400 Bad Request Error on the Cisco ISE 2.3 Guest Portal

I had to deal with an issue with a wireless network guest portal for a customer recently that had me and TAC stumped for a month. The splash page seemed to load fully, but there was always a small spinning circle in the center suggesting something on the page didn’t quite finish loading. It resulted in end-users seeing an intermittent but frequent error when they connected to the guest wireless getting the redirect URL to the guest portal page on Cisco Identity Services Engine 2.3. The error was

400

[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data

and here’s what I did to troubleshoot and eventually fix it.

The platform was Cisco ISE 2.3 with no patches, and the wireless controller was an HA pair of Cisco 5508s. All APs were Flexconnect, but there was no issue with the redirect URL and actually getting the guest login page. In fact, when the error didn’t occur, no one had an issue completing the self registration form and signing into the guest wireless.

What we found with about a month of testing on and off is that when a client connected to the guest portal, sometimes it would display the portal page for a few seconds and then automatically fail and display the error.

Sometimes, the symptom was that an end-user would get the splash page, but instead of failing on its own, it would fail only after the user attempted to enter information into the fields. At that point, it would fail and display the 400 Bad Request message. Interestingly, if an end-user hit the back button on their browser after getting the 400 message, the guest portal would fully load, and the person could successfully complete the form and access the guest wireless network.

Two TAC calls proved fruitless, but they did give me several troubleshooting steps:

  1. Re-create the portal (which I already did on my own prior to calling TAC)
  2. Use a different identity store sequence for the portal (apparently there is a bug related to the identity store sequence)
  3. Update ISE to the latest patch
  4. Re-install the whole ISE cluster and try again

Prior to calling TAC I already created a new portal, but it was a duplicate of the one giving problems. After speaking with TAC I decided to re-create everything manually and not simply duplicate it. By “everything” I mean all the policies, components, and the portal. This didn’t work for me, but I understand it has for some people experiencing this same issue.

The second thing I did was create a new identity store sequence and tie it to the original portal. This also didn’t work for me, but from what TAC explained, this has worked for some people with this issue, so it was worth a try.

I planned to upgrade to the latest patch, but I learned that some people started getting the issue only after upgrading, so instead of trying that I created the entire environment as best I could in my home lab to test. I never got the 400 Bad Request error in my lab though – not once. When speaking to my customer, one of the engineers on their team realized that the only major difference between my testing environment and their production environment (from a policy and flow standpoint) was the fact that I didn’t upload their company logos to my test guest portal. They, of course, had custom logos for their company uploaded and in use.

I removed the logos and banner image from the portal customization page, and the error immediately stopped occurring.

My customer continued testing on their own at several other times that day to make sure (using a variety of devices), and they never saw the error again.

Apparently, there was something in those image files – maybe in just one of them or maybe in all of them – that ISE could not send properly resulting in some malformed information a client couldn’t work with resulting in the 400 Bad Request error.

My customer is content that we found the issue and will figure something out with the logos, but thankfully they consider that much less important than the portal itself working properly.

I wrote this post because I saw very little written about it online, and what I did find was only somewhat related. If you experience this same issue with your guest portal page, give those few troubleshooting steps a shot, and try removing the image files.

Thanks,

Phil

3 thoughts on “400 Bad Request Error on the Cisco ISE 2.3 Guest Portal”

  1. ISE 2.3 single SSID BYOD w/ “allow network access” giving “400 bad request”
    CSCvg48447
    Description
    Symptom:
    ‘400 bad request’ error seen during BYOD flow using following settings:

    ISE2.3 configured to ‘allow network access’ without CP policies
    single SSID BYOD

    User gets BYOD page, register device, however is not able to finish the flow due to the error. However, endpoint is being placed in the BYOD group and on next login, user has full access even though user hasn’t finished the flow.

    This flow works fine with ISE2.2.

    Also, CWA flow with BYOD works fine.

    Conditions:
    ISE2.3 configured to ‘allow network access’ without CP policies
    single SSID BYOD
    After successful device configuration take employee to: URL is configured

    Workaround:
    1. use guest portal with BYOD settings
    2. use redirect to success page on portal instead
