12-03-2020 07:05 AM - edited 07-05-2021 12:51 PM
We are using c9800 in foreign and anchor setup with guest authorised by Cisco ISE.
As of yesterday, users have hard time connecting to guest ssid. they receive various errors
- impossible to connect to the SSID
- [400] BAD REQUEST
- even some do not show any thing
The strange thing is that, I do not see anything one the ISE og
12-03-2020 07:52 PM
The best way to troubleshoot is to get RadioAcitve Traces for a given client MAC address
HTH
Rasika
12-04-2020 08:32 AM
I was testing Guest SSID yesterday and I got the exact 400 BAD REQUEST message and I immediately realized that the WLC URL Redirect was not using the correct URL from the ISE Guest Portal. Once I copied the URL from the ISE Guest Portal into the WLC config, everything worked immediately. Are you using CWA or LWA?. Are you F5 LB your ISE PSN's?. You would not see any ISE hit if there is wrong DNS resolution for the URL redirect for whatever CWA or LWA.
08-02-2021 01:36 PM
I have the same problem, but i have two Service Nodes
If i remove the second node from the WLC configuration it works!
I need this redundancy for high avalibility reason, is there any way to fix it?
08-04-2021 11:53 AM
Hi Romer, From my previous reply, I was using LWA for Guest SSID Authentication which is not sessionized. That's why it worked even with my F5 LB in place for multiple PSN's. I moved to CWA and now I am facing the same issue as you. Only 1 PSN/Radius entry in the WLC for authentication is allowed otherwise you will get the 400 error because your 2nd authentication request for CWA is hitting another PSN where the session ID does not exist. I am checking the F5 ISE configuration document with Load Balancer F5 in place to see if I can make it work CWA. I will keep you informed.
08-05-2021 12:28 PM
ok, if you find something let me know. I'll be very greatful
08-06-2021 01:07 PM
Are you using CWA or LWA, also share the Web Auth redirect ACL, remember for the redirection ACL deny action is deny redirection (not deny traffic), and permit action as permit redirection.
Also share the IOS-XE code and the AP models.
08-10-2021 06:49 PM
Hello Arshadsaf , sorry for the delay. Our ACL is correct, i followed de recommended steps. All the APs are LWA and we have ultiple models, i have two controllers too with differents version (both are listed in the compatibility matrix) 8.5.161.11 (AIR-CT3504-K9) and 8.5.161.0 (AIR-CT5508-K9).
The APs:
AIR-AP1815I-A-K9
AIR-AP1832I-A-K9
AIR-CAP1702I-A-K9
AIR-CAP2602E-A-K9
AIR-AP1852I-A-K9
AIR-AP1542I-A-K9
AIR-CAP1532E-A-K9
AIR-AP1542I-A-K9
All of then are in the compatibility matrix too, and have the irregular behavior.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide