BugZero | Cisco BugID CSCvh80768 - ISE 2.3 no patches, unable to login to sponsor por...

Cisco - Defect ID: CSCvh80768

ISE 2.3 no patches, unable to login to sponsor portal with internal user

Cisco - Defect ID: CSCvh80768

ISE 2.3 no patches, unable to login to sponsor portal with internal user

Last updated on May 26th, 2026

BugZero Risk Score
6.1 Medium

Overall: 6.1

Severity: 6.4

Lifecycle: 9.1

Popularity: 4.6

What is the BugZero Risk Score?

Cisco Integration

Learn more about where this data comes from

Cisco Integration

Learn more

BugZero Plan

Streamline upgrades with automated vendor bug scrubs

BugZero Plan

Learn more

BugZero Prevent

Wish you caught this bug sooner? Get proactive today.

BugZero Prevent

Learn more

Bug Details

Description

Symptom

errors observed in the GUI : "[ 400 ] Bad Request The request is invalud due to malformed syntax or invalid data." errors observed in the Reports: "NO_SPONSOR_GROUP_MEMBERSHIP"

Conditions

- ISE 2.3 no patches - configured connection with active directory - Identity Source Sequence configured as: 'Internal Hosts' 'Do not access other stores in the sequence and set the "AuthenticationStatus" attribute to "ProcessError"' - internal user with the same name as in AD - sponsor portal configured to use ISS described above ad_agent.log clearly indicates an attempt to resolve identity of the user, though the sponsor portal identity store configured for Internal Users only ==> ad_agent.log <== 01/02/2018 11:23:54,DEBUG ,140067429365504,Lsa User Manager - checking user credentials refresh list,LsaUmpCheckUsers(),lsass/server/auth-providers/ad-open-provider/lsaum_p.c:702 01/02/2018 11:23:54,DEBUG ,140067429365504,LsaDmpIsDomainOffline: checking status of domain EXAMPLE.COM,LsaDmpIsDomainOffline(),lsass/server/auth-providers/ad-open-provider/lsadm.c:3158 01/02/2018 11:23:55,DEBUG ,140068841023232,Permission granted for (uid = 300, gid = 300, pid = 9887) to open LsaIpcServer,LsaSrvIpcCheckPermissions(),lsass/server/api/ipc_state.c:85 01/02/2018 11:23:55,VERBOSE,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b) Accepted ,lwmsg_peer_log_accept(),lwmsg/src/peer-log.c:230 01/02/2018 11:23:55,TRACE ,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b >> 0) call req LSA2_Q_RESOLVE_ID: { pszIdentity = "jakrupa" ppszJoinPoints = { "example.com" } dwSearchFlags = 1 pszSessionId = "mgmt-srv-ise-1/306848915/13" },lwmsg_peer_log_message(),lwmsg/src/peer-log.c:153 01/02/2018 11:23:56,TRACE ,140068841023232,(session:4db642e8635843ff-c54bbcd310bbce6b >> 0) call res LSA2_R_RESOLVE_ID: { pResolvedIdentitiesDataList = { dwCount = 1 ppResolvedIdentityData = { { pszResolvedIdentity = "jakrupa@example.com" pszProviderInstance = "EXAMPLE.COM" pszResolvedDN = "CN=jakrupa,CN=Users,DC=example,DC=com" pszResolvedDNSDomain = "example.com" pszResolvedNetBiosName = "EXAMPLE0" pszResolvedObjectCategory = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com" } } } pFGLogData = { pMessagesListData = { dwStringsCount = 4 ppszStrings = { "1517480635501 24325 "jakrupa" AD-Log-Id=1517474440/411, " "1517480635501 24313 "example.com" AD-Log-Id=1517474440/412, " "1517480636057 24319 "example.com" AD-Log-Id=1517474440/415, " "1517480636057 24323 "" AD-Log-Id=1517474440/416, " } } pAttributesListData = { dwStringsCount = 1 ppszStrings = { "AD-Log-Id=1517474440/416" } } } dwError = 0 },lwmsg_peer_log_message(),lwmsg/src/peer-log.c:153 ==> console.log <== 2018-02-01 11:23:56,198 WARN [RMI TCP Connection(198)-127.0.0.1][] SystemConsole -::::- com.cisco.epm.exceptions.AttributeNullException: envMap value should not be null 2018-02-01 11:23:56,199 WARN [RMI TCP Connection(198)-127.0.0.1][] SystemConsole -::::- at com.cisco.epm.common.Assert.assertObject(Assert.java:98) ==> guest.log <== 2018-02-01 11:23:56,281 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.utils.SponsorUtil -:jakrupa:- Authenticating sponsor user belongs to the following sponsor groups: 2018-02-01 11:23:56,282 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: uniqueSubjectId=878994c10060f1800d2937e03f685290944bed3b fqSubjectName=fc38f410-6d8f-11e5-978e-005056bf2f0a#jakrupa@example.com authStoreName=Internal Users normailzedUserName=jakrupa 2018-02-01 11:23:56,283 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction did not find 2.1 user, guid=fc38f410-6d8f-11e5-978e-005056bf2f0a userName=jakrupa@example.com 2018-02-01 11:23:56,283 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: userName12=jakrupa@example.com 2018-02-01 11:23:56,283 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: correct adUserResolvedId=jakrupa@example.com 2018-02-01 11:23:56,284 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction getOrCreateSponsorUser: adUserResolvedId=jakrupa@example.com userName12_legacy=jakrupa 2018-02-01 11:23:56,284 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.imhandler.sponsor.SponsorUserHandler -:jakrupa:- getSponsorUserLikeName list size=0 2018-02-01 11:23:56,285 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction correct 1.3 list13 size=0 2018-02-01 11:23:56,285 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction merge dup sponsor user, update guest user table, count=0 2018-02-01 11:23:56,285 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Creating new Sponsor User jakrupa@example.com authStoreName=Internal Users 2018-02-01 11:23:56,285 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Sponsor User-jakrupa@example.com come from ISE internal Store, going to create it! 2018-02-01 11:23:56,292 ERROR [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- Can not find NSF User with userName=jakrupa@example.com 2018-02-01 11:23:56,292 ERROR [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.exception.GuestAuthException -:jakrupa:- Employee(jakrupa@example.com) can not be found in ISE! 2018-02-01 11:23:56,292 INFO [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- inline correction Exception :Employee(jakrupa@example.com) can not be found in ISE! com.cisco.cpm.guestaccess.auth.exception.GuestAuthException: Employee(jakrupa@example.com) can not be found in ISE! at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.retrieveNSFUser(SponsorLogin.java:889) at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.createSponsorUserFromInternalUser(SponsorLogin.java:785) at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.getOrCreateSponsorUser(SponsorLogin.java:647) 2018-02-01 11:23:56,293 ERROR [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.exception.GuestAuthException -:jakrupa:- Guest Access Exception 2018-02-01 11:23:56,293 ERROR [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.auth.authentication.SponsorLogin -:jakrupa:- authenticate com.cisco.cpm.guestaccess.auth.exception.GuestAuthException: Guest Access Exception at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.getOrCreateSponsorUser(SponsorLogin.java:704) at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.parseAuthResult(SponsorLogin.java:271) at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.authenticate(SponsorLogin.java:201) Caused by: com.cisco.cpm.guestaccess.auth.exception.GuestAuthException: Employee(jakrupa@example.com) can not be found in ISE! at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.retrieveNSFUser(SponsorLogin.java:889) at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.createSponsorUserFromInternalUser(SponsorLogin.java:785) at com.cisco.cpm.guestaccess.auth.authentication.SponsorLogin.getOrCreateSponsorUser(SponsorLogin.java:647) 2018-02-01 11:23:56,294 ERROR [https-jsse-nio-10.48.26.200-8445-exec-7][] cpm.guestaccess.flowmanager.exception.FlowProcessorException -:jakrupa:- Software Error 2018-02-01 11:23:56,294 ERROR [https-jsse-nio-10.48.26.200-8445-exec-7][] cisco.ise.portalwebaction.controller.PortalStepController -:jakrupa:- Flow Processor Exception: Software Error ==> ise-psc.log <== 2018-02-01 11:23:56,286 WARN [https-jsse-nio-10.48.26.200-8445-exec-7][] cisco.cpm.nsf.impl.NSFUser -:::jakrupa:- User jakrupa@example.com was not found in UPS - trying to retrieve from legacy 2018-02-01 11:23:56,292 WARN [https-jsse-nio-10.48.26.200-8445-exec-7][] cisco.cpm.nsf.impl.NSFUser -:::jakrupa:- nsflegacy is null ==> prrt-server.log <== ADClient,2018-02-01 11:23:56,187,WARN ,0x7f28c938d700,cntx=0000001214,sesn=mgmt-srv-ise-1/306848915/13,CPMSessionID=mgmt-srv-ise-1:userauth13,user=jakrupa,[ActiveDirectoryClient::getUserAttributes] Could not retrieve attribute 'mail' for user jakrupa,ActiveDirectoryClient.cpp:1635

