Got it

Troubleshooting Series Case 59 Wlan users portal authentication failure

804 0 0 0 0

Physical Network Topology

l  AP works normally.

l  Phones can be authenticated by the portal.

Figure 1-1 Portal authentication failure



Fault Description

The phone can't be authenticated by the portal.

Configuration Files

 sysname CA02H2AC01-I2
portal local-server ip
portal local-server authentication-method pap
portal local-server https ssl-policy default_policy port 8443
vlan batch 100 200 900
dot1x quiet-period
dot1x quiet-times 5
dot1x timer quiet-period 300
dot1x timer tx-period 120
wlan ac-global country-code CA
wlan ac-global carrier id other ac id 1
portal free-rule 0 destination ip mask
portal captive-bypass enable
radius-server template ICBCCAOTP
 radius-server shared-key cipher %^%#x:Dr$rxl{#!*&z;n3;}R(6%;-}r-NUt'GuT_!mjB%^%#
 radius-server authentication 1812 weight 80
 radius-server accounting 1813 weight 80
 undo radius-server user-name domain-included
 radius-attribute nas-ip
pki realm default
 enrollment self-signed
ssl policy default_policy type server
 pki-realm default
acl name wifiuser 3000  
 step 10
 rule 10 permit icmp 
 rule 20 permit tcp source destination 0 destination-port eq 8443 
 rule 30 permit tcp source destination 0 destination-port eq 8443 
 authentication-scheme default
 authentication-scheme ICBCWIFI
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 domain icbccawifi
  authentication-scheme ICBCWIFI
  radius-server ICBCCAOTP
 local-user admin password irreversible-cipher %^%#g+|*2NT:s#><s~7JA<#"TYIWGaqCXRnG-Q6otKeBy>TL=4YA#'dOL&X.UKIR%^%#
 local-user admin privilege level 15
 local-user admin service-type terminal ssh http
 local-user localadmin password irreversible-cipher %^%#k#cR%gR:1UFuhj#E>,89zCWD@|r1[.]D-g9)X<hGWiQQ~bw[DX\*)MAK}+;$%^%#
 local-user localadmin privilege level 15
 local-user localadmin service-type terminal ssh http
firewall zone wifiuser
 priority 3
firewall zone Local
 priority 16
firewall interzone Local wifiuser
 firewall enable
 packet-filter 3000 inbound

Troubleshooting Procedure

Step 1     Check whether ap works normally by using command display ap all. If the state is not, indicate the ap is normal.


Step 2     If the AP is normal, check whether the phone can connect the WIFI successfully.

We can check it on the AP, below is the example, it means the phone has connected to the WIFI.


Step 3     Input an HTTP URL to trigger the portal server authenticate, normally portal will be trigger by any HTTP packet which is 80

destination-port. Such as, but in this case, it will not work.

Step 4     Checking the configuration under the portal interface. There is a firewall zone configured. We should check whether this

zone denied the HTTP packet.

Step 5     After checking the firewall configuration, we notice that the customer only allowed below traffic to come to AR device.


There are two methods to solve the issue:

l  Allow any http packet in the ACL 3000

rule 40 permit tcp source any destination-port 80

l  Using URL to trigger the portal.


Root Cause

The phone should input the correct portal-server URL to get the authentication page because there's a firewall configuration under the interface.

If you have any problems, please post them in our Community. We are happy to solve them for you!

  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.