07-16-2020 08:51 AM - edited 07-05-2021 12:17 PM
I have a new C9800-L-F-K9 configured for Webauth via ISE 2.4. I can authenticate, as the ISE login page is displayed and I input my creds. ISE shows the client authenticated, but on the 9800 the client is still shown in Web Auth Pending state and the post-login page fails to load. I have 100+ 5508s, 5520s, 3504s and a few other AireOS models working fine. The 9800 is running 16.12.3 and I always get the same [400] Bad Request error on multiple devices. Cleared browsing data. Tried disabling profiling with no success. I used the AireOS conversion tool to build 90% of the config. I have another 9800, same code, that I built from scratch that's working fine. Has anyone had this issue or have any reasonable suggestion?
07-17-2020 06:24 AM
07-17-2020 07:18 AM
07-17-2020 08:57 AM
07-17-2020 10:52 AM
Have not done a diff, and will consider. The first 9800 was built from scratch as a pilot to validate that we can use these controllers in our environment. My task going forward is to identify our process to migrate a bunch of controllers. As I indicated in my initial post, the conversion tool gets me about 90% of the config (find and replace is much less error-prone than rebuilding the objects). I need to ID a fix for this [400] error so that I can finish that 10% that the conversion process is not providing.
07-24-2020 10:59 AM
I wish I could say definitively that I know what corrected the issue, but it looks like I had bad RADIUS servers. The below is an error that I thought the issue was tied to: "2020/07/24 17:05:09.204 {nginx_R0-0}{1}: [ngx_core] [6569]: UUID: 0, ra: 0, TID: 0 (ERR): [6576] 2020/07/24 12:05:09 [crit] 6576#0: *2079 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: 192.168.2.62, server: 0.0.0.0:443"
I bumped the code from 16.12.3 to 17.02.1 and back, but the SSL error persisted and I still could not get past the [400] error. Fishing in the dark, I decided to delete and re-create the RADIUS servers, and now I can complete the client authorization successfully. I had noticed a Dynamic Authorization failed (No response received after sending) record in ISE but did not pay it much attention, as we get a fair number of those. I ran an ISE authentication report for my test device for the last week and I noticed that in every instance the Dynamic Authorization was failing ONLY with this controller. I had configured two other 9800s and they both had worked fine, hence my delete and re-create of the RADIUS servers.
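The check described in the last post (Dynamic Authorization failing on every attempt for one controller only) can be scripted over an exported report. This is an added example, not part of the original thread; the sample rows are constructed, and the column names and controller names are hypothetical, not the format of a real ISE export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names and NAS names are hypothetical;
# adapt them to the columns of the report you actually export.
SAMPLE_REPORT = """\
timestamp,nas_name,event,status
2020-07-18T09:01:10,wlc-5520-a,Authentication,succeeded
2020-07-18T09:01:12,wlc-5520-a,Dynamic Authorization,succeeded
2020-07-19T10:15:40,wlc-5520-a,Dynamic Authorization,failed
2020-07-20T11:02:03,wlc-5520-a,Dynamic Authorization,succeeded
2020-07-20T13:30:00,wlc-9800-b,Dynamic Authorization,succeeded
2020-07-21T08:44:19,wlc-9800-b,Dynamic Authorization,succeeded
2020-07-22T16:05:51,wlc-9800-b,Dynamic Authorization,succeeded
2020-07-20T14:00:01,wlc-9800-new,Authentication,succeeded
2020-07-20T14:00:03,wlc-9800-new,Dynamic Authorization,failed
2020-07-21T09:12:30,wlc-9800-new,Dynamic Authorization,failed
2020-07-22T10:40:07,wlc-9800-new,Dynamic Authorization,failed
2020-07-23T15:22:48,wlc-9800-new,Dynamic Authorization,failed
"""

def coa_failures_by_nas(report_text):
    """Return {nas_name: (failed, total)} for Dynamic Authorization rows."""
    counts = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["event"].strip() != "Dynamic Authorization":
            continue  # authentications are not CoA attempts
        entry = counts[row["nas_name"].strip()]
        entry[1] += 1
        if row["status"].strip().lower() == "failed":
            entry[0] += 1
    return {nas: (failed, total) for nas, (failed, total) in counts.items()}

def always_failing(stats, min_events=3):
    """NAS devices where every CoA attempt failed, given enough samples.

    Occasional failures are ignored; a device that never succeeds is the
    signal that its RADIUS/CoA configuration deserves a closer look.
    """
    return sorted(nas for nas, (failed, total) in stats.items()
                  if total >= min_events and failed == total)

if __name__ == "__main__":
    stats = coa_failures_by_nas(SAMPLE_REPORT)
    for nas, (failed, total) in sorted(stats.items()):
        print(f"{nas}: {failed}/{total} Dynamic Authorization attempts failed")
    print("always failing:", always_failing(stats))
```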