Error 400 with Guest Portal Redirection

NETAD
Level 4

Hello, I have a 2 node deployment and I'm trying to redirect to a custom URL for the guest portal. I'm doing this by checking the check box for static redirection in the authz profile. When that's configured, redirection isn't working all the time. Clients are sometimes getting an error 400 with a message stating that the radius server terminated the session. How can this be fixed, please? I have ISE 2.4 with patch 6 installed.

2 Accepted Solutions

Timothy Abbott
Cisco Employee

Since it is an intermittent issue, I recommend working with the TAC to troubleshoot further.

 

Regards,

-Tim


You need two of these AuthZ profiles. One returning a static FQDN for ise01 and one returning a static FQDN for ise02.

 

Remember that each PSN gets the same programming from the PAN. So to make the PSN "self-aware" you need to create an AuthZ Policy Set Authorization rule as such (the ISE hostname is typically the Gig0 hostname, or if the portal is running on another interface you can alias the hostname too).

 

[Attachment: redirect.PNG]


14 Replies


Arne Bier
VIP

Can you share a screenshot of your AuthZ Rules and results? Do you test which PSN is processing the radius request and then return the appropriate Authorization profiles?

What do the DNS entries look like for the FQDNs in those Authorization Profiles?

Thanks for the replies. The DNS entries are configured to round robin between the 2 nodes. Attached is the Authz profile. How do I see which ISE server is handling the request? 


This was the solution. I had to create Authz policies for each ISE node calling their hostname. Now this caused a cert warning since I'm redirecting to the IP and it's not on the cert. I'm asking now if I can add the IPs to the SAN entries. Is there another way around this or we must update the cert?

You should be redirecting to the FQDN instead. Of course this presumes that you have those FQDNs in your DNS :-)

Redirecting to an IP is not ideal - would look a bit suspect in the client's browser :-( - and adding them to cert would fix it but it's just compounding the issue.

Rather, add DNS entries for each ISE node, and then add the DNS entries in the SAN of the cert. You can re-use the same cert on both ISE nodes (or create one per PSN - but doesn't matter which option - if it comes from a public CA then one cert containing two SAN entries will be cheaper than buying two separate certs). A wildcard cert would also work, but those are more expensive.

I actually have installed a wildcard cert. I will try to forward to the fqdn instead.

Hi Arne, should it be 2 different DNS records, one for each node's guest portal, and reference those in the static redirection box?

If you are using the actual FQDNs of the ISE PSNs in the guest redirect URL you only need one redirect rule as ISE automatically puts the FQDN of the node in the URL.  If you are hiding the real FQDNs with names like guest1.mycompany.com and guest2.mycompany.com then you will need DNS entries for each PSN with the fake names and you will need a rule for each PSN that redirects to the fake name, i.e. if authenticated by PSN1 then redirect to guest1.mycompany.com.
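The two replies above boil down to a pair of checks on each static redirect target: it must be a name, not an IP; that name must resolve to exactly one PSN, the one that authenticated the client (a round-robin record lands some clients on the other node); and the name must be covered by the portal certificate's SANs. The script below is an added example that performs those checks against a constructed DNS view and SAN list; it is not part of the thread or of ISE, and the hostnames, addresses and SAN entries are assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): the two PSNs
# and the names the guest portal might be redirected to.
PSN_ADDRESSES = {"ise01.mycompany.com": "10.0.0.11", "ise02.mycompany.com": "10.0.0.12"}

# Constructed DNS view: name -> list of A records.
DNS = {
    "ise01.mycompany.com": ["10.0.0.11"],
    "ise02.mycompany.com": ["10.0.0.12"],
    "guest1.mycompany.com": ["10.0.0.11"],
    "guest2.mycompany.com": ["10.0.0.12"],
    "guest.mycompany.com": ["10.0.0.11", "10.0.0.12"],  # one round-robin record for both nodes
}

# Constructed SAN list of the portal certificate (a wildcard covers one label only).
CERT_SANS = ["*.mycompany.com"]


def san_matches(san: str, name: str) -> bool:
    """Match a SAN entry against a hostname; a wildcard is allowed only as the
    whole left-most label and matches exactly one label (RFC 6125 style)."""
    san, name = san.lower(), name.lower()
    if not san.startswith("*."):
        return san == name
    suffix = san[1:]                      # ".mycompany.com"
    if not name.endswith(suffix):
        return False
    left = name[: -len(suffix)]           # label(s) the wildcard would cover
    return left != "" and "." not in left


def check_redirect(target: str, psn: str) -> list[str]:
    """Return the problems with using `target` as the static redirect URL host
    for sessions authenticated by `psn`; an empty list means it is consistent."""
    problems = []
    try:
        ipaddress.ip_address(target)
        return ["redirect target is an IP address; it will not match the certificate"]
    except ValueError:
        pass                              # not an IP literal, continue with the name checks
    addrs = DNS.get(target, [])
    if not addrs:
        problems.append(f"{target} has no DNS record")
    elif len(addrs) > 1:
        problems.append(f"{target} resolves to {len(addrs)} addresses; round-robin can send the client to the other PSN")
    elif addrs[0] != PSN_ADDRESSES[psn]:
        problems.append(f"{target} resolves to {addrs[0]}, not to {psn} ({PSN_ADDRESSES[psn]})")
    if not any(san_matches(s, target) for s in CERT_SANS):
        problems.append(f"{target} is not covered by the certificate SANs {CERT_SANS}")
    return problems
```

Run `check_redirect("guest.mycompany.com", "ise01.mycompany.com")` to see the round-robin case from the thread flagged, and the per-node names pass cleanly.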

Yes, you're right. This broke again when I redirected to one DNS record that resolves to both nodes' IPs. I'm about to create new ones. One question for you please, Paul: where do I find the ifauthenticated attribute in ISE 2.4?

Here you go. Just match on the hostname only, not the FQDN:

 

[Attachment: Capture.JPG]

Attached is what I have so far.

Hello, after redirecting to the 2 different A records, it worked for a couple of days and then we got the error 400 again. Any other suggestions you recommend me trying?

brennosalgeiro
Level 1

We are having this same issue, did you have any progress? (We have an open TAC case)
