
After enabling MAC address-prioritized Portal authentication, some users cannot reconnect after locking and unlocking the screen.

Latest reply: Mar 24, 2020 13:36:16

Hi all,

This is a case about portal authentication.

[Issue Description]

After enabling MAC address-prioritized Portal authentication, some users cannot reconnect after locking and unlocking the screen.

[Analysis]

The root cause is that the SSID tpmpad that uses MAC address authentication is configured on the AC with a local database. After the terminal is connected to this SSID, the terminal will remember it. After the terminal is locked and unlocked, the terminal connects to this SSID. But if the terminal does not have a local account, the authentication fails. After the authentication fails, the terminal will be silent for 60 seconds. In this case, the terminal cannot perform MAC address-prioritized Portal authentication.

[AC6605]dis mac-authen
  MAC address authentication is Enabled.
  Username format: use MAC address without-hyphen as username
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Offline detect period is 300s
  Server response timeout value is 120s
  Reauthenticate period is 1800s
  Guest user reauthenticate period is 60s
  Maximum users: 10240
  Current users: 0
//The global domain is not configured

#
interface Wlan-Ess10
port hybrid pvid vlan 10
port hybrid untagged vlan 10
mac-authen
permit-domain name test
force-domain name test
mac-authen username macaddress format with-hyphen password cipher %@%@_MK_U"UQ|S{:|5#m4M-QSjmJ%@%@
#
[AC6605]display  aaa  online-fail-record  mac-address xxxx-xxxx-xxxx
  ------------------------------------------------------------------------------
  Are you sure to display some information?(y/n)[y]:y
  ------------------------------------------------------------------------------
  User name               : xxxx-xxxx-xxxx
  Domain name             : test
  User MAC                : xxxx-xxxx-xxxx
  User access type        : MAC
  User access interface   : Wlan-Dbss10:190
  Qinq vlan/User vlan     : 0/10
  User IP address         : -
  User ID                 : 3191
  User login time         : 2018/10/10 10:48:09
  User online fail reason : Authenticate fail
  Authen reply message    : -

[Solution]
1. Other devices are not allowed to connect to SSID Test. Hide this SSID so that other devices cannot search for and connect to it.
[AC6605-wlan-service-set-Test]dis this
#
  forward-mode tunnel
  wlan-ess 221
  ssid Test
  ssid-hide
#

2. For the devices that have ever connected to it, delete the SSID on the device. 

Hiding the SSID will resolve this issue. Thank you for sharing.

This post was last edited by GongXiaochuan at 2018-10-30 06:07.
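
An added troubleshooting sketch, not part of the original post and not Huawei tooling: it parses the two command outputs shown in the post above and computes the quiet window during which the terminal's further authentication attempts are blocked. It assumes the quiet timer starts at the recorded "User login time"; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the outputs in the post (MAC placeholder kept as posted).
MAC_AUTHEN_OUTPUT = """\
  MAC address authentication is Enabled.
  Quiet period is 60s
  Authentication fail times before quiet is 1
"""
FAIL_RECORD_OUTPUT = """\
  User MAC                : xxxx-xxxx-xxxx
  User access type        : MAC
  User login time         : 2018/10/10 10:48:09
  User online fail reason : Authenticate fail
"""

def parse_mac_authen(text):
    """Return (quiet_period_seconds, fail_times_before_quiet)."""
    quiet = re.search(r"Quiet period is (\d+)s", text)
    fails = re.search(r"Authentication fail times before quiet is (\d+)", text)
    if not quiet or not fails:
        raise ValueError("quiet settings not found in mac-authen output")
    return int(quiet.group(1)), int(fails.group(1))

def parse_fail_record(text):
    """Turn 'key : value' lines into a dict, splitting on the first ' : ' only."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            record[key.strip()] = value.strip()
    return record

def quiet_window(mac_authen_text, fail_record_text):
    """Return (start, end) of the quiet window, or None if one record cannot prove it."""
    quiet_s, fail_times = parse_mac_authen(mac_authen_text)
    rec = parse_fail_record(fail_record_text)
    # A single failure record starts the quiet period only when the threshold is 1.
    if rec.get("User access type") != "MAC" or fail_times != 1:
        return None
    # Assumption: the quiet timer starts at the recorded login time.
    start = datetime.strptime(rec["User login time"], "%Y/%m/%d %H:%M:%S")
    return start, start + timedelta(seconds=quiet_s)

def blocked_at(when, window):
    """True if an authentication attempt at 'when' falls inside the quiet window."""
    return window is not None and window[0] <= when < window[1]
```
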

Thanks for your sharing, which is wonderful guidance. I am really interested in this article, which is useful for us and for improving product technology and becoming a professional engineer.
I hope that you can insist on posting new knowledge and skills. I will always keep an eye on your sharing.

I have encountered this question about you. I have checked a lot of information, but I still have not answered this question clearly. Thank you for sharing this knowledge and solving my doubts. I hope that you can continue to update such knowledge points. Thank you!

Why we need this kind of authentication, please check below:
To ensure network security, the enterprise needs to deploy an authentication system to implement access control for all the wireless users who attempt to connect to the enterprise network. Only authenticated users can connect to the enterprise network. Considering the mobility feature of a large number of STAs, the administrator decides to configure Portal authentication on the AC at Layer 3 network to control access. The requirements are as follows:
  • Users can access only public servers (such as the Portal server, RADIUS server, and DNS server) before passing authentication.
  • Users can access the Enterprise intranet (such as the issue tracking system) after passing authentication.
  • Enable MAC address-prioritized Portal authentication to allow users to connect to the wireless network without entering user names and passwords when they move in and out of the wireless coverage area repeatedly within a period (60 minutes for example).

In MAC address-prioritized Portal authentication, when the Portal server needs to authenticate a user terminal, the device first sends the user terminal's MAC address to the Portal server for identity authentication. If the authentication fails, the Portal server pushes the Portal authentication page to the terminal. The user then enters the user name and password for authentication. The RADIUS server caches a terminal's MAC address and associated SSID during the first authentication for the terminal. If the terminal is disconnected and then connected to the network within the MAC address validity period, the RADIUS server searches for the SSID and MAC address of the terminal in the cache to authenticate the terminal.

This post was last edited by Torrent at 2018-10-31 06:36.
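
The MAC address-prioritized Portal flow described in the reply above, as an added toy model that is not part of the thread and not vendor code. Class and method names, the SSID, MAC and account are constructed, and it assumes the validity period is counted from the last successful Portal login.

```python
import hmac
from datetime import datetime, timedelta

class MacPrioritizedPortal:
    """Toy model of the server-side decision (hypothetical names)."""

    def __init__(self, accounts, validity=timedelta(minutes=60)):
        self.accounts = accounts   # user name -> password (constructed sample data)
        self.validity = validity   # MAC address validity period
        self.cache = {}            # (mac, ssid) -> time of last successful Portal login

    def mac_auth(self, mac, ssid, now):
        """Step 1: the MAC is tried first; succeed only on an unexpired cache hit."""
        seen = self.cache.get((mac, ssid))
        if seen is None:
            return False
        if now - seen >= self.validity:
            del self.cache[(mac, ssid)]   # expired entry: Portal login is required again
            return False
        return True

    def portal_login(self, mac, ssid, user, password, now):
        """Step 2: fallback to the Portal page; cache MAC + SSID on success."""
        expected = self.accounts.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return False
        self.cache[(mac, ssid)] = now
        return True

    def connect(self, mac, ssid, now, credentials=None):
        """Return which path admitted the terminal, or 'portal-page' if none did."""
        if self.mac_auth(mac, ssid, now):
            return "mac-auth"
        if credentials and self.portal_login(mac, ssid, *credentials, now):
            return "portal-auth"
        return "portal-page"
```

The cache key is the pair of MAC address and SSID, so the same terminal on a different SSID, or after the validity period, is sent back to the Portal page.
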

faysalji Created Nov 27, 2018 05:44:22
Thanks...  
example:

The sharing of technology enriches my knowledge and the professional answer is totally right to bring me the new viewpoint.
At the same time, it is necessary for me to read the posts. Within the posts citing large amounts of factual materials, which encourage me to be better.
On one hand, I have acquired a large number of skills which are very useful for us and are interesting for us to remember.
On the other hand, a good post which is in network technology contains a lot of excellent experience.
Thanks very much for your sharing. We are so happy for your next sharing like this.

The terms mirrored port, port mirroring, traffic mirroring, and mirroring in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
This post was last edited by littlestone at 2018-10-31 05:48.

helpful
  MAC address authentication is Enabled.
  Username format: use MAC address without-hyphen as username
  Quiet period is 60s
  Authentication fail times before quiet is 1
  Offline detect period is 300s
  Server response timeout value is 120s
  Reauthenticate period is 1800s
  Guest user reauthenticate period is 60s
  Maximum users: 10240
  Current users: 0
Global domain is not configured

Wow, learned how to hide the SSID.

1. Other devices are not allowed to connect to SSID Test. Hide this SSID so that other devices cannot search for and connect to it.
[AC6605-wlan-service-set-Test]dis this
#
  forward-mode tunnel
  wlan-ess 221
  ssid Test
  ssid-hide
#
2. For the devices that have ever connected to it, delete the SSID on the device.
This post was last edited by Finn92 at 2018-10-31 09:17.

Another good case