Was scratching my head over this as the bug says to disable Accounting on the internal WLC but it should be fine leaving it on the foreign anchor.
Disabled the Foreign Anchor accounting and bam it just started working.
Our setup is as the following:
Local WLC on location (3650 ios-xe with 3.6.5) with guest wlan anchored up to a 5508 (8.3.102) located offsite. Cisco ISE runs 2.1 patch 3.
Windows and mobile clients get the CWA with no errors and can authenticate to the guest network. But the Mac OSX (MacBook) users often get "400 Bad Request" when they are redirected to the CWA on ISE.
On our guest anchor the checkbox is checked but no servers are defined since we don't have any here. On the local WLC we use accounting-list. So we have to remove the checkbox on the anchor SSID although there are no servers listed?
As there are multiple bugs with IE, try with other browsers (Firefox with Java applet), and if not resolved contact TAC to resolve the issue.
Do you have any admin Access Restrictions enabled on your ISE node? If so, please check from which IP address you are accessing the ISE GUI.
If you have no such ISE restrictions, please check with the showtech file and see if your NICs are having the correct IP address and are not swapped.
If you are not having any issues with the above checks, then I would suggest to open a TAC case immediately.
I'm afraid this is not related to ISE GUI access. You see, the end user NAC agent is not popping up even if you wait. When checking further for troubleshooting I saw the above captured URL on the switch (this is the agent provisioning URL redirect policy returned from ISE for clients posturing); the correct URL should be the posturing URL, not this error page.
This issue happens when restarting the client PC. However, if you clear the authentication session manually on the switch, it successfully completes client posturing. However, after the next log off or restart the problem re-appears.
I think that I have the same issue here. Just upgraded to 1.3, we use a WLC redirect for CWA (self service guest). It appears to happen only a very small percentage of the time. I have checked and double checked my DNS configuration.
I have a case open with TAC. Just sent over debug logs. I took a peek and the guest log has the error "exception while handling page error: portalSessionId is null or empty", which may or may not be related.
Hopefully TAC has some answers but my guess is that 1.3 patches will resolve this.
I can't say I didn't know what I was getting into moving to 1.3 :]
Change the DNS entries to point to the PSN.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
I faced the same problem on multiple PCs during deployment on fresh install 1.3. Bug CSCur94336. The trigger might not be the same, but maybe you are going through the same issue.
Primary issue is that when the ISE sends a redirect, there is a session id assigned to it. Both switch and ISE are aware of it during the policy enforcement duration (redirect duration). For some reason I guess the switch or ISE was deleting the session id. So the ISE returns the error saying it isn't aware of the session. With what I read on this thread so far, it didn't look like a configuration issue to me. But I think experts can throw more light on this.
Patch for this will be released in January.
Actually the bug was raised after we opened the case with Cisco TAC and they decided to release patches for 1.2 (already released) and 1.3, which will be released soon. However, we are working normally on 1.2.1, so you can try it if you have urgent issues now.
Hi, I think I have a similar or maybe the very same issue. However, it applies to wireless and to guest / onboarding services only.
We do not do any posturing, but we get similar internal errors when redirected to the guest portal. Sometimes it also shows errors about unknown radius session.
TAC ticket regarding the issue is open, but we did not yet get a final analysis. This is a multiple WLC deployment using anchors for guest services. It seems that the choice of WLC in the mobility group/anchor to which the access point is actually registered somehow affects the frequency of this error but we are not sure about it.
I understand from the other posts that it is clear that this is an issue with 1.3 and latest 1.2 releases and not a Radius authenticator issue, right? (which would be helpful in our situation since we can update ISE easier than WLC).