AR2200 WLAN Captive portal

Released on : 2018-5-8 20:11:10   Latest reply:2018-05-20 22:52:48
asmolarek    

Hi,
I have an AR2200 router with software V200R009C00SPC500. I need captive portal functionality for the guest WLAN. I need a person at reception to generate a ticket for the guest user.
Is this available on this device/software?

Regards
StarOfWest  Moderator   Released on 2018-5-8 21:33:02 Helpful(0) Helpful(0)

AR2200 has portal capabilities, but you can achieve simple scenarios, for example this one:

http://support.huawei.com/hedex/ ... ocid=EDOC1000163385

If you want to enable the captive portal function for guest - anonymous authentication, you may need to use an external captive portal. Huawei has - Agile Controller - which can work well to achieve more advanced configuration.
For example you can enable guest users to self-register and then to receive the authentication code by email or SMS. Maybe this suits your purpose.

Captive portal
http://support.huawei.com/hedex/ ... gistered%20Accounts(Receptionist%20Approval%20Mode%20Through%20Emails)&docid=EDOC1000141676


asmolarek     Released on 2018-5-9 15:12:52 Helpful(0) Helpful(0)

Posted by StarOfWest at 2018-5-8 21:33 AR2200 has portal capabilities, but you can achieve simple scenarios, for example this one:http://su ...
Thank you for your reply. I tried to do this simple scenario, but when I tried to apply the authentication policy on the interface I got an error:
Error: The direct web authentication server is configured in the authentication profile, the authentication profile can not bind to the interface.

I can't find an explanation for this error in the documentation or on the Internet.

user_2939339     Released on 2018-5-10 14:57:57 Helpful(0) Helpful(0)

I think it is better to provide the current configuration and the log from your attempt to apply the command. Maybe somebody knows what's happening.

asmolarek     Released on 2018-5-10 15:50:21 Helpful(0) Helpful(0)

Hi,

Here is my config below. The topology is very simple:

AP4030<--->S5720<--->AR2200

[V200R009C00SPC500]
#
sysname R1
#
board add 0/1 1LTE-L
board add 0/5 8AS
#
portal local-server ip 192.168.1.30
portal local-server https ssl-policy s1 port 8443
#
drop illegal-mac alarm
#
clock timezone SarajevoSkopjeWarsawZagreb add 01:00:00
#
vlan batch 10 to 13 101
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
authentication-profile name profile2
portal-access-profile web1
free-rule-template default_free_rule
access-domain isp1 force
#
dhcp enable
#
radius-server template default
radius-server template rd1
radius-server shared-key cipher :D
radius-server authentication 192.168.2.30 1812 weight 80
#
pki realm default
#
ssl policy default_policy type server
pki-realm default
version tls1.0 tls1.1
ciphersuite rsa_aes_128_cbc_sha
ssl policy s1 type server
pki-realm default
version tls1.2
ciphersuite rsa_aes_128_sha256 rsa_aes_256_sha256
#
acl number 3000
rule 50 permit ip source 10.10.11.0 0.0.0.255
rule 51 permit ip source 10.12.12.0 0.0.0.255
rule 52 permit ip source 10.11.11.0 0.0.0.255
acl number 3001
rule 50 permit ip source 10.10.11.0 0.0.0.255
rule 100 deny ip
#
ddns policy 1
method ddns
#
ike proposal default
encryption-algorithm aes-256
dh group14
authentication-algorithm sha2-256
authentication-method pre-share
integrity-algorithm hmac-sha2-256
prf hmac-sha2-256
#
free-rule-template name default_free_rule
free-rule 1 destination ip any source ip any
#
portal-access-profile name portal_access_profile
#
portal-access-profile name web1
portal local-server enable
#
aaa
authentication-scheme default
authentication-scheme radius
  authentication-mode radius
authentication-scheme abc
  authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
  authentication-scheme default
domain default_admin
  authentication-scheme default
domain isp1
  authentication-scheme abc
  radius-server rd1
local-user admin password irreversible-cipher :D
local-user admin privilege level 15
local-user admin service-type telnet terminal ssh http
#
firewall zone trust
priority 15
#
firewall zone untrust
priority 1
#
firewall zone mgmt
priority 40
#
firewall zone dev
priority 10
#
firewall zone guest
priority 5
#
firewall zone Local
#
firewall interzone trust untrust
firewall enable
packet-filter 3001 outbound
packet-filter default deny outbound
#
firewall interzone mgmt untrust
firewall enable
packet-filter default deny outbound
#
interface Async5/0/0
link-protocol ppp
#
interface Async5/0/1
link-protocol ppp
#
interface Async5/0/2
link-protocol ppp
#
interface Async5/0/3
link-protocol ppp
#
interface Async5/0/4
link-protocol ppp
#
interface Async5/0/5
link-protocol ppp
#
interface Async5/0/6
link-protocol ppp
#
interface Async5/0/7
link-protocol ppp
#
interface Vlanif1
#
interface Vlanif10
#
interface Vlanif13
authentication-profile p1
#
interface GigabitEthernet0/0/0
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
description MGMT
ip address 10.10.10.1 255.255.255.0
zone mgmt
dhcp select interface
#
interface GigabitEthernet0/0/2.1
description LAN
dot1q termination vid 10
ip address 10.10.11.1 255.255.255.0
zone trust
dhcp select interface
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/2.2
description LAN-DEV
dot1q termination vid 11
ip address 10.11.11.1 255.255.255.0
zone dev
dhcp select interface
dhcp server dns-list 8.8.8.8
#
interface GigabitEthernet0/0/2.3
description LAN-GUEST
dot1q termination vid 12
ip address 10.12.12.1 255.255.255.0
zone guest
dhcp select relay
dhcp relay server-ip 10.12.12.1
dhcp select interface
dhcp server dns-list 8.8.8.8 1.1.1.1
#
interface GigabitEthernet0/0/3
description VirtualPort
#
interface Cellular0/0/0
dialer enable-circular
dialer timer autodial 10
ip address negotiate
#
interface Cellular0/0/1
#
interface Cellular1/0/0
dialer enable-circular
dialer-group 1
apn-profile orange
dialer timer autodial 10
nat outbound 3000
zone untrust
pin verify auto :D
ip address negotiate
#
interface NULL0
#
interface LoopBack0
ip address 1.2.3.1 255.255.255.0
#
interface LoopBack1
ip address 192.168.1.30 255.255.255.255
#
dialer-rule
dialer-rule 1 ip permit
#
apn profile plus
apn plus
apn profile orange
apn internet
#
info-center timestamp log format-date
#
snmp-agent local-engineid 800007DB030C45BA7C5629
#
stelnet server enable
telnet server enable
telnet server permit interface GigabitEthernet0/0/2
ssh server permit interface GigabitEthernet0/0/2
#
http secure-server ssl-policy s1
#
ip route-static 0.0.0.0 0.0.0.0 Cellular1/0/0
#
fib regularly-refresh disable
#
capwap source interface loopback0
#
user-interface con 0
authentication-mode aaa
user-interface tty 33 40
user-interface vty 0
authentication-mode aaa
user privilege level 15
protocol inbound ssh
user-interface vty 1 4
authentication-mode aaa
protocol inbound ssh
#
wlan ac
traffic-profile name default
security-profile name default
security-profile name Dev
  security wpa2 psk pass-phrase :D aes
security-profile name default-wds
  security wpa2 psk pass-phrase :D aes
security-profile name Guest
security-profile name Office
  security wpa2 psk pass-phrase :D aes
ssid-profile name default
ssid-profile name Dev-ssid
  ssid Dev
ssid-profile name Guest-ssid
  ssid Guest
ssid-profile name Office-ssid
  ssid Office
vap-profile name default
vap-profile name VAP
  service-vlan vlan-id 10
  ssid-profile Office-ssid
  security-profile Office
vap-profile name Dev-VAP
  service-vlan vlan-id 11
  ssid-profile Dev-ssid
  security-profile Dev
vap-profile name Guest-VAP
  service-vlan vlan-id 12
  ssid-profile Guest-ssid
  security-profile Guest
wds-profile name default
regulatory-domain-profile name default
regulatory-domain-profile name domain1
  country-code PL
air-scan-profile name default
rrm-profile name default
radio-2g-profile name default
radio-5g-profile name default
wids-spoof-profile name default
wids-profile name default
ap-system-profile name default
port-link-profile name default
wired-port-profile name default
ap-group name default
ap-group name Group
  regulatory-domain-profile domain1
  radio 0
   vap-profile VAP wlan 1
   vap-profile Dev-VAP wlan 2
   vap-profile Guest-VAP wlan 3
  radio 1
   vap-profile VAP wlan 1
   vap-profile Dev-VAP wlan 2
   vap-profile Guest-VAP wlan 3
  radio 2
   vap-profile VAP wlan 1
   vap-profile Dev-VAP wlan 2
   vap-profile Guest-VAP wlan 3
ap-id 0 type-id 60 ap-mac a008-6f76-bb30 ap-sn 21500829412SH9600041
  ap-group Group
ap-id 1 type-id 56 ap-mac c4ff-1fdb-6900 ap-sn 21500829352SHA610949
  ap-group Group
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
undo ntp-service enable
#
voice
#
diagnose
#
ops
#
autostart
#
secelog
#
return

The error appears when I tried to do:
#
interface GigabitEthernet0/0/2.3
authentication-profile name profile2
#
Error: The direct web authentication server is configured in the authentication profile, the authentication profile can not bind to the interface.

StarOfWest  Moderator   Released on 7 days ago Helpful(0) Helpful(0)

I believe the problem is related to the type of interface you apply the authentication profile to. You are trying to enable portal on a routed interface - the subinterface. For this situation, you must set the portal authentication as layer 3 portal.

So you must enable
portal local-server enable layer3


or you can apply the current portal type on a layer 2 interface. I see that now you have 2 routed subinterfaces enabled, so I don't think you plan to use portal on all of them. So better try the above solution.

asmolarek     Released on 7 days ago Helpful(0) Helpful(0)

Thank you for the answer. Yes, the authentication profile will be connected only to interface GigabitEthernet0/0/2.3, which is the Guest network interface. What is interesting is that I created a VLAN interface with an IP address and I could connect this profile to it. As I understand it, both subinterface Gi0/0/2.3 and interface Vlanif12 are L3 interfaces?

StarOfWest  Moderator   Released on 6 days ago Helpful(0) Helpful(0)

Check the following information from the product documentation; it looks like vlanif supports both layer 2 and layer 3 portal authentication.
That's why you were able to deploy it under the vlanif interface.

http://support.huawei.com/hedex/ ... tication-profile%20(Interface%20view%20or%20VAP%20profile%20view)&docid=EDOC1000163385
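
Added example, not part of the thread and not Huawei code: a small Python check that encodes the rule discussed in the replies above, flagging a routed subinterface bound to an authentication profile whose portal access profile lacks the `layer3` keyword, while leaving a Vlanif binding alone. The sample configuration is constructed from names in the posted config with indentation restored; the link from `profile2` to `web1` and the function names are assumptions.

```python
import re

# Constructed excerpt (names from the posted config; profile2 -> web1 is assumed).
SAMPLE = """\
authentication-profile name profile2
 portal-access-profile web1
#
portal-access-profile name web1
 portal local-server enable
#
interface Vlanif13
 authentication-profile profile2
#
interface GigabitEthernet0/0/2.3
 dot1q termination vid 12
 authentication-profile profile2
"""

def sections(text):
    """Split a VRP-style dump into {header line: [child lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.strip() in ("", "#"):
            current = None
        elif not raw.startswith(" "):
            current = blocks.setdefault(raw.strip(), [])
        elif current is not None:
            current.append(raw.strip())
    return blocks

def portal_mode(blocks, name):
    """'layer3' if the keyword is present, else 'direct' (the error's wording)."""
    for line in blocks.get(f"portal-access-profile name {name}", []):
        if line.startswith("portal local-server enable"):
            return "layer3" if line.split()[-1] == "layer3" else "direct"
    return None

def check_bindings(text):
    """Return (interface, auth profile, access profile) for the case in the thread."""
    blocks, findings = sections(text), []
    for header, body in blocks.items():
        if not header.startswith("interface ") or "." not in header:
            continue  # only routed subinterfaces such as GigabitEthernet0/0/2.3
        for line in body:
            m = re.fullmatch(r"authentication-profile (?:name )?(\S+)", line)
            auth = blocks.get(f"authentication-profile name {m.group(1)}", []) if m else []
            for ref in auth:
                if ref.startswith("portal-access-profile ") and portal_mode(blocks, ref.split()[1]) == "direct":
                    findings.append((header.split()[1], m.group(1), ref.split()[1]))
    return findings
```

Running `check_bindings` over a saved configuration before applying the interface command shows which access profile needs `portal local-server enable layer3`.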

w1  Moderator   Released on Yesterday 22:52 Helpful(0) Helpful(0)