Workaround

create internal username which is not present in the connected active directory

Further Problem Description

Relevant Products

Click on a version to see all relevant bugs

Affected versions:002.003(000.298)

Fixed versions: 002.006(000.156), 2.2.0.470-Patch16, 2.4.0.357-Patch11

Relevant Products

Click on a version to see all relevant bugs

Affected versions:002.003(000.298)

Fixed versions: 002.006(000.156), 2.2.0.470-Patch16, 2.4.0.357-Patch11

Top Cisco Defects

9.7Defect ID: CSCws61409
Live Logs Not Displaying on GUI Due to Fast Expansion of MNT Database
9.7Defect ID: CSCwt50498
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
9.7Defect ID: CSCun06260
XE3.13 Gatekeeper Hardening
9.7Defect ID: CSCvs91869
FPR-1000 Series Random Number Generation Error
9.7Defect ID: CSCvq12070
Not able to establish more than 2 simultaneous ASDM sessions

Ready to prevent the next vendor outage?

Get a demo

Cisco - Defect ID: CSCvh80768

ISE 2.3 no patches, unable to login to sponsor portal with internal user

Cisco - Defect ID: CSCvh80768

ISE 2.3 no patches, unable to login to sponsor portal with internal user

Last updated on May 26th, 2026

BugZero Risk Score6.1 Medium

Bug Details

Symptom

Conditions

Workaround

Further Problem Description

Top Cisco Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.1 Medium