ISE Internal error suddenly appear

M.Jallad
Level 1

 

I started to see this error message suddenly:

"[500] Internal Error

Please contact system administrator. If you are the System Administrator please consult the logs."

The ISE deployment consists of two nodes: one carrying the Administration persona (primary) and Monitoring (secondary), and the other carrying the Administration persona (secondary) and Monitoring (primary). The setup was running smoothly without any issues. The ISE version was 1.2; after this issue appeared we did the required troubleshooting with no luck, so we upgraded both units to 1.3 and are still facing the same issue.

We noticed a strange behavior on the agent redirection ACL: when trying to reach basic services such as domain, DNS, ... (which are denied from redirection on the ACL), traffic appears to be redirected to ISE (the counters of the last permit ACE in the redirection ACL increase continuously), which shouldn't be the case in the posturing stage.

Has anyone faced this issue? What does this mean? If you have any ideas, we would appreciate it if you shared them with us...

Accepted Solutions

jai_chandra2001
Level 1

I faced the same problem on multiple PCs during deployment on a fresh install of 1.3. Bug CSCur94336. The trigger might not be the same, but maybe you are going through the same issue.

The primary issue is that when the ISE sends a redirect, there is a session ID assigned to it. Both the switch and ISE are aware of it during the policy enforcement duration (redirect duration). For some reason I guess the switch or ISE was deleting the session ID. So the ISE returns the error saying it isn't aware of the session. With what I read on this thread so far, it didn't look like a configuration issue to me. But I think experts can throw more light on this.

Patch for this will be released in January.

41 Replies

Saurav Lodh
Level 7

Can you post your auth. + post. policies? Since you are using 1.3, you can export the policies directly to your admin PC. While you face the above issue during posture, have you removed the network cable and reconnected the client and tested the network access? Are they able to go through it?

Hi Salodh,

Attached the exported policies.

You are right: when removing the cable, clearing the authentication session, or logging off, the NAC agent pops up normally and the client gets postured. However, when restarting the PC, the problem appears again.

 

Hello,

We are also facing the same issue. We see that the browser is trying to redirect (see the attached printscreen), and also when we manually entered the URL with session ID etc., it gave the internal server error message.

The strange thing is that it works for one SSID but it does not work for another SSID; all the configuration is the same, and on ISE we see it hits the Web Auth redirection authz policy. Client can resolve FQDN of ISE etc.?

Has anybody found any solution or workaround for this issue?

Thanks in advance

 

 

 

How many Wireless Controllers are involved in your situation? Is there a mobility group? (an active-standby HA config would count as one controller, since the standby does not do anything). Do you use anchor controllers? Maybe your SSIDs are anchored on different controllers?

 

If you have more than one controller, check if radius accounting is enabled for your SSIDs. If so, enable radius accounting at most on one of your controllers.

 

Multiple controllers, doing all accounting but with possibly different settings on different SSIDs, and maybe different timing issues involved, c/would cause your symptoms.

Check the link in my post above.

If you only have a single wlc, or already disabled accounting. Sorry, then I do not have an idea.

Michael.

 

 

Hi Michael,


Thanks for your response. In our case we have only two controllers in a high-availability scenario.

I have tested with accounting both enabled and disabled but get the same error. The client gets the redirect URL with the browser showing "web authentication", but it simply keeps trying, and on ISE monitoring I can also see it hits the correct authz policy (redirection).

I am wondering why one SSID works without any issue and why it does not work for the other SSID with the same settings..?

Any other thoughts as per your experience.?

Thanks in advance.

 

 

 

 

No, sorry. This scenario worked for me. I know - though - that there are apparently issues with WLCs creating consistent Radius session IDs and that ISE is easily confused about this and that this is one way to trigger an error 500 in ISE.

 

If you did not yet try, I'd recommend using latest 7.6. for WLC, 8.x has issues too. But this is also only a wild guess.

 

Michael.

Hi Michael,

Just to give you some update, we have upgraded the WLC to 7.6.130 code but the issue is still the same. 

I am already getting guest portal redirection for one SSID but not for other SSID. In the client PC I can see the redirection url and in the browser also showing Web Authentication page is trying to open but it does keep trying only.

Regards,

Pemasiri

 

Hi at all, 

we faced this error last week until yesterday!!

On the ISE, the configured port for guest was 8443!

After changing this to port 8449 and setting up a new portal page, all works fine as before!

I think only changing the Port brings back the function!!

Maybe we found a workaround?

Best Regards. 

Mario

Hi, I got the same error 500 in a guest wireless deployment with a 5508 WLC. It was functioning quite well until the error appeared.

We have 2 ISE 1.3 with no patches installed (Two-Node-Redundant) with a 5508 WLC. 

Do you suggest that I change the port 8443 to a different one to solve the issue? After you made the change, have you found any other issues with error 500?

Hope you can help.

Thanks a lot.

I worked with TAC on this since the day that I made my initial post. It got to the point where they basically said "patch ISE and see if it goes away..."

I am currently in the process of upgrading to 1.4

I had the same error and got it to go away when I disabled RADIUS accounting on my anchor controller. I de-selected accounting all together for that SSID. 

 

Make sure your client is de-auth'd on both WLCs and try the CWA page again.

Since my last post I spoke with our help desk supervisor and it appears the issue is no longer present. 

Have you faced this error, "[400] Bad Request"? It appeared after user registration when clicking on "sign me On".

Hi John.

It's correct. I had the same problem (redirect portal Guest).

===  

[ 400 ] Bad Request

The request is invalid due to malformed syntax or invalid data.

Possible cause is unknown, invalid, or terminated RADIUS session ID. Please advise the System Admin to consult the logs and ensure that the RADIUS session was not generated by a different PSN or due to a deny access policy match 

 

===
 

*** I DISABLED the RADIUS accounting on the Anchor WLC and it WORKS!

Does somebody know why I have to make this change for it to work in Cisco ISE 1.4???

Thanks a lot

 
