Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
686
Views
0
Helpful
3
Replies

Self registration Guest portal

Mateen Ahmad
Level 1
Level 1

‎09-18-2019 09:07 AM

Hello,

I have 2 ISE nodes Version 2.4, Running in Primary Admin and secondary Admin and PSN on both setup.

I am running Radius, TACACS+ and Guest services.

My Radius and Tacacs are working fine.

2 Issues I am facing in my guest setup

1.In Guest access self registration after  connecting on Guest SSID redirect URL is  giving error (400 bad request) on Guest client machine .

2. When I am doing Portal test URL traffic is redirecting to secondary server.

0 Helpful
3 Replies 3

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎09-18-2019 09:12 PM

Hi Mateen,


1. Are you getting a 302 redirect in response to initial GET request on client machine or you do get a 302 redirect with redirect URL but when the browser tries accessing that, it shows the error 400 bad request ?

 

2. ISE will decide which node to be presented for portal unless you statically define which node's IP to be used for guest services

 

Screenshot 2019-09-19 at 9.41.02 AM.png

 

 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

RaffyLindogan
Spotlight
Spotlight

‎09-18-2019 10:41 PM

Hi mate,

 

What's the status that you see for the connection on the WLC.

Does it says WEBAUTH_REQD?

Do you see the redirect URL on that session on the WLC?

Can you share the live logs showing on ISE?

 

Regarding the other PSN handling the guest traffic, it is possible that:

 1. If you have configured on WLC primary and secondary AAA server, there was a recent disconnection to the primary which has triggered the traffic to failover the secondary. And RADIUS fallback option is not enabled.

 

 2. Could be an issue on the Authorization profile pointing to a 2nd FQDN.

 

 3. Could also be natting or firewall issues on the path basing from that error.

 

But again, it would be clearer if you can send the detailed logs on both ISE and WLC.

 

 

Cheers,

 

Raffy

0 Helpful

Jason Kunst
Cisco Employee
Cisco Employee

‎09-19-2019 04:06 PM

Check out the prescriptive guest guide under http://cs.co/ise-guest

The portal test URL will bring up the PSN with the lowest IP I believe. Is there a problem with that? You cant choose which PSN to look at.
0 Helpful
Customers Also Viewed These Support Documents