09-10-2024 01:21 AM - edited 09-10-2024 01:57 AM
Hi All,
I have built a Meraki IPSK WLAN with ISE for Guest/BYOD/IoT devices. Guest and BYOD PSK users CWA to primary Guest portal, then staff click link to secondary Guest Portal configured for SAML against EntraID. Post-auth, the endpoint MAC is registered to a specific endpoint group allowing bypass auth for subsequent connections (if not matching Guest-Flow rule)
Staff device registration SAML flow works fine for Android and Windows 11 devices, also for macOS if I close the CNA browser and use Firefox. iOS and macOS using CNA can perform SAML auth, receive the ISE Success page with a 'Done' button, however approx 4 seconds later, receive an ISE 400 error page.
I find the below in the ISE Guest.log with several debugs enabled. These messages only occur for CNA connections, and roughly happen at the right time when the issue occurs. (I don't see this for my Android test client, haven't checked others).
The logs seem to indicate the SAML Reply URL (from Entra ID) is part of my issue, and the last message below is presumably the 400 error page.
I have a single Entra ID enterprise app, and use SAML for Sponsor portal, as well as this guest portal (MFA disabled for app due to iOS CNA issue killing session when accessing token). ISE 3.1 patch 9. MR57 WAPs tunnelled to MX105 anchor.
Any ideas or suggestions I could try would be welcome!
TIA,
Tim
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- ---CSRF Attack warning report start--- |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- Token is invalid. |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- Invalid Token URL :: https://dc1pise01.<customerdomain>.com:8443/portal/SSOLoginResponse.action |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- request.getPathInfo() = null |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- source: remote addr=192.168.208.52, remote host=192.168.208.52, remote port=64351, remote usernull |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- ---CSRF Attack warning report end--- |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalPreResultListener -::- before result ... resultCode: invalid.token |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- result: invalid.token |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- RateLimit validation is in progress..! |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- Portal Configured Maximum Allowed Login attempts are: 0 |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- Portal Configured Rate Limit value: 0 Min(s) |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- Current Login failed Attempt count: 0 |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] ise.portalwebaction.utils.spring.ISESpringControllerUtils -::- Entered exposeBeanAsRequestAttributes |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- forwardStrinvalid.token |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- Entered dispatchRequest |
2024-09-10 15:30:47,189 INFO [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- mapping path found in action-forwards, forwarding to: /pages/fatal-error.jsp |
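Added example, not part of the original post or of Cisco ISE: a small Python parser that walks the guest.log excerpt above, groups each "CSRF Attack warning report" by worker thread, and pulls out the fields a responder actually wants to line up (the rejected URL, the client address and port, the interceptor result and the page ISE forwarded to). The sample input is the log excerpt from the post; the line regex, the record fields and the `is_sso_token_failure` check are my own assumptions about how to read these lines, not an ISE API.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Log excerpt copied from the post above (placeholder <customerdomain> kept as-is).
SAMPLE_LOG = """\
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- ---CSRF Attack warning report start--- |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- Token is invalid. |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- Invalid Token URL :: https://dc1pise01.<customerdomain>.com:8443/portal/SSOLoginResponse.action |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- request.getPathInfo() = null |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- source: remote addr=192.168.208.52, remote host=192.168.208.52, remote port=64351, remote usernull |
2024-09-10 15:30:47,189 ERROR [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalTokenInterceptor -::- ---CSRF Attack warning report end--- |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalPreResultListener -::- before result ... resultCode: invalid.token |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- result: invalid.token |
2024-09-10 15:30:47,189 DEBUG [https-jsse-nio-10.200.13.95-8443-exec-3][] cisco.ise.portalwebaction.controller.PortalFlowInterceptor -::- RateLimit validation is in progress..! |
2024-09-10 15:30:47,189 INFO [https-jsse-nio-10.200.13.95-8443-exec-3][] portalwebaction.utils.portal.spring.ISEPortalControllerUtils -::- mapping path found in action-forwards, forwarding to: /pages/fatal-error.jsp |
"""

# Assumed shape of an ISE portal log line: "<ts> <LEVEL> [<thread>][] <logger> -::- <msg> |"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\]\[[^\]]*\] "
    r"(?P<logger>\S+) -::- (?P<msg>.*?)\s*\|?\s*$"
)


@dataclass
class CsrfReport:
    """One 'CSRF Attack warning report' plus the flow result that followed it."""
    thread: str
    timestamp: str
    invalid_url: Optional[str] = None
    path_info: Optional[str] = None
    remote_addr: Optional[str] = None
    remote_port: Optional[str] = None
    remote_user: Optional[str] = None
    result: Optional[str] = None
    forwarded_to: Optional[str] = None


def parse_csrf_reports(lines) -> List[CsrfReport]:
    """Group log lines by worker thread and collect each CSRF report into a record."""
    open_reports = {}   # thread -> report still being filled in
    finished = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        if "CSRF Attack warning report start" in msg:
            open_reports[thread] = CsrfReport(thread=thread, timestamp=m["ts"])
            continue
        rep = open_reports.get(thread)
        if rep is None:
            continue  # not inside a report on this thread
        if msg.startswith("Invalid Token URL ::"):
            rep.invalid_url = msg.split("::", 1)[1].strip()
        elif msg.startswith("request.getPathInfo() ="):
            rep.path_info = msg.split("=", 1)[1].strip()
        elif msg.startswith("source:"):
            # "remote usernull" has no '=' in the source line, so tolerate a missing one.
            addr = re.search(r"remote addr=([^,\s]+)", msg)
            port = re.search(r"remote port=(\d+)", msg)
            user = re.search(r"remote user\s*=?\s*(\S*)", msg)
            rep.remote_addr = addr.group(1) if addr else None
            rep.remote_port = port.group(1) if port else None
            rep.remote_user = user.group(1) if user else None
        elif msg.startswith("result:"):
            rep.result = msg.split(":", 1)[1].strip()
        elif "forwarding to:" in msg:
            # The forward closes the request; the report is complete.
            rep.forwarded_to = msg.split("forwarding to:", 1)[1].strip()
            finished.append(open_reports.pop(thread))
    finished.extend(open_reports.values())  # reports that never reached a forward
    return finished


def is_sso_token_failure(rep: CsrfReport) -> bool:
    """True when the rejected request is the SAML response callback, i.e. the portal
    token check failed on SSOLoginResponse.action rather than on a user-driven page."""
    return bool(rep.invalid_url) and rep.invalid_url.endswith(
        "/portal/SSOLoginResponse.action") and rep.result == "invalid.token"


if __name__ == "__main__":
    for r in parse_csrf_reports(SAMPLE_LOG.splitlines()):
        print(r.timestamp, r.remote_addr, r.invalid_url, r.result, r.forwarded_to,
              "SSO-callback-token-failure" if is_sso_token_failure(r) else "")
```

Run it against a longer guest.log export and compare the `remote_addr` and timestamp of each flagged report with the client that was mid-SAML at that moment; that tells you whether the "CSRF" entries are all SAML-callback rejections for the CNA clients or a mix of unrelated portal token errors.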