
ISE 2.2 - Guest Portal error

craiglebutt
Level 4

Hi

 

ISE 2.2 patch 16.

Been having issues with the Guest portal. Because of lockdown, the guest portal isn't being used, so I'm looking at the issue.

 

4 x PSNs configured for CWA. When I click on the WLAN, the redirect comes up as not secure, even though a new certificate has been added.

So the URL should redirect to http://guestportal.external domain; one of the PSNs was pointing to http://guestportal2.external domain.

So I changed this in the authorization policy to point to the same as the others.

 

Now I'm getting 

400 Bad Request

The request is invalid due to malformed syntax or  invalid data.

Possible cause is unknown or invalid terminated Radius session ID.  Please advise System Admin

 

I've removed the device from the ENDPOINT and tried again, got the same error.

 

Any ideas?

 

cheers

1 Reply

Arne Bier
VIP

Hi @craiglebutt 

 

Do those four PSNs sit behind a load balancer? If yes, then there may be a chance that the load balancer is terminating the TCP connection for the SSL - which means you need to install the new certs in the load balancer too. I have run into this situation before on F5 LTMs.

If there is no load balancer involved, then I assume you have four AuthZ Profiles that redirect to the appropriate PSN based on the ISE Hostname? And that also means you need four DNS entries (e.g. guestportal1.somedomain and guestportal2.somedomain, etc.) where those FQDNs map to the correct IP address of the respective ISE node.

 

Ensure that DNS is not being blocked for Guests - using a Windows/Mac device, just check that you can resolve all four ISE FQDNs from the client.

 

I have a feeling that your PSN is returning the wrong URL. If you don't have a load balancer then you HAVE to make ISE "self aware" in the AuthZ Policies to return the correct URL redirect for each individual PSN. Your guest devices MUST talk to the same PSN web server (via DNS lookup from the URL) that was used during the initial MAB request (the NAS has a config that tells it which PSN it chooses as Primary, Secondary, Tertiary, etc.)
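The per-PSN redirect check described in the reply above, as an added example that is not part of the original thread: it audits whether each redirect URL resolves, from the guest's point of view, to the same PSN that handled the MAB request. All hostnames, IPs, URLs, record fields and finding names are constructed assumptions, not values from ISE or from this deployment.

```python
from urllib.parse import urlsplit

# Constructed sample data (assumptions, not taken from the thread).
# Forward DNS as a guest client sees it: portal FQDN -> IP address.
GUEST_DNS = {
    "guestportal1.example.test": "10.0.0.11",
    "guestportal2.example.test": "10.0.0.12",
    "guestportal3.example.test": "10.0.0.13",
    # guestportal4 is deliberately absent: DNS blocked or missing for guests.
}

# PSN node name -> IP address of that node's portal interface.
PSN_IP = {"psn1": "10.0.0.11", "psn2": "10.0.0.12",
          "psn3": "10.0.0.13", "psn4": "10.0.0.14"}

# One record per MAB authentication: the PSN that answered RADIUS and the
# redirect URL its authorization profile returned to the NAS.
SESSIONS = [
    {"psn": "psn1", "redirect": "https://guestportal1.example.test:8443/portal?session=S1"},
    {"psn": "psn2", "redirect": "https://guestportal1.example.test:8443/portal?session=S2"},
    {"psn": "psn3", "redirect": "http://guestportal3.example.test:8443/portal?session=S3"},
    {"psn": "psn4", "redirect": "https://guestportal4.example.test:8443/portal?session=S4"},
]


def check_session(rec, dns=GUEST_DNS, psn_ip=PSN_IP):
    """Return a list of findings for one session record (empty list = OK)."""
    findings = []
    url = urlsplit(rec["redirect"])
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append("redirect-not-https")
    resolved = dns.get(host)
    if resolved is None:
        # The guest cannot resolve the portal name at all.
        findings.append("fqdn-not-resolvable-by-guest")
    elif resolved != psn_ip.get(rec["psn"]):
        # The browser would reach a PSN that does not hold this session.
        findings.append("redirect-lands-on-different-psn")
    return findings


def audit(sessions):
    """Map each PSN name to the findings for its session record."""
    return {rec["psn"]: check_session(rec) for rec in sessions}


if __name__ == "__main__":
    for psn, findings in audit(SESSIONS).items():
        print(psn, "OK" if not findings else ", ".join(findings))
```
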
