400 Bad Request Error on the Cisco ISE 2.3 Guest Portal

I had to deal with an issue with a wireless network guest portal for a customer recently that had me and TAC stumped for a month. The splash page seemed to load fully, but there was always a small spinning circle in the center suggesting something on the page didn’t quite finish loading. End users saw an intermittent but frequent error when they connected to the guest wireless and were redirected to the guest portal page on Cisco Identity Services Engine 2.3. The error was

400

[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data

and here’s what I did to troubleshoot and eventually fix it.

The platform was Cisco ISE 2.3 with no patches, and the wireless controller was an HA pair of Cisco 5508s. All APs were FlexConnect, but there was no issue with the redirect URL or with actually getting the guest login page. In fact, when the error didn’t occur, no one had an issue completing the self-registration form and signing into the guest wireless.

What we found with about a month of testing on and off is that when a client connected to the guest portal, sometimes it would display the portal page for a few seconds and then automatically fail and display the error.

Sometimes, the symptom was that an end-user would get the splash page, but instead of failing on its own, it would fail only after the user attempted to enter information into the fields. At that point, it would fail and display the 400 Bad Request message. Interestingly, if an end-user hit the back button on their browser after getting the 400 message, the guest portal would fully load, and the person could successfully complete the form and access the guest wireless network.

Two TAC calls proved fruitless, but they did give me several troubleshooting steps:

  1. Re-create the portal (which I already did on my own prior to calling TAC)
  2. Use a different identity store sequence for the portal (apparently there is a bug related to the identity store sequence)
  3. Update ISE to the latest patch
  4. Re-install the whole ISE cluster and try again

Prior to calling TAC I already created a new portal, but it was a duplicate of the one giving problems. After speaking with TAC I decided to re-create everything manually and not simply duplicate it. By “everything” I mean all the policies, components, and the portal. This didn’t work for me, but I understand it has for some people experiencing this same issue.

The second thing I did was create a new identity store sequence and tie it to the original portal. This also didn’t work for me, but from what TAC explained, this has worked for some people with this issue, so it was worth a try.

I planned to upgrade to the latest patch, but I learned that some people started getting the issue only after upgrading, so instead of trying that I created the entire environment as best I could in my home lab to test. I never got the 400 Bad Request error in my lab though – not once. When speaking to my customer, one of the engineers on their team realized that the only major difference between my testing environment and their production environment (from a policy and flow standpoint) was the fact that I didn’t upload their company logos to my test guest portal. They, of course, had custom logos for their company uploaded and in use.

I removed the logos and banner image from the portal customization page, and the error immediately stopped occurring.


My customer continued testing on their own at several other times that day to make sure (using a variety of devices), and they never saw the error again.

Apparently, there was something in those image files – maybe in just one of them or maybe in all of them – that ISE could not send properly. The result was malformed data the client couldn’t work with, which produced the 400 Bad Request error.

My customer is content that we found the issue and will figure something out with the logos, but thankfully they consider that much less important than the portal itself working properly.

I wrote this post because I saw very little written about it online, and what I did find was only somewhat related. If you experience this same issue with your guest portal page, give those few troubleshooting steps a shot, and try removing the image files.

Thanks,

Phil

7 thoughts on “400 Bad Request Error on the Cisco ISE 2.3 Guest Portal”

  1. Hi,

    I would like to point out that this solution makes no sense and is a false positive. I will explain why. Every time a redirect URL is generated ISE also generates a token for that redirection. This token is tied to the client’s browser session. If there is a hiccup during this transaction and the client’s browser session is no longer tied to the token in ISE’s redirect URL response it’s a ‘bad request’ to the web server. This throws the 400 error.

    The following are common causes of the 400 error:
    Load balancing between PSNs incorrectly
    DNS load balancing behind a single statically configured Guest Portal FQDN
    Local profiling on the WLC enabled may sometimes cause a sporadic CoA, hence re-authing the session in the middle of the redirect flow and causing the 400 error.


  2. Hi,

    I also have the problem. I downloaded the logos and made it back… It solved the problem for some days. Afterwards the customer had Bad Request again, and I use ISE 2.4 Patch 6 😦

    Regards,
    Harald


  3. I had the same issue and this workaround fixed it, but I think I found the root cause (at least for us).
    In the Auth Policy we have it redirect to the domain ise.companydomain.com. That domain resolves with two A records for the two-node cluster. When clients would get redirected to the second node, this error would appear, but it would work on the first node just fine. I’m guessing the logos on the second node are the problem in some manner and removing them fixes the issue. But if I redirect them to just the main node, either by going directly to its hostname or by removing the second DNS A record entry, it works fine. The only problem with that is you lose redundancy, so for now removing the logos is our fix. Thanks for the article!


  4. ISE 2.3 single SSID BYOD w/ “allow network access” giving “400 bad request”
    CSCvg48447
    Description
    Symptom:
    ‘400 bad request’ error seen during BYOD flow using following settings:

    ISE2.3 configured to ‘allow network access’ without CP policies
    single SSID BYOD

    User gets the BYOD page and registers the device, however is not able to finish the flow due to the error. However, the endpoint is being placed in the BYOD group, and on next login the user has full access even though the user hasn’t finished the flow.

    This flow works fine with ISE2.2.

    Also, CWA flow with BYOD works fine.

    Conditions:
    ISE2.3 configured to ‘allow network access’ without CP policies
    single SSID BYOD
    After successful device configuration take employee to: URL is configured

    Workaround:
    1. use guest portal with BYOD settings
    2. use redirect to success page on portal instead

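As an added example (not code from the post, from Cisco, or from any commenter), the following Python check applies the mechanism described in comment 1 and the DNS condition found in comment 3: the redirect token is bound to the PSN that issued it, so a portal FQDN that resolves to more than one PSN address can send the client, and its token, to a node that did not issue it. The script parses a captured redirect URL, resolves the portal host and reports that condition. The redirect URL shape, the hostnames, the addresses and the parameter names are constructed assumptions for illustration; pass `dns=None` to use the real system resolver.

```python
"""Diagnose an ISE guest-portal redirect URL for DNS round-robin across PSNs.

Added example, not Cisco's or the blog author's code. The mechanism it
checks is the one described in the comments: the token in the redirect URL
is bound to the PSN that issued it, so if the portal FQDN resolves to
several PSN addresses the client may present the token to a different
node and receive 400 Bad Request.
"""
from urllib.parse import urlparse, parse_qs
import socket

# Constructed sample redirect URL in the general shape of an ISE CWA
# redirect (hostname, port, portal id, session id and token are made up).
SAMPLE_REDIRECT = (
    "https://ise.companydomain.com:8443/portal/gateway"
    "?sessionId=0a0a0a0b0000001234abcdef"
    "&portal=00000000-0000-0000-0000-000000000000"
    "&action=cwa&token=5f2c1d9e8b7a6c5d4e3f2a1b0c9d8e7f"
)

# Constructed DNS view matching comment 3: the shared portal FQDN has two
# A records (one per PSN), while each PSN's own hostname has exactly one.
SAMPLE_DNS = {
    "ise.companydomain.com": ["10.0.0.11", "10.0.0.12"],
    "ise-psn1.companydomain.com": ["10.0.0.11"],
    "ise-psn2.companydomain.com": ["10.0.0.12"],
}


def resolve_a(host, dns=None):
    """Return the sorted IPv4 addresses for host.

    When a constructed table is given it is used (offline); otherwise the
    system resolver is queried via socket.getaddrinfo.
    """
    if dns is not None:
        return sorted(dns.get(host, []))
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def parse_redirect(url):
    """Pull the host, port and the session-binding parameters out of the URL."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    first = lambda key: qs.get(key, [None])[0]
    return {
        "host": parsed.hostname,
        "port": parsed.port,
        "session_id": first("sessionId"),
        "token": first("token"),
        "action": first("action"),
    }


def check_redirect(url, dns=None):
    """Return host, port, resolved addresses and a list of findings.

    A finding is raised when the URL lacks the parameters ISE needs to bind
    the request to a session, or when the portal host resolves to more than
    one address (round-robin across PSNs).
    """
    info = parse_redirect(url)
    findings = []
    if not info["token"] or not info["session_id"]:
        findings.append(
            "redirect URL lacks token or sessionId; the PSN cannot bind "
            "this request to a session"
        )
    addrs = resolve_a(info["host"], dns)
    if not addrs:
        findings.append(f"{info['host']} does not resolve to any IPv4 address")
    elif len(addrs) > 1:
        findings.append(
            f"{info['host']} resolves to {len(addrs)} addresses {addrs}; "
            "a client may present its token to a PSN other than the one "
            "that issued it (400 Bad Request)"
        )
    return {
        "host": info["host"],
        "port": info["port"],
        "addresses": addrs,
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_redirect(SAMPLE_REDIRECT, SAMPLE_DNS)
    print(f"{result['host']}:{result['port']} -> {result['addresses']}")
    for finding in result["findings"]:
        print("  finding:", finding)
```

Redirecting to a single PSN's own hostname (as comment 3 did) clears the finding but gives up redundancy; keeping a shared FQDN requires that whatever answers it (a load balancer with persistence, or one node) sends a given client back to the node that issued its token.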
