<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Error 400 with Guest Portal Redirection in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839071#M473842</link>
    <description>&lt;P&gt;Thanks for the replies. The DNS entries are configured to round robin between the 2 nodes. Attached is the Authz profile. How do I see which ISE server is handling the request?&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 15 Apr 2019 23:00:31 GMT</pubDate>
    <dc:creator>NETAD</dc:creator>
    <dc:date>2019-04-15T23:00:31Z</dc:date>
    <item>
      <title>Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3838741#M473838</link>
      <description>&lt;P&gt;Hello, I have a 2 node deployment and I'm trying to redirect to a custom URL for the guest portal. I'm doing this by checking the check box for static redirection in the authz profile. When that's configured, redirection isn't working all the time. Clients are sometimes getting an error 400 with a message stating that the radius server terminated the session. How can this be fixed, please? I have ISE 2.4 with patch 6 installed.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2019 13:17:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3838741#M473838</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-15T13:17:34Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3838839#M473840</link>
      <description>&lt;P&gt;Since it is an intermittent issue, I recommend working with the TAC to troubleshoot further.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards,&lt;/P&gt;
&lt;P&gt;-Tim&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2019 15:16:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3838839#M473840</guid>
      <dc:creator>Timothy Abbott</dc:creator>
      <dc:date>2019-04-15T15:16:11Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839027#M473841</link>
      <description>&lt;P&gt;Can you share a screenshot of your AuthZ Rules and results?&amp;nbsp; Do you test which PSN is processing the radius request and then return the appropriate Authorization profiles?&lt;/P&gt;
&lt;P&gt;What do the DNS entries look like for the FQDNs in those Authorization Profiles?&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2019 21:52:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839027#M473841</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2019-04-15T21:52:45Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839071#M473842</link>
      <description>&lt;P&gt;Thanks for the replies. The DNS entries are configured to round robin between the 2 nodes. Attached is the Authz profile. How do I see which ISE server is handling the request?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 15 Apr 2019 23:00:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839071#M473842</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-15T23:00:31Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839862#M473844</link>
      <description>&lt;P&gt;You need two of these AuthZ profiles.&amp;nbsp; One returning a static FQDN for ise01 and one returning a static FQDN for ise02.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Remember that each PSN gets the same programming from the PAN.&amp;nbsp; So to make the PSN "self-aware" you need to create an AuthZ Policy Set Authorization rule as such (the ISE hostname is typically the Gig0 hostname, or if the portal is running on another interface you can alias the hostname too).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="redirect.PNG" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/34838i9E9E9CF4D9730D51/image-size/large?v=v2&amp;amp;px=999" role="button" title="redirect.PNG" alt="redirect.PNG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2019 21:49:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839862#M473844</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2019-04-16T21:49:48Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839874#M473848</link>
      <description>&lt;P&gt;This was the solution. I had to create Authz policies for each ISE node calling their hostname. Now this caused a cert warning since I'm redirecting to the IP and it's not on the cert. I'm asking now if I can add the IPs to the SAN entries. Is there another way around this or we must update the cert?&lt;/P&gt;</description>
      <pubDate>Tue, 16 Apr 2019 22:18:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3839874#M473848</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-16T22:18:02Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840012#M473852</link>
      <description>&lt;P style="text-align: left;"&gt;You should be redirecting to the FQDN instead.&amp;nbsp; Of course this presumes that you have those FQDNs in your DNS &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P style="text-align: left;"&gt;Redirecting to an IP is not ideal - would look a bit suspect in the client's browser &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt; - and adding them to cert would fix it but it's just compounding the issue.&lt;/P&gt;
&lt;P style="text-align: left;"&gt;Rather, add DNS entries for each ISE node, and then add the DNS entries in the SAN of the cert.&amp;nbsp; You can re-use the same cert on both ISE nodes (or create one per PSN - but doesn't matter which option - if it comes from a public CA then one cert containing two SAN entries will be cheaper than buying two separate certs).&amp;nbsp; A wildcard cert would also work, but those are more expensive.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2019 04:29:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840012#M473852</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2019-04-17T04:29:18Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840015#M473856</link>
      <description>&lt;P&gt;I actually have installed a wildcard cert. I will try to forward to the fqdn instead.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2019 04:41:37 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840015#M473856</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-17T04:41:37Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840488#M473876</link>
