Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1069
Views
0
Helpful
1
Replies

ISE 2.2 - Guest Portal error

craiglebutt
Level 4
Level 4

‎04-23-2020 05:52 AM - edited ‎07-05-2021 11:58 AM

Hi

 

ISE 2.2 patch 16.

Been having issues with Guest portal, because of lock down, the guest portal isn't being used so looking at the issue.

 

4 * PSN configured for CWA, when I click on the WLAN, the redirect comes up, not secure even though a new certificate has been added.

so the url should redirect to http://guestportal.external domain, one of the PSN was pointing to http://guestportal2.external domain.

So changed changed this in authorization policy to point to same as the others.

 

Now I'm getting 

400 Bad Request

The request is invalid due to malformed syntax or  invalid data.

Possible cause is unknown or invalid terminated Radius session ID.  Please advise System Admin

 

I've removed the device from the ENDPOINT and tried again, got the same error.

 

any ideas?

 

cheers

Labels:
0 Helpful
1 Reply 1

Arne Bier
VIP
VIP

‎05-04-2020 06:05 AM

Hi @craiglebutt 

 

Do those four PSN's sit behind a load balancer? If yes, then there may be a chance that the load balancer is terminating the TCP connection for the SSL - which means you need to install the new certs in the load balancer too. I have run into this situation before on F5 LTM's.

If there is no load balancer involved, then I assume you have four AuthZ Profiles that redirect to the appropriate PSN based on the ISE Hostname ? And that also means you need four DNS entries (e.g. guestportal1.somedomain and guestportal2.somedomain, etc.) where those FQDNs map to the correct IP address of the respective ISE node.

 

Ensure that DNS is not being blocked for Guests - using a windows/mac device, just check that you can resolve all four ISE FQDNs from the client.

 

I have a feeling that your PSN is returning the wrong URL. If you don't have a load balancer then you HAVE to make ISE "self aware" in the AuthZ Policies to return the correct URL redirect for each individual PSN. Your guest devices MUST talk to the same PSN web server (via DNS lookup from the URL) that was using during the initial MAB request (the NAS has a config that tells it which PSN it chooses as Primary, Secondary, Tertiary, etc.)  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card