[400] Bad request - The request is invalid due to malformed syntax or invalid data

FPL_Harte
Level 1

I have a new C9800-L-F-K9 configured for Webauth via ISE 2.4. I can authenticate, as the ISE login page is displayed and I input my creds. ISE shows the client authenticated, but on the 9800 the client is still shown in Web Auth Pending state and the post-login page fails to load. I have 100+ 5508's, 5520's, 3504's and a few other AireOS models working fine. The 9800 is running 16.12.3 and I always get the same [400] Bad Request error on multiple devices. Cleared browsing data. Tried disabling profiling with no success. I used the AireOS conversion tool to build 90% of the config. I have another 9800, same code, that I built from scratch that's working fine. Has anyone had this issue or have any reasonable suggestion?

5 Replies

Rich R
VIP
Maybe I'm stating the obvious but have you compared the config on the working one to the one that isn't working?

I have. Using the WebUI, I compared the settings on the two controllers and made the new one the same as the working one when I saw a difference. Of course the object names, policies, tags, profiles etc. generated by the conversion tool are different, but this cannot be a factor.

You should download the startup config from both and run a diff. You can also just download the backup from the working 9800 and edit that and upload that to the controller giving you issues and see what happens. I typically would write erase the 9800 first then get basic connectivity to the network where you can upload the config. You still should compare it.
-Scott
*** Please rate helpful posts ***

Have not done a diff, and will consider. The first 9800 was built from scratch as a pilot to validate that we can use these controllers in our environment. My task going forward is to identify our process to migrate a bunch of controllers. As I indicated in my initial post, the conversion tool gets me about 90% of the config (find and replace is much less error-prone than rebuilding the objects). I need to ID a fix for this [400] error so that I can finish that 10% that the conversion process is not providing.

I wish I could say definitively that I know what corrected the issue, but it looks like I had bad RADIUS servers. Below is an error that I thought the issue was tied to: "2020/07/24 17:05:09.204 {nginx_R0-0}{1}: [ngx_core] [6569]: UUID: 0, ra: 0, TID: 0 (ERR): [6576] 2020/07/24 12:05:09 [crit] 6576#0: *2079 SSL_shutdown() failed (SSL: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init) while SSL handshaking, client: 192.168.2.62, server: 0.0.0.0:443"

I bumped the code from 16.12.3 to 17.02.1 and back, but the SSL error persisted and I still could not get past the [400] error. Fishing in the dark, I decided to delete and re-create the RADIUS servers, and now I can complete the client authorization successfully. I had noticed a "Dynamic Authorization failed (No response received after sending)" record in ISE but did not pay it much attention, as we get a fair number of those. I ran an ISE authentication report for my test device for the last week and I noticed that in every instance the Dynamic Authorization was failing ONLY with this controller. I had configured two other 9800's and they both had worked fine, hence my delete and re-create of the RADIUS servers.
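
Added example, not part of the thread or anyone's actual config: since the converted controller's object names differ from the hand-built one, this sketch compares the RADIUS server and dynamic-author (CoA) sections of two IOS-XE configs keyed by server IP instead of by name. The function names `radius_view` and `compare` and both sample configs are constructed for illustration.

```python
import re

def radius_view(config):
    """Return ({server_ip: settings}, {CoA client IPs}) from an IOS-XE config."""
    servers, coa_clients, section, opts = {}, set(), None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():                 # top-level line opens a new section
            section = None
            if line.startswith("radius server "):
                section, opts = "server", set()  # object name deliberately ignored
            elif line == "aaa server radius dynamic-author":
                section = "coa"
        elif section == "server":
            m = re.match(r"address ipv4 (\S+)\s*(.*)", line)
            if m:
                servers[m.group(1)] = opts       # key the server by IP, not by name
                opts.add(m.group(2))             # auth/acct port settings
            else:                                # stored secrets differ by encoding: keep presence only
                opts.add(re.sub(r"^key .*", "key <set>", line))
        elif section == "coa":
            coa_clients.update(re.findall(r"^client (\S+)", line))
    return servers, coa_clients

def compare(reference, suspect):
    """List RADIUS/CoA differences between a known-good and a suspect config."""
    (ref, _), (sus, sus_coa) = radius_view(reference), radius_view(suspect)
    findings = []
    for ip in sorted(ref.keys() | sus.keys()):
        if ip not in ref or ip not in sus:
            findings.append(f"{ip}: defined only on {'reference' if ip in ref else 'suspect'}")
        elif ref[ip] != sus[ip]:
            findings.append(f"{ip}: settings differ: {sorted(ref[ip] ^ sus[ip])}")
        if ip in sus and ip not in sus_coa:
            findings.append(f"{ip}: no dynamic-author client entry on suspect")
    return findings

# Constructed sample configs (documentation-range IPs, dummy keys).
WORKING = """radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key 7 0000
!
aaa server radius dynamic-author
 client 192.0.2.10 server-key 7 0000
"""
CONVERTED = WORKING.replace("ISE-PSN1", "RAD_1").replace("1812", "1645").replace(
    "1813", "1646").replace("client 192.0.2.10", "client 192.0.2.99")
```

Pass it the startup configs downloaded from both controllers; shared secrets are only checked for presence, so they still need to be verified against ISE by hand.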
