
ISE 2.2 - Guest Portal error

craiglebutt
Enthusiast

Hi

 

ISE 2.2 patch 16.

Been having issues with Guest portal, because of lock down, the guest portal isn't being used so looking at the issue.

 

4 * PSN configured for CWA, when I click on the WLAN, the redirect comes up, not secure even though a new certificate has been added.

So the URL should redirect to http://guestportal.external domain; one of the PSNs was pointing to http://guestportal2.external domain.

So I changed this in the authorization policy to point to the same as the others.

 

Now I'm getting 

400 Bad Request

The request is invalid due to malformed syntax or  invalid data.

Possible cause is unknown or invalid terminated Radius session ID.  Please advise System Admin

 

I've removed the device from the ENDPOINT and tried again, got the same error.

 

any ideas?

 

cheers

1 Reply

Arne Bier
VIP Advisor

Hi @craiglebutt 

 

Do those four PSNs sit behind a load balancer? If yes, then there may be a chance that the load balancer is terminating the TCP connection for the SSL - which means you need to install the new certs in the load balancer too. I have run into this situation before on F5 LTMs.

If there is no load balancer involved, then I assume you have four AuthZ Profiles that redirect to the appropriate PSN based on the ISE Hostname? And that also means you need four DNS entries (e.g. guestportal1.somedomain and guestportal2.somedomain, etc.) where those FQDNs map to the correct IP address of the respective ISE node.

 

Ensure that DNS is not being blocked for Guests - using a Windows/Mac device, just check that you can resolve all four ISE FQDNs from the client.

 

I have a feeling that your PSN is returning the wrong URL. If you don't have a load balancer then you HAVE to make ISE "self aware" in the AuthZ Policies to return the correct URL redirect for each individual PSN. Your guest devices MUST talk to the same PSN web server (via DNS lookup from the URL) that was used during the initial MAB request (the NAS has a config that tells it which PSN it chooses as Primary, Secondary, Tertiary, etc.).
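
The check described in the reply above can be scripted. This is an added example, not part of either post and not Cisco code: it takes the redirect URL seen on the guest device and the PSN the NAS used for the MAB request, and reports why the portal would not find the session. The hostnames, IP addresses, the `sessionId` query parameter layout and the helper names are assumptions constructed for illustration.

```python
# Added example: constructed hostnames, IPs and URL; not taken from the thread.
import socket
from urllib.parse import urlsplit, parse_qs

def resolve(host):
    """Return the set of IPv4 addresses the client's DNS gives for host."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def check_redirect(url, session_psn_ip, resolver=resolve):
    """Compare the redirect target with the PSN that owns the RADIUS session.

    url            -- redirect URL as seen in the guest's browser
    session_psn_ip -- PSN the NAS sent the MAB request to (from NAS config or logs)
    Returns a list of findings; an empty list means the redirect is consistent.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("redirect is not HTTPS")
    if not parse_qs(parts.query).get("sessionId"):
        findings.append("no sessionId in URL, portal cannot match a RADIUS session")
    host = parts.hostname or ""
    ips = resolver(host)
    if not ips:
        findings.append(f"{host} does not resolve from this client (guest DNS blocked?)")
    elif session_psn_ip not in ips:
        findings.append(f"{host} resolves to {sorted(ips)}, not the session's PSN "
                        f"{session_psn_ip}: that node has no such session ID")
    elif len(ips) > 1:
        findings.append(f"{host} resolves to several PSNs {sorted(ips)}; "
                        "client may land on a node without the session")
    return findings

if __name__ == "__main__":
    # Constructed DNS view standing in for the guest VLAN's resolver.
    fake_dns = {"guestportal1.example.test": {"192.0.2.11"},
                "guestportal2.example.test": {"192.0.2.12"}}
    url = ("https://guestportal1.example.test:8443/portal/gateway"
           "?sessionId=0a000001000000125e9f0000&action=cwa")
    for ip in ("192.0.2.11", "192.0.2.12"):
        print(ip, check_redirect(url, ip, lambda h: fake_dns.get(h, set())) or "OK")
```

Run from a device on the guest network without the `resolver` argument, it uses the client's real DNS, which also covers the "is DNS blocked for guests" check.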
