
RADIUS Session Not Found on guest portal.

Dustin Anderson
VIP Alumni

Not sure if there is a known way to fix this, but running into an issue between Juniper wireless and ISE. The issue seems to be Juniper creates a new session whenever you roam to another AP, but ISE seems to just rejoin the old session. Not an issue until it tries to load the guest portal as the session number is part of the URL and we get RADIUS session not found if they have roamed.

Now, for a workaround if we delete the endpoint they will get the portal, but that is manual and would like to see the issue go away.

The only other discussion I saw said setting the profiling from port bounce to reauth fixed it, but does not in this case.

Any idea to get ISE to take the new session on roam or how to alleviate the issue?

Accepted Solutions

If both ISE nodes are running PSN persona AND you have configured your Guest SSID with both of them (it does not matter the order in the wireless controller RADIUS server configuration), then the initial authentication (MAB) hits the 1st PSN but the CoA for WebAuth/Portal would hit the 2nd PSN and because there is NO session on this 2nd PSN, then you will get an error (I have seen that several times when using Cisco WLC/AP/ISE). I have F5 in place but until I deploy source NAT on F5, I cannot have multiple PSNs for a WebAuth SSID. I can only have 1 x PSN for that SSID in the RADIUS server configuration.


ajc
Level 7

Do you have multiple RADIUS servers for Guest SSID/Portal or even a Load Balancer in place?

Dustin Anderson
VIP Alumni

2 ISE units, no load balancer. Running 3.3 patch 4

ise1 = SNS 3765 pri PAN sec MON

ise2 = SNS 3765 sec PAN pri MON

OK, I was seeing info on stuff like that and tried to prioritize ise1, but still seems to happen. I may try it with just ise1 to verify it stops. Lose redundancy for now until we can find another option.

ajc
Level 7

BTW, we have found ISE 3.3 a little bit buggy.
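
A triage sketch for the two causes discussed in this thread (a roam that leaves a stale session ID in the portal URL, and a portal request landing on a PSN that did not handle the MAB), added here as an example and not taken from any poster or from Cisco. The record layout, the `sessionId` query parameter name, the host names and all sample values are constructed assumptions; adapt the parsing to whatever your RADIUS and portal logs actually contain.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data, not real ISE logs. Field layout is an assumption.
# MAB authentications: (time, endpoint MAC, session ID sent by the NAD, PSN that handled it)
AUTHS = [
    (100, "aa:bb:cc:00:00:01", "S-1001", "ise1"),
    (100, "aa:bb:cc:00:00:02", "S-2001", "ise1"),
    (160, "aa:bb:cc:00:00:02", "S-2002", "ise1"),  # roam: NAD opened a new session
    (100, "aa:bb:cc:00:00:03", "S-3001", "ise1"),
]
# Portal requests: (time, PSN that served the portal, requested URL)
PORTAL_HITS = [
    (105, "ise1", "https://ise1.example.test:8443/portal/gateway?sessionId=S-1001&action=cwa"),
    (170, "ise1", "https://ise1.example.test:8443/portal/gateway?sessionId=S-2001&action=cwa"),
    (110, "ise2", "https://ise2.example.test:8443/portal/gateway?sessionId=S-3001&action=cwa"),
]

def classify(hit, auths):
    """Return (session_id, verdict) for one portal request."""
    t, portal_psn, url = hit
    sid = parse_qs(urlparse(url).query).get("sessionId", [None])[0]
    owner = next(((mac, psn) for (_, mac, s, psn) in auths if s == sid), None)
    if owner is None:
        return sid, "unknown_session"
    mac, auth_psn = owner
    if auth_psn != portal_psn:
        # The accepted answer's case: the session lives on a different PSN.
        return sid, "session_on_other_psn"
    # The original question's case: the endpoint has a newer session than
    # the one carried in the URL at the time the portal was requested.
    prior = [a for a in auths if a[1] == mac and a[0] <= t]
    if prior and max(prior, key=lambda a: a[0])[2] != sid:
        return sid, "superseded_after_roam"
    return sid, "ok"

def triage(hits=PORTAL_HITS, auths=AUTHS):
    return [classify(h, auths) for h in hits]

if __name__ == "__main__":
    for sid, verdict in triage():
        print(f"{sid}: {verdict}")
```

Counting verdicts per cause over a day of logs shows whether restricting the SSID to a single PSN addresses most failures or whether roaming is the larger contributor.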