
ISE Sponsor portal in distributed environment

gabrieleferrari
Level 1

Hi Guys, I've an ISE Deployment with 4 nodes

node 1 is the primary admin and secondary mnt node
node 2 is the secondary admin and primary mnt node
node 3 and 4 are PSN only nodes

We need to deploy Sponsor portal in this environment and by default ISE redirects authentication requests on node3 with a URL like: https://node3_ip:8443/sponsorportal/PortalSetup.action?portal=40963c00-2e02-11e8-ba71-005056872c7f
If I specify in the Sponsor portal configuration an FQDN the redirection is correctly done on the FQDN instead of using the IP address.
Unfortunately we receive the following error after the Sponsor authentication process (see ISE-Sponsor-Error.jpg file attached)

If I enable PSN role on node 1 and I redirect sponsor portal on that node, everything works fine.

Any suggestion?

Thanks
Gabriele

1 Accepted Solution


Damien Miller
VIP Alumni

What version of ISE is being used?  There was a bug logged for 2.4 that can result in a 400 bad request, fixed in 2.4p3+.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm17749

Are the PSNs behind any load balancers?


9 Replies

Jason Kunst
Cisco Employee
What is your FQDN?
Did you address your FQDN PSN ip addresses in DNS?
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_011100.html
Portal settings for sponsor portal

Hi Jason, my FQDN is booking.customer.com and it is present and resolvable with DNS

Thanks
Gabriele

Is the FQDN resolving to your PSN IP addresses?

ISE node 3 IP address is 10.145.0.231 and it is the address associated with the A record of booking.customer.com

Thanks
Gabriele

Damien Miller
VIP Alumni

What version of ISE is being used?  There was a bug logged for 2.4 that can result in a 400 bad request, fixed in 2.4p3+.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm17749

Are the PSNs behind any load balancers?

ISE version is 2.4 with patch 5 installed

Thanks
Gabriele


@Damien Miller wrote:

What version of ISE is being used?  There was a bug logged for 2.4 that can result in a 400 bad request, fixed in 2.4p3+.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm17749

Are the PSNs behind any load balancers?


Hi Damien,

We are currently on patch 8 and having this problem with the guest portal. Plus our PSNs are behind a load balancer. The guest portal DNS actually resolves to the VIP of the load balancer. Is it a good idea to have a load balancer for the guest portal considering this is sessionized?

I am having the same issue on a two-node deployment, 2.4 patch 9, but it can only be seen on the secondary ISE. Tried the steps below but they resulted in the same issue:

1. Promoted secondary ISE to primary.

2. Restarted the ISE application server.

Was anyone able to resolve this?

It seems this issue is persistent regardless of patch and it's tied to SSO. Once SSO is disabled, there is no 404 bad request error. In my deployment, once I enable SSO, I don't have the error, but many users get the error. I have opened a TAC case.

Load balancing or separate PSNs has nothing to do with this. My PSNs have the sponsor portal FQDN in the SAN field, so there shouldn't be a conflict from whichever PSN responds.
