Got it
Huawei Enterprise Support Community
Community Forums WLAN
AC6508 built-in Portal

AC6508 built-in Portal

Created: Jun 9, 2021 18:25:51Latest reply: Jun 12, 2021 15:21:43 334 5 0 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#

Hi,


the internal poartal page can only be accessed with apple devices (safari browser).

google, firefox or edge browser does not work at all.

i think it has something to do with the ssl certificate.

the problems only appear in the google and edge browser.

does anyone have an idea ?

greetings

Jens



Like (0) Dislike (0) Favorite(0) Share Report
Previous: error convert from fit to fat
Next: Wireless 6- Less speed
Featured Answers

Recommended answer

(0) (0)
Popeye_Wang
Admin Created Jun 12, 2021 15:21:43

Hi,

When a terminal is connected to a Wi-Fi network and initiate Portal authentication, the Portal authentication succeeds using Internet Explorer. However, the Portal authentication page fails to be opened using other browsers such as Chrome. (The following uses the Chrome browser as an example.)


z


Possible Causes

  1. The terminal cannot access the DNS server using the browser.

    After connecting to a Wi-Fi network, some terminals send HTTP Probe Request packets to the DNS server to detect network connectivity before passing Portal authentication. When an access device receives an HTTP connection request packet from a terminal:

  • If the packet is destined for the Portal server or authentication-free resources, the access device permits the packet, and the terminal can directly access the Portal server or authentication-free resources.

  • If the packet is destined for other addresses, the access device redirects the HTTP packet to the Portal authentication page. By default, the access device does not add the domain name of the DNS server to the authentication-free network resources. Therefore, the Portal authentication page cannot be displayed on the terminal browser. You can configure an authentication-free rule to solve this problem. For details, see Configuring an authentication-free rule.

    note_3.0-en-us.png

    Typically, the domain name of the DNS server is www.msftconnecttest.com or www.msfgncsi.com for Windows PCs, connectivitycheck.platform.hicloud.com for Android mobile phones, and captive.apple.com for iOS terminals.

    These DNS server domain names are for reference only.

The root certificate authority is not trusted.

For security purposes, the access device provides the Portal authentication function in HTTPS mode. When accessing the HTTPS-based Portal server through the web browser, a terminal checks whether the certificate of the Portal server is issued by a trusted certification authority (CA). The web browser contains some certificates issued by trusted CAs by default. You can also import the root certificate of a CA to the web browser to increase the trusted CAs.

If the certificate carried by the website is issued by an untrusted CA:

You can try the following methods to solve the problem: Using another browserImporting certificates, and Changing the mode of Portal authentication.

  • Some browsers (such as Chrome) directly interrupt the Portal server access process if the network connection is abnormal and the certificate is invalid. As a result, the Portal authentication page cannot be displayed on the terminal browser.

  • Some browsers (such as Internet Explorer) display a message indicating that the web page is insecure. However, you can ignore the alarm and continue to access the Portal server page.

Solution

In built-in Portal authentication scenarios, the following solutions are recommended (in descending order of priority): changing the mode of Portal authentication > importing a certificate > using another browser > configuring an authentication-free rule.

In external Portal authentication scenarios, the following solutions are recommended (in descending order of priority): importing a certificate > using another browser > configuring an authentication-free rule.

note_3.0-en-us.png

In external Portal authentication scenarios, changing the mode of Portal authentication is not recommended.

Importing certificates

You need to import a trusted certificate to the Portal server.

Using another browser

  • You are advised to use Internet Explorer.

Changing the mode of Portal authentication

Configure the Portal server to provide Portal authentication in HTTP mode rather than in HTTPS mode.

  • In built-in Portal authentication scenarios, configure the built-in Portal server to exchange authentication information with users using the HTTP protocol.

    <HUAWEI> system-view
    [HUAWEI]portal local-server ip 10.1.1.1
    [HUAWEI-url-template-huawei]portal local-server http port 8080

  • In external Portal authentication scenarios, configure the Portal server to exchange authentication information with users using the HTTP protocol.

Configuring an authentication-free rule

Configure an authentication-free rule on the device to allow terminals to access the DNS server without authentication.

note_3.0-en-us.png

When this method is used, the Portal authentication page cannot be directly displayed when a terminal accesses the network. You need to enter any URL except the authentication-free domain name in a browser to forcibly redirect to the Portal authentication page.

  1. If the domain name of the DNS server is www.msftconnecttest.com, create a global domain name whose name is www.msftconnecttest.com and ID is 0.

    <HUAWEI>system-view
    [HUAWEI]passthrough-domain name www.msftconnecttest.com id 0

  2. Add a rule to ACL 6001 to match packets destined for www.msftconnecttest.com, create an authentication-free rule profile default_free_rule and configure the authentication-free rule defined by ACL 6001.

    [HUAWEI]acl 6001
    [HUAWEI-acl-ucl-6001]rule 5 permit ip destination passthrough-domain www.msftconnecttest.com
    [HUAWEI-acl-ucl-6001]quit
    [HUAWEI]free-rule-template name default_free_rule
    [HUAWEI-free-rule-default_free_rule]free-rule acl 6001

Refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100096146&id=EN-US_CONCEPT_0250409303&lang=en

I hope this helps.


