Comments on: 400 Bad Request Error on the Cisco ISE 2.3 Guest Portal

By: The ISE King

The ISE King — Wed, 14 Aug 2019 20:25:37 +0000

Hi,

I would like to point out that this solution makes no sense and is a false positive. I will explain why. Every time a redirect URL is generated ISE also generates a token for that redirection. This token is tied to the client’s browser session. If there is a hiccup during this transaction and the client’s browser session is no longer tied to the token in ISE’s redirect URL response it’s a ‘bad request’ to the web server. This throws the 400 error.

The following common causes to the 400 error are:
Load balancing between PSNs incorrectly
DNS load balancing behind a single statically configured Guest Portal FQDN
Local profiling on the WLC enabled may sometimes cause a sporadic CoA, hence re-authing the session in the middle of the redirect flow and causing the 400 error.

LikeLike

By: Harald

Harald — Wed, 10 Apr 2019 14:58:55 +0000

Hi,

I have also the Problems. I download the logos and make it back… It solve problem for some days. After again Customer has Bad request and I use ISE 2.4 Patch 6 😦

Regards,
Harald

LikeLike

By: Eric

Eric — Fri, 04 Jan 2019 17:40:53 +0000

I had the same issue and this workaround fixed it.. but I think I found the root cause (at least for us)
In the Auth Policy we have it redirect to the domain ise.companydomain.com. that domain resolves with two A records for the two node cluster. when clients would get redirected to the second node, this error would appear, but would work on the first node just fine. I’m guessing the logos on the second node are the problem in some manner and removing them fixes the issue. but if I redirect them to just the main node either by going directly to its hostname or removing the second DNS A record entry it works fine. Only problem with that is you loose redundancy.. so for now.. removing the logos is our fix. Thanks for the article!

LikeLike

By: Salman Anwar

Salman Anwar — Mon, 10 Dec 2018 09:20:43 +0000

great help mate, i am experiencing the same problem and am confused.
Will check the logos

LikeLike

By: donghowa

donghowa — Tue, 11 Sep 2018 01:21:50 +0000

ISE 2.3 single SSID BYOD w/ “allow network access” giving “400 bad request”
CSCvg48447
Description
Symptom:
‘400 bad request’ error seen during BYOD flow using following settings:

ISE2.3 configured to ‘allow network access’ without CP policies
single SSID BYOD

User gets BYOD page, register device, however is not able to finish the flow due to the error. However, endpoint is being placed in the BYOD group and on next login, user has full access even though user hasn’t finished the flow.

This flow works fine with ISE2.2.

Also, CWA flow with BYOD works fine.

Conditions:
ISE2.3 configured to ‘allow network access’ without CP policies
single SSID BYOD
After successful device configuration take employee to: URL is configured

Workaround:
1. use guest portal with BYOD settings
2. use redirect to success page on portal instead

LikeLike

By: Michael Selmer Bartholomæussen

Michael Selmer Bartholomæussen — Sun, 09 Sep 2018 09:16:17 +0000

Great post – I love to hear when people share their troubles 🙂

LikeLike

By: donghowa

donghowa — Fri, 07 Sep 2018 07:59:37 +0000

Thank you =)
i had same problem, but after i changed the logos, its okay now.

LikeLiked by 1 person