Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14513
Views
5
Helpful
4
Replies

[ 400 ] Bad Request,The request is invalid due to malformed syntax or invalid data.

Joseph Fontenot
Level 1
Level 1

‎10-25-2016 02:08 PM - edited ‎03-11-2019 12:11 AM

We have two ISE nodes (v2.0.0.306) one primary and one set to secondary. We suddenly having an issue with clients authenticating with wifi. When a client connects to a particular guest wifi network they get the 400 bad request error. If we go to 

2 people had this problem
Labels:
0 Helpful
4 Replies 4

jan.nielsen
Level 7
Level 7

‎10-26-2016 09:25 AM

Make sure that you are redirecting to the same ISE that your WLC is actually sending it's radius requests to, otherwise it will fail. The easiest way is to simply not change the "host name" field at all, leave it unused, as ISE will fill in the proper ise server dynamically.

Remember that the WLC can choose to use either of the ISE servers, if any client fails to authenticate, ISE will stop responding, which can trigger the WLC to try and use the other ISE server. So check you ISE logs, to see which ise gets the mab request initially, and see if it's the same ise you are getting redirected to.

The CA Service is not related to portals

Joseph Fontenot
Level 1
Level 1
In response to jan.nielsen

‎10-26-2016 09:31 AM

So should we uncheck the "Static IP/Host name/FQDN" option under the "Web Redirection (CWA, MDM, NSP, CPP)" settings? Assuming this will allow ISE to auto decide?

0 Helpful

jan.nielsen
Level 7
Level 7
In response to Joseph Fontenot

‎10-26-2016 09:36 AM

Exactly.

You should be aware that ise will use it's own configured fqdn per default when it auto-selects what should be in the redirect url. If you need to change that, due to DNS/Certificate contents or others, you can do alias commands in the CLI, or create one authorization rule that matches per ISE server, that then sends two different hardcoded fqdns.

0 Helpful

Boniek
Level 1
Level 1
In response to jan.nielsen

‎09-29-2017 01:15 AM

Thanks. That was quick and easy solution.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents