
Troubleshooting Series Case 59: WLAN Users Portal Authentication Failure




Physical Network Topology

•  AP works normally.

•  Phones can be authenticated by the portal.

Figure 1-1 Portal authentication failure


Fault Description

The phone can't be authenticated by the portal.

Configuration Files

#
 sysname CA02H2AC01-I2
#
portal local-server ip 192.168.10.1
portal local-server authentication-method pap
portal local-server https ssl-policy default_policy port 8443
#
vlan batch 100 200 900
#
dot1x quiet-period
dot1x quiet-times 5
dot1x timer quiet-period 300
dot1x timer tx-period 120
#
wlan ac-global country-code CA
wlan ac-global carrier id other ac id 1
#
portal free-rule 0 destination ip 192.168.10.1 mask 255.255.255.255
portal captive-bypass enable
#
radius-server template ICBCCAOTP
 radius-server shared-key cipher %^%#x:Dr$rxl{#!*&z;n3;}R(6%;-}r-NUt'GuT_!mjB%^%#
 radius-server authentication 123.80.3.6 1812 weight 80
 radius-server accounting 123.80.3.6 1813 weight 80
 undo radius-server user-name domain-included
 radius-attribute nas-ip 10.123.163.33
#
pki realm default
 enrollment self-signed
#
ssl policy default_policy type server
 pki-realm default
#
acl name wifiuser 3000  
 step 10
 rule 10 permit icmp 
 rule 20 permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.10.1 0 destination-port eq 8443 
 rule 30 permit tcp source 192.168.200.0 0.0.0.255 destination 192.168.10.1 0 destination-port eq 8443 
#
aaa
 authentication-scheme default
 authentication-scheme ICBCWIFI
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 domain icbccawifi
  authentication-scheme ICBCWIFI
  radius-server ICBCCAOTP
 local-user admin password irreversible-cipher %^%#g+|*2NT:s#><s~7JA<#"TYIWGaqCXRnG-Q6otKeBy>TL=4YA#'dOL&X.UKIR%^%#
 local-user admin privilege level 15
 local-user admin service-type terminal ssh http
 local-user localadmin password irreversible-cipher %^%#k#cR%gR:1UFuhj#E>,89zCWD@|r1[.]D-g9)X<hGWiQQ~bw[DX\*)MAK}+;$%^%#
 local-user localadmin privilege level 15
 local-user localadmin service-type terminal ssh http
#
firewall zone wifiuser
 priority 3
#
firewall zone Local
 priority 16
#
firewall interzone Local wifiuser
 firewall enable
 packet-filter 3000 inbound
#

Troubleshooting Procedure

Step 1     Check whether the AP is working normally by running the command display ap all. If the state is nor, the AP is normal.

[Screenshot: output of display ap all]

Step 2     If the AP is normal, check whether the phone can connect to the Wi-Fi successfully.

This can be checked on the AP. In the example below, the phone has connected to the Wi-Fi.

[Screenshot: the phone shown as connected on the AP]

Step 3     Enter an HTTP URL to trigger portal authentication. Normally the portal is triggered by any HTTP packet with destination port 80, for example http://1.1.1.1, but in this case that does not work.

Step 4     Check the configuration under the portal interface. A firewall zone is configured there, so we should check whether this zone denies the HTTP packet.

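Step 5     After checking the firewall configuration, we notice that the customer allows only the traffic below to reach the AR device.

[Screenshot: permitted traffic; the configuration above applies ACL 3000 to the Local/wifiuser interzone with packet-filter 3000 inbound]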

There are two methods to solve the issue:

•  Allow any HTTP packet in ACL 3000:

rule 40 permit tcp source any destination-port eq 80

•  Use the URL https://192.168.10.1:8443/index.html to trigger the portal.

----End

Root Cause

Because a firewall configuration is applied under the interface, the phone must enter the correct portal-server URL to get the authentication page.
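The effect of ACL 3000 on the portal trigger, as an added example (not part of the original post and not Huawei code): a small first-match evaluator for the rule forms used on this page. The client address 192.168.100.25 is constructed, and treating unmatched traffic as denied is an assumption taken from the behaviour the case describes.

```python
import ipaddress

# ACL 3000 copied from the configuration on this page.
ACL_3000 = """
rule 10 permit icmp
rule 20 permit tcp source 192.168.100.0 0.0.0.255 destination 192.168.10.1 0 destination-port eq 8443
rule 30 permit tcp source 192.168.200.0 0.0.0.255 destination 192.168.10.1 0 destination-port eq 8443
"""
# Method 1 from the case, written with the "eq" keyword that rules 20 and 30 use.
RULE_40 = "rule 40 permit tcp source any destination-port eq 80"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens, key):
    """Return (base, wildcard) for 'source'/'destination'; None means any."""
    if key not in tokens or tokens[tokens.index(key) + 1] == "any":
        return None
    i = tokens.index(key)
    wild = tokens[i + 2]              # dotted wildcard, or "0" for a single host
    return _ip(tokens[i + 1]), (_ip(wild) if "." in wild else int(wild))

def parse_rule(line):
    t = line.split()
    rule = {"id": int(t[1]), "action": t[2], "proto": t[3], "dport": None,
            "src": _addr(t, "source"), "dst": _addr(t, "destination")}
    if "destination-port" in t:       # only the "eq N" form appears on this page
        rule["dport"] = int(t[t.index("destination-port") + 2])
    return rule

def load(text):
    return [parse_rule(line) for line in text.strip().splitlines()]

def _hit(field, ip):
    base, wild = field or (0, 0xFFFFFFFF)   # absent or "any": every bit is a wildcard
    return ((_ip(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, dst, dport=None):
    """First match in rule-ID order; returns (action, rule_id)."""
    for r in sorted(rules, key=lambda r: r["id"]):
        if r["proto"] == proto and r["dport"] in (None, dport) and _hit(r["src"], src) and _hit(r["dst"], dst):
            return r["action"], r["id"]
    # Assumption: traffic matching no rule is dropped, which is what the case observes.
    return "deny", None

if __name__ == "__main__":
    before, after = load(ACL_3000), load(ACL_3000 + RULE_40)
    for acl, dst, port in ((before, "1.1.1.1", 80), (before, "192.168.10.1", 8443), (after, "1.1.1.1", 80)):
        print(dst, port, evaluate(acl, "tcp", "192.168.100.25", dst, port))  # constructed client IP
```

Because rule 40 uses source any, it admits TCP port 80 from any address in the wifiuser zone; restricting the source to 192.168.100.0 0.0.0.255 and 192.168.200.0 0.0.0.255, as rules 20 and 30 do, keeps the exception as narrow as the existing policy.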
