cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
142
Views
0
Helpful
0
Replies

Meraki ISE Guest with SAML portal - 400 error after SAML for IOS CNA

Tim Fairclough
Level 1
Level 1

Hi All,

I have built a Meraki IPSK WLAN with ISE for Guest/BYOD/IoT devices. Guest and BYOD PSK users CWA to primary Guest portal, then staff click link to secondary Guest Portal configured for SAML against EntraID. Post-auth, the endpoint MAC is registered to a specific endpoint group allowing bypass auth for subsequent connections (if not matching Guest-Flow rule)

Staff device registration SAML flow works fine for Android and Windows 11 devices, also for MacOS if I close the CNA browser and use Firefox. IOS and MacOS using CNA can perform SAML auth, receive the ISE Success page with a 'Done' button, however approx 4 seconds later, receive an ISE 400 error page.

I find the below in the ISE Guest.log with several debugs enabled. These messages only occur for CNA connections, and roughly happen at the right time when the issue occurs. (I dont see this for my Android test client, haven't checked others).

The logs seem to indicate the SAML Reply URL (from Entra ID) is part of my issue, and the last message below is presumably hte 400 error page.

I have a single Entra ID enterprise app, and use SAML for Sponsor portal, as well as this guest portal (MFA disabled for app due to IOS CNA issue killing session when accessing token). ISE 3.1 patch 9. MR57 WAPs tunnelled to MX105 anchor.

Any ideas or suggestions I could try would be welcome!

TIA,

Tim

 

2024-09-10 15:30:47,189 ERROR  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- ---CSRF Attack warning report start---
2024-09-10 15:30:47,189 ERROR  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- Token is invalid.
2024-09-10 15:30:47,189 ERROR  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- Invalid Token URL :: https://dc1pise01.<customerdomain>.com:8443/portal/SSOLoginResponse.action
2024-09-10 15:30:47,189 ERROR  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- request.getPathInfo() = null
2024-09-10 15:30:47,189 ERROR  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- source: remote addr=192.168.208.52, remote host=192.168.208.52, remote port=64351, remote usernull
2024-09-10 15:30:47,189 ERROR  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- ---CSRF Attack warning report end---
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalPreResultListener -::- before result ... resultCode: invalid.token
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- result: invalid.token
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- RateLimit validation is in progress..!
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- Portal Configured Maximum Allowed Login attempts are: 0
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- Portal Configured Rate Limit value: 0 Min(s) 
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- Current Login failed Attempt count: 0
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] ise.portalwebaction.utils.spring.ISESpringControllerUtils -::- Entered exposeBeanAsRequestAttributes
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- forwardStrinvalid.token
2024-09-10 15:30:47,189 DEBUG  [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- Entered dispatchRequest
2024-09-10 15:30:47,189 INFO   [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- mapping path found in action-forwards, forwarding to: /pages/fatal-error.jsp
0 Replies 0