be different than mine; but one thing you may try is shutting down your second PSN and taking it out of the WLC. Then maybe have users try authenticating?

We just implemented ISE in our environment with the help of an IT consultant. So not sure what else could be going on.