
ISE 2.1 Hotspot Guest Portal Redirect Problem - 500 Internal Error

N3t W0rK3r
Level 3

We are trying to set up a hotspot guest portal in our ISE 2.1 installation (2.1.0.474 patch level 2).

The WLC config and ISE config are in place as best as I can tell, but when users connect to our hotspot, they are being redirected to the portal, but a 500 Internal Error page is displayed instead of the AUP page.

I originally used port 8443 for this but changed it to 8449 with no change.

I have tried Android phones, iPhones and a MacBook and all are presented with the same error.

Oddly enough, if the client tries to reconnect after getting the 500 error, they do connect successfully without ever seeing the AUP.

 

Thanks in advance for any suggestions you may have.

 

John

6 Replies

Rahul Govindan
VIP Alumni
Is this a distributed setup or a standalone? I have seen instances with the same error when I redirect to a node that is not a PSN. Also, are the users being redirected via FQDN or IP address?

Rahul,

 

Thanks for your reply.

Ours is a 4-node distributed deployment, with 2 PANs and 2 PSNs.  The portal is set up on both PSNs only.  Currently pointing to a public FQDN that is resolvable.

Because we are using a public FQDN we can only point to one PSN at a time.  So, we tried both PSNs and found different behaviour with each.  On PSN1, the user would get the AUP but would not get connected after clicking Accept, until they forgot the network and reconnected.  On PSN2, users do not get the AUP, but get the 500 internal error instead, and do not get connected at all.  Clearly there is some kind of difference between the configs on the two PSNs but I have no clue as to how to fix this.

 

John

How is the WLC set up? Do you have an Anchor-Foreign setup for guest access? One issue could be if RADIUS accounting is set up on multiple controllers due to the bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCul83594

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html#anc11

I do not know exactly how the WLC is set up as I didn't do that part of the config.  What do you mean by an "Anchor-Foreign setup"?  How would I know if that's what we have?  I will consult with our WLC admin to review this.

 

Thank you.

 

John

In Wireless Guest setups, you could have an "anchor" controller sitting on the DMZ and foreign controllers across the campus. Foreign controllers talk to the clients directly and send all the traffic via tunnel to the anchor controller and then to the internet, separating Guest from other traffic. You should see some setting on the Foreign Controller under the menu:
Controller -> Mobility Management -> Mobility groups

Example given here:
https://supportforums.cisco.com/t5/wireless-mobility-documents/cisco-guest-access-using-wlc-with-anchor-setup-release-7-0/ta-p/3149622

Thanks for the explanation.  From what I can tell, we have no anchor point configured on our WLC HA.

I have been able to open a TAC case and we are working through it.  Looks like I may have to reimage the bad PSN node as it would not take Patch 6, and I've had other problems with it as well.

 

Thanks again.