View more
  • x
  • convention:
All Answers
(0) (0)
2#
Gustavo.HdezF
Gustavo.HdezF Admin Created Jun 9, 2021 19:00:35

Hello User. we are reviewing your question and we will answer you shortly. Thanks.
View more
  • x
  • convention:
(0) (0)
3#
chenhui
chenhui Admin Created Jun 10, 2021 01:22:58

Hello,
As you might know, both Chrome and Edge browsers use the chromium core. Is there any error message while visiting the portal page using Chrome or Edge browser?
View more
  • x
  • convention:
(0) (0)
4#
Abdussamed
Abdussamed Created Jun 10, 2021 07:30:18

AC6508 built-in Portal-3964857-1
View more
  • x
  • convention:
(0) (0)
5#
Jens77
Jens77 Created Jun 10, 2021 12:25:40

Hello ,

yes, the message comes up that the page is not safe, but you also don't click on extended
View more
  • x
  • convention:
(0) (0)
6#
Popeye_Wang
Popeye_Wang Admin Created Jun 12, 2021 15:21:43

Hi,

When a terminal is connected to a Wi-Fi network and initiate Portal authentication, the Portal authentication succeeds using Internet Explorer. However, the Portal authentication page fails to be opened using other browsers such as Chrome. (The following uses the Chrome browser as an example.)


z


Possible Causes

  1. The terminal cannot access the DNS server using the browser.

    After connecting to a Wi-Fi network, some terminals send HTTP Probe Request packets to the DNS server to detect network connectivity before passing Portal authentication. When an access device receives an HTTP connection request packet from a terminal:

  • If the packet is destined for the Portal server or authentication-free resources, the access device permits the packet, and the terminal can directly access the Portal server or authentication-free resources.

  • If the packet is destined for other addresses, the access device redirects the HTTP packet to the Portal authentication page. By default, the access device does not add the domain name of the DNS server to the authentication-free network resources. Therefore, the Portal authentication page cannot be displayed on the terminal browser. You can configure an authentication-free rule to solve this problem. For details, see Configuring an authentication-free rule.

    note_3.0-en-us.png

    Typically, the domain name of the DNS server is www.msftconnecttest.com or www.msfgncsi.com for Windows PCs, connectivitycheck.platform.hicloud.com for Android mobile phones, and captive.apple.com for iOS terminals.

    These DNS server domain names are for reference only.

The root certificate authority is not trusted.

For security purposes, the access device provides the Portal authentication function in HTTPS mode. When accessing the HTTPS-based Portal server through the web browser, a terminal checks whether the certificate of the Portal server is issued by a trusted certification authority (CA). The web browser contains some certificates issued by trusted CAs by default. You can also import the root certificate of a CA to the web browser to increase the trusted CAs.

If the certificate carried by the website is issued by an untrusted CA:

You can try the following methods to solve the problem: Using another browserImporting certificates, and Changing the mode of Portal authentication.

  • Some browsers (such as Chrome) directly interrupt the Portal server access process if the network connection is abnormal and the certificate is invalid. As a result, the Portal authentication page cannot be displayed on the terminal browser.

  • Some browsers (such as Internet Explorer) display a message indicating that the web page is insecure. However, you can ignore the alarm and continue to access the Portal server page.

Solution

In built-in Portal authentication scenarios, the following solutions are recommended (in descending order of priority): changing the mode of Portal authentication > importing a certificate > using another browser > configuring an authentication-free rule.

In external Portal authentication scenarios, the following solutions are recommended (in descending order of priority): importing a certificate > using another browser > configuring an authentication-free rule.

note_3.0-en-us.png

In external Portal authentication scenarios, changing the mode of Portal authentication is not recommended.

Importing certificates

You need to import a trusted certificate to the Portal server.

Using another browser

  • You are advised to use Internet Explorer.

Changing the mode of Portal authentication

Configure the Portal server to provide Portal authentication in HTTP mode rather than in HTTPS mode.

  • In built-in Portal authentication scenarios, configure the built-in Portal server to exchange authentication information with users using the HTTP protocol.

    <HUAWEI> system-view
    [HUAWEI]portal local-server ip 10.1.1.1
    [HUAWEI-url-template-huawei]portal local-server http port 8080

  • In external Portal authentication scenarios, configure the Portal server to exchange authentication information with users using the HTTP protocol.

Configuring an authentication-free rule

Configure an authentication-free rule on the device to allow terminals to access the DNS server without authentication.

note_3.0-en-us.png

When this method is used, the Portal authentication page cannot be directly displayed when a terminal accesses the network. You need to enter any URL except the authentication-free domain name in a browser to forcibly redirect to the Portal authentication page.

  1. If the domain name of the DNS server is www.msftconnecttest.com, create a global domain name whose name is www.msftconnecttest.com and ID is 0.

    <HUAWEI>system-view
    [HUAWEI]passthrough-domain name www.msftconnecttest.com id 0

  2. Add a rule to ACL 6001 to match packets destined for www.msftconnecttest.com, create an authentication-free rule profile default_free_rule and configure the authentication-free rule defined by ACL 6001.

    [HUAWEI]acl 6001
    [HUAWEI-acl-ucl-6001]rule 5 permit ip destination passthrough-domain www.msftconnecttest.com
    [HUAWEI-acl-ucl-6001]quit
    [HUAWEI]free-rule-template name default_free_rule
    [HUAWEI-free-rule-default_free_rule]free-rule acl 6001

Refer to https://support.huawei.com/hedex/hdx.do?docid=EDOC1100096146&id=EN-US_CONCEPT_0250409303&lang=en

I hope this helps.


View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.