
Issue with Guest users - [400] BAD REQUEST

ciscokapajoeen
Level 1

 

 

We are using a C9800 in a foreign and anchor setup with guests authorised by Cisco ISE.

As of yesterday, users have a hard time connecting to the guest SSID. They receive various errors:

- impossible to connect to the SSID

- [400] BAD REQUEST

- some do not even show anything

The strange thing is that I do not see anything on the ISE log.

 

 

 

7 Replies

The best way to troubleshoot is to get RadioActive Traces for a given client MAC address.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213949-wireless-debugging-and-log-collection-on.html 


 

HTH

Rasika

 

 

ajc
Level 7

I was testing the Guest SSID yesterday and I got the exact 400 BAD REQUEST message, and I immediately realized that the WLC URL Redirect was not using the correct URL from the ISE Guest Portal. Once I copied the URL from the ISE Guest Portal into the WLC config, everything worked immediately. Are you using CWA or LWA? Are you using an F5 LB for your ISE PSNs? You would not see any ISE hit if there is wrong DNS resolution for the URL redirect, for either CWA or LWA.

 

 

romervalera
Level 1

I have the same problem, but I have two Service Nodes.

 
 

If I remove the second node from the WLC configuration it works!

I need this redundancy for high availability reasons. Is there any way to fix it?

 
 

 

 

Hi Romer, from my previous reply, I was using LWA for Guest SSID Authentication, which is not sessionized. That's why it worked even with my F5 LB in place for multiple PSNs. I moved to CWA and now I am facing the same issue as you. Only 1 PSN/RADIUS entry in the WLC for authentication is allowed, otherwise you will get the 400 error because your 2nd authentication request for CWA is hitting another PSN where the session ID does not exist. I am checking the F5 ISE configuration document with Load Balancer F5 in place to see if I can make CWA work. I will keep you informed.
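
The failure described in the reply above (the second CWA authentication reaching a PSN that never saw the session ID) can be checked for in authentication records. This is an added example, not part of the original post and not Cisco's code; the CSV columns, step names and host names are constructed for illustration.

```python
import csv
from io import StringIO

# Constructed sample: one row per RADIUS authentication a PSN handled.
# The columns and values are invented here; this is not an ISE export format.
SAMPLE_LOG = """\
time,client_mac,session_id,psn,step
10:00:01,aa:bb:cc:00:00:01,0A0A0A0A0000001A,psn1.example.test,mab_redirect
10:00:40,aa:bb:cc:00:00:01,0A0A0A0A0000001A,psn1.example.test,reauth
10:02:10,aa:bb:cc:00:00:02,0A0A0A0A0000001B,psn1.example.test,mab_redirect
10:02:55,aa:bb:cc:00:00:02,0A0A0A0A0000001B,psn2.example.test,reauth
10:05:30,aa:bb:cc:00:00:03,0A0A0A0A0000001C,psn2.example.test,mab_redirect
"""


def find_split_sessions(log_text):
    """Return re-auths that reached a PSN other than the one that created
    the session (and issued the redirect) during the initial MAB step."""
    rows = list(csv.DictReader(StringIO(log_text)))

    # Pass 1: the PSN that answered the first authentication owns the session.
    owner = {}
    for row in rows:
        if row["step"] == "mab_redirect":
            owner.setdefault(row["session_id"], row["psn"])

    # Pass 2: a re-auth must land on the owning PSN; anything else is a split.
    split = []
    for row in rows:
        if row["step"] != "reauth":
            continue
        first_psn = owner.get(row["session_id"])  # None: redirect row not in log
        if first_psn != row["psn"]:
            split.append({
                "client_mac": row["client_mac"],
                "session_id": row["session_id"],
                "redirect_psn": first_psn,
                "reauth_psn": row["psn"],
            })
    return split


if __name__ == "__main__":
    for hit in find_split_sessions(SAMPLE_LOG):
        print("session split across PSNs:", hit)
```
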

romervalera
Level 1

OK, if you find something, let me know. I'll be very grateful.

Arshad Safrulla
VIP Alumni

Are you using CWA or LWA? Also share the Web Auth redirect ACL. Remember that for the redirection ACL, the deny action means deny redirection (not deny traffic), and the permit action means permit redirection.

 

Also share the IOS-XE code and the AP models.

 

romervalera
Level 1

Hello Arshadsaf, sorry for the delay. Our ACL is correct; I followed the recommended steps. All the APs are LWA and we have multiple models. I also have two controllers with different versions (both are listed in the compatibility matrix): 8.5.161.11 (AIR-CT3504-K9) and 8.5.161.0 (AIR-CT5508-K9).

The APs:

AIR-AP1815I-A-K9

AIR-AP1832I-A-K9

AIR-CAP1702I-A-K9

AIR-CAP2602E-A-K9

AIR-AP1852I-A-K9

AIR-AP1542I-A-K9

AIR-CAP1532E-A-K9

AIR-AP1542I-A-K9

 

All of them are in the compatibility matrix too, and have the irregular behavior.

 