      <description>&lt;P&gt;Hi Arne, should it be 2 different dns records for each node guest portal and reference those in the static redirection box?&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2019 16:00:01 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840488#M473876</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-17T16:00:01Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840549#M473877</link>
      <description>&lt;P&gt;If you are using the actual FQDNs of the ISE PSNs in the guest redirect URL you only need one redirect rule as ISE automatically puts the FQDN of the node in the URL.&amp;nbsp; If you are hiding the real FQDNs with names like guest1.mycompany.com and guest2.mycompany.com then you will need DNS entries for each PSN with the fake names and you will need a rule for each PSN that redirects to the fake name, i.e. if authenticated by PSN1 then redirect to guest1.mycompany.com.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2019 17:59:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840549#M473877</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-04-17T17:59:40Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840575#M473879</link>
      <description>Yes, you're right. This broke again when I redirected to one DNS record that resolves to both nodes' IPs. I'm about to create new ones. One question for you please, Paul: where do I find the ifauthenticated attribute in ISE 2.4?&lt;BR /&gt;&lt;BR /&gt;</description>
      <pubDate>Wed, 17 Apr 2019 18:49:31 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840575#M473879</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-17T18:49:31Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840581#M473881</link>
      <description>&lt;P&gt;Here you go.&amp;nbsp; Just match on the hostname only not the FQDN:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.JPG" style="width: 474px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/34911i80B22345C2309BF1/image-size/large?v=v2&amp;amp;px=999" role="button" title="Capture.JPG" alt="Capture.JPG" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2019 18:54:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840581#M473881</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-04-17T18:54:13Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840586#M473882</link>
      <description>&lt;P&gt;Attached is what I have so far.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Apr 2019 19:09:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3840586#M473882</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-17T19:09:18Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3843477#M473883</link>
      <description>&lt;P&gt;Hello, after redirecting the 2 different A records, it worked for a couple of days and then we got the error 400 again. Any other suggestions you recommend me trying?&lt;/P&gt;</description>
      <pubDate>Tue, 23 Apr 2019 19:49:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/3843477#M473883</guid>
      <dc:creator>NETAD</dc:creator>
      <dc:date>2019-04-23T19:49:59Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/5011046#M586984</link>
      <description>&lt;P&gt;We are having this same issue, did you have any progress? (We have an open TAC case)&lt;/P&gt;</description>
      <pubDate>Thu, 01 Feb 2024 13:04:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/5011046#M586984</guid>
      <dc:creator>brennosalgeiro</dc:creator>
      <dc:date>2024-02-01T13:04:26Z</dc:date>
    </item>
    <item>
      <title>Re: Error 400 with Guest Portal Redirection</title>
      <link>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/5112257#M589536</link>
      <description>&lt;P&gt;We've experienced this same issue as well, "[400] Bad Request" on our ISE Guest Web-Auth portal. We had separate Authz rules built in our Policy for each separate PSN, so that kind of ruled that out. I worked with TAC for two months on this. This issue was intermittent, so very difficult to t/s. It came down to re-creating the issue.&lt;/P&gt;&lt;P&gt;The issue/error seemed to come up prior to Guest users hitting the "Accept" button ("Authenticating") on our Web-Auth page. If they had auto-reconnect enabled for our Guest SSID, and did not accept the AUP, this error would sometimes come up on their browser, seemingly randomly. If they swiped/closed the browser and relaunched the page, the error would go away and then they would get the AUP page in order to Authenticate.&lt;/P&gt;&lt;P&gt;Ultimately, the issue appears when roaming APs. We would see this in ISE EP Debugs: "PortalWebActionException: Session token validation failed.&amp;nbsp; Token does not match token in the radius session."&lt;/P&gt;&lt;P&gt;Per the TAC Engineer, this is expected behavior, as when roaming APs, ISE gets a new SessionID Token from the AP, therefore the original URL redirect link is now invalid, causing the [400] Bad Request error.&lt;/P&gt;&lt;P&gt;"As you can see, the error is that the token in the radius session is not matching; the most probable reason is that roaming is happening on that session, so the tokens are different, which explains why the issue is not happening at all times. As it is an expected behavior there are no actions to take for now."&lt;/P&gt;&lt;P&gt;Hopefully this provides answers to others, but it still does not really resolve anything for us, as if a reoccurring user enters our campus, associates to an AP, auto-reconnects to the Guest WLAN, then roams APs, they will likely get the 400 Error. It just makes it an inconvenience to our visitors/guests, if they do not know to simply re-launch the browser.&lt;/P&gt;</description>
      <pubDate>Tue, 21 May 2024 17:05:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/error-400-with-guest-portal-redirection/m-p/5112257#M589536</guid>
      <dc:creator>Brian Hanson</dc:creator>
      <dc:date>2024-05-21T17:05:00Z</dc:date>
    </item>
  </channel>
</rss>

