Single Click Self-Registration Approval Link PSN Specific?

paul
Level 10

Is the single click self-registration link that is sent to the sponsor in the email PSN specific? I mean, can any PSN process that link?

 

I have a two node deployment where the sponsor portal has an FQDN, sponsor.mycompany.com.  We have A records for sponsor.mycompany.com pointing at both ISE nodes.  If ISE node #1 processes the self-registration and sends the email, but DNS resolves sponsor.mycompany.com to node #2, the link errors out saying it has expired.  If it goes to node #1 it works just fine.

 

I have used this setup before many times (FQDN with multiple A records) and don't remember this issue.

 

I am going to test in my lab hopefully this week when I get time.

5 Replies

ognyan.totev
Level 5

I got the same issue in my 2-node deployment. That's why in Authorization I mark static redirection to 1 PSN, and it never sends to the second.

Static redirection is a different issue than the approval link. Static redirection to me should only be included for certain DMZ/DNS issues and perhaps poor load balancing manually. That’s a separate discussion.

Okay, I just tested this on a different customer and the approval link is not tied to a PSN (whew... I thought I was going crazy). There must be an issue with the 2nd PSN at the customer where I saw this issue.



For your reference the Approval link looks like this:


https://sponsor.mycompany.com:8445/sponsorportal/PortalSetup.action?portal=af0e2960-c324-11e8-b505-6a8ec20f675a&oneClickToken=4Hm/OR0mv3/l/xnzMs7b5g==&oneClickAction=Approve

I tested by changing the link to a PSN that didn't do the guest registration:


https://psn05.mycompany.com:8445/sponsorportal/PortalSetup.action?portal=af0e2960-c324-11e8-b505-6a8ec20f675a&oneClickToken=4Hm/OR0mv3/l/xnzMs7b5g==&oneClickAction=Approve


Everything worked just fine. The only part of the string that changes from request to request is the oneClickToken value that isn't PSN specific. I believe, Jason correct me if I am wrong, the value is the encoded AD information of the person being visited.


Paul, you're correct, the token is for the approval session authentication that includes the guest account.

Jason Kunst
Cisco Employee
Paul and I are working offline on this.
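The per-node test described in the thread (pointing the same approval link at a specific PSN) can be scripted. This is an added example, not part of the original thread and not Cisco code; the function names are hypothetical, and the link and PSN hostname are the samples quoted above. It only builds and compares links; the admin opens each one against the node under test.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the approval link as quoted in the thread.
SAMPLE_LINK = (
    "https://sponsor.mycompany.com:8445/sponsorportal/PortalSetup.action"
    "?portal=af0e2960-c324-11e8-b505-6a8ec20f675a"
    "&oneClickToken=4Hm/OR0mv3/l/xnzMs7b5g==&oneClickAction=Approve"
)

def raw_params(link):
    """Split the query by hand so the token stays exactly as emailed.
    urllib's parse_qs would decode a '+' inside a base64 token as a space."""
    pairs = (p.partition("=") for p in urlsplit(link).query.split("&") if p)
    return {key: value for key, _, value in pairs}

def per_node_links(link, psn_hosts):
    """One link per PSN: only the host changes, the query is copied byte for byte."""
    parts = urlsplit(link)
    port = f":{parts.port}" if parts.port else ""
    return {h: urlunsplit(parts._replace(netloc=h + port)) for h in psn_hosts}

def token_length(link):
    """Decoded size of oneClickToken in bytes; raises if the token was mangled
    (for example by a mail gateway that rewrote the URL)."""
    token = raw_params(link)["oneClickToken"]
    return len(base64.b64decode(token, validate=True))

def differing_parts(link_a, link_b):
    """Name the URL components and query parameters that differ between two links."""
    a, b = urlsplit(link_a), urlsplit(link_b)
    diffs = [n for n in ("scheme", "hostname", "port", "path")
             if getattr(a, n) != getattr(b, n)]
    pa, pb = raw_params(link_a), raw_params(link_b)
    diffs += sorted(k for k in pa.keys() | pb.keys() if pa.get(k) != pb.get(k))
    return diffs

if __name__ == "__main__":
    # Assumption: the list of PSN hostnames comes from your own deployment.
    for host, url in per_node_links(SAMPLE_LINK, ["psn05.mycompany.com"]).items():
        print(host, "->", url)
        print("  differs from emailed link in:", differing_parts(SAMPLE_LINK, url))
    print("token decodes to", token_length(SAMPLE_LINK), "bytes")
```

If a link works on one PSN and reports "expired" on another while `differing_parts` shows only `hostname`, the difference lies on the node, not in the link.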