Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
17114
Views
5
Helpful
4
Replies

[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data.

moosas001
Level 1
Level 1

‎05-16-2016 03:16 AM - edited ‎03-10-2019 11:46 PM

Hi,

Cisco ise giving the following error when users are trying to connect guest portal page 

"Possible cause is unknown, invalid, or terminated RADIUS session ID. Please advise the System Admin to consult the logs and ensure that the RADIUS session was not generated by a different PSN or due to a deny access policy match ."

Cisco Identity Services Engine
---------------------------------------------
Version : 2.0.0.306

Engine patch version 3.0 

How to solve this issue 

Thanks 

7 people had this problem
Labels:
Preview file
71 KB
4 Replies 4

Jeff Okragly
Level 1
Level 1

‎08-01-2016 07:22 AM

I am experiencing the exact same error.  I am running the same Version and HF as well.  Did you ever find a solution to this?  Looking to something to track down and the Live Radius Logs are showing it.

0 Helpful

James Johnston
Level 1
Level 1
In response to Jeff Okragly

‎08-01-2016 07:57 AM

Not sure if this will help...

We were having the same issue when guest users were redirected to the quest portal.  What was happening in our environment was that we implemented a wildcard SSL certificate so that user's wouldn't get the "unsecure connection" warning when they were presented with our internal CA certificates.

In order to do this, we had to change the URL presented to users; which was different than the FQDN of the ISE hosts (2 different domains).  At first we were doing Round Robin DNS to perform this.

This was our issue.  Upon the guest user's first connection to the open SSID, the WLC and ISE would talk between each other (WLC <--> PSN 1).  However, when user's were authorized and redirected to the portal it would be a different node (User <--> PSN 3).  This meant the session IDs were different and thus user's would get that error.

This is what TAC had us perform to fix the issue:

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117620-configure-ISE-00.html

The only down side is that the PSNs aren't really "load balanced" all clients will be directed to a single PSN until that PSN goes down.  Then all requests will go to the next PSN in the cluster.

Hope that helps.

0 Helpful

Jeff Okragly
Level 1
Level 1
In response to James Johnston

‎08-01-2016 11:20 AM

This is interesting.  I to have a public wildcard SSL Cert applied so that users don't get the cert error page.  However I am not load balancing via DNS, I am simply calling the hostname.

xxx@123.com and yyy@123.com

My WLC SSID is set to use authentication and accounting of PSN1 and PSN2 is slotted as backup just how my deployment is on my ISE Nodes as well.  I am hoping all traffic is hitting just one of the PSN and the other is just idol stanby.

0 Helpful

James Johnston
Level 1
Level 1
In response to Jeff Okragly

‎08-01-2016 04:08 PM

Your issue may be different than mine; but one thing you may try is shutting down your second PSN and taking it out of the WLC.  Then maybe have users try authenticating?

We just implemented ISE in our environment with the help of an IT consultant.  So not sure what else could be going on.

0 Helpful
Customers Also Viewed These Support Documents