
Cisco ISE portal redirection issue

Aqi Shah
Level 1

I have an issue: yesterday we were redirected towards the Cisco ISE sponsor guest portal, and now it is not redirecting. We haven't made any change in configuration and have checked each and everything, but it is still the same. Clients are authenticated successfully, as shown in the RADIUS log. What could be the issue?

Accepted Solutions

Seen this error when the authentication was done by one PSN and the portal page request went to another PSN.
You can open the detailed authentication report and check the session ID and, correspondingly, which PSN served that authentication. The portal request needs to go to that particular PSN only. In case the request goes to another PSN, you would see this error.
Please note that this is the most common scenario in which you would see this 400 Bad Request. There can be other reasons too (far too difficult to identify here; the better thing would be a TAC case).
Suggestion: Please make use of PSN node groups.
Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.


5 Replies

Surendra
Cisco Employee
I would suggest opening a TAC case for this. If you can explain the problem in detail and provide screenshots masking sensitive data, we may give pointers but there are generally too many variables involved when it comes to redirection and it would be best if you work with TAC to get this addressed.

Anurag Sharma
Cisco Employee

Hi @Aqi Shah,

Basic things to check:

1) Is the client getting an IP address (and not an APIPA address)?

2) Is the switch seeing the IP address? (show authentication session interface x/y details)

3) Is the client able to resolve the FQDN of the sponsor portal? (open cmd and try to do nslookup on the FQDN of the portal)

4) Is the client able to reach the PSN (to which the FQDN is resolving)? Try pinging from the client to the PSN, if ping is allowed in your network.

5) Is the Test URL option working for the sponsor portal?

6) Can you paste the FQDN of the sponsor portal in the URL of the client's browser and take captures on the PSN with the filter of the client's IP? Are you seeing any packets coming in?

7) Do you have any proxy or a firewall in the path, which could possibly affect the traffic?


HTH

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

1) Yes, clients are getting an IP from the FW-defined DHCP scope.

2) Is the switch seeing the IP address

ANS:- (YES).

3) Is the Client able to resolve the FQDN of the sponsor portal? (open cmd and try to do nslookup on the FQDN of the portal)

ANS:- Actually, we have configured Cisco ISE with 2 interfaces, E1-10.0.a.b and E2-10.0.C.D. E1 is in the internal subnet with the local DNS entry uk.abcd.com, and E2 is for guests, directly connected to the FW. The DHCP scope is defined on the FW, totally separate from the internal network, and the client has not defined any DNS entry for the E2 interface; they don't want to enter a DNS entry in the internal DNS due to security reasons, so we are trying with only the IP.

4) Is the Test URL option working for the sponsor portal?

ANS:- Yes, we have tested; the guest client got an IP after the sponsor approved the request via email, and the client got an email with credentials.

5) Is the Client able to reach the PSN (to which the FQDN is resolving to)? Try pinging from the client to the PSN, if ping is allowed in your network.

ANS: Yes, the PSN is 10.0.A.B with DNS uk.abcd.com

6) Can you paste the FQDN of the sponsor portal in the URL of the client's browser and take captures on the PSN with the filter of the client's IP? Are you seeing any packets coming in?

ANS) Result is attached.

7) Do you have any proxy or a firewall in the path, which could possibly affect the traffic?

ANS: No


Thank you so much for your assistance and prompt response.