I had to deal with an issue with a wireless network guest portal for a customer recently that had me and TAC stumped for a month. The splash page seemed to load fully, but there was always a small spinning circle in the center suggesting something on the page didn’t quite finish loading. It resulted in end-users seeing an intermittent but frequent error when they connected to the guest wireless getting the redirect URL to the guest portal page on Cisco Identity Services Engine 2.3. The error was
[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data
and here’s what I did to troubleshoot and eventually fix it.
The platform was Cisco ISE 2.3 with no patches, and the wireless controller was an HA pair of Cisco 5508s. All APs were Flexconnect, but there was no issue with the redirect URL and actually getting the guest login page. In fact, when the error didn’t occur, no one had an issue completing the self registration form and signing into the guest wireless.
What we found with about a month of testing on and off is that when a client connected to the guest portal, sometimes it would display the portal page for a few seconds and then automatically fail and display the error.
Sometimes, the symptom was that an end-user would get the splash page, but instead of failing on its own, it would fail only after the user attempted to enter information into the fields. At that point, it would fail and display the 400 Bad Request message. Interestingly, if an end-user hit the back button on their browser after getting the 400 message, the guest portal would fully load, and the person could successfully complete the form and access the guest wireless network.
Two TAC calls proved fruitless, but they did give me several troubleshooting steps:
- Re-create the portal (which I already did on my own prior to calling TAC)
- Use a different identity store sequence for the portal (apparently there is a bug related to the identity store sequence)
- Update ISE to the latest patch
- Re-install the whole ISE cluster and try again
Prior to calling TAC I already created a new portal, but it was a duplicate of the one giving problems. After speaking with TAC I decided to re-create everything manually and not simply duplicate it. By “everything” I mean all the policies, components, and the portal. This didn’t work for me, but I understand it has for some people experiencing this same issue.
The second thing I did was create a new identity store sequence and tie it to the original portal. This also didn’t work for me, but from TAC explained, this has worked for some people with this issue, so it was worth a try.
I planned to upgrade to the latest patch, but I learned that some people started getting the issue only after upgrading, so instead of trying that I created the entire environment as best I could in my home lab to test. I never got the 400 Bad Request error in my lab though – not once. When speaking to my customer, one of the engineers on their team realized that the only major difference between my testing environment and their production environment (from a policy and flow standpoint) was the fact that I didn’t upload their company logos to my test guest portal. They, of course, had custom logos for their company uploaded and in use.
I removed the logos and banner image from the portal customization page, and the error immediately stopped occurring.
My customer continued testing on their own at several other times that day to make sure (using a variety of devices), and they never saw the error again.
Apparently, there was something in those image files – maybe in just one of them or maybe in all of them – that ISE could not send properly resulting in some malformed information a client couldn’t work with resulting in the 400 Bad Request error.
My customer is content that we found the issue and will figure something out with the logos, but thankfully they consider that much less important that the portal itself working properly.
I wrote this post because I saw very little written about it online, and what I did find was only somewhat related. If you experience this same issue with your guest portal page, give those few troubleshooting steps a shot, and try removing the image files.