AR1220-S Fails to Push the Portal Authentication Page

Publication Date: 2015-12-24
Issue Description
As shown in the following figure, AR1220-S is deployed on the network as the AC device in a branched mode. It controls and manages all the access devices on the entire network. Agile Controller functions as a Portal server to perform Portal authentication on access users. 



When users enter public network addresses and domain names to access networks, AR devices fail to push the authentication page. The authentication page is displayed only when users enter the push page address.

Configuration information of AC devices is shown as follows:

#
web-auth-server portal
 server-ip 192.168.6.16
 port 50100
 shared-key cipher %^%#4R7w%QsKY9F#4DJUyq]V}$V-%^%#
 url http://192.168.6.16:8080/portal
 source-ip 192.168.11.1
Handling Process
Step 1 Run the display version and display device commands to view the device version and card status. The device version is ARV200R005 and the card installation status is normal.

Step 2 Confirm the Portal authentication mode and the failure time. User devices in the networking are authenticated in the Layer 3 Portal mode. The AC devices have failed to push the authentication page since they were configured.

Step 3 Run the ipconfig command on a PC to confirm that the PC has obtained an IP address, then run the ping command to confirm that the PC can ping the DNS server. Network connection faults are therefore ruled out.

Step 4 Run the display portal free-rule command to view the authentication-free rules that apply to all Portal authenticated users. The DNS server address has been added to the authentication-free rules, and the PC can access the DNS server.

Step 5 Run the debugging web packet command to enable debugging for WEB module packets. The debugging result shows that the HTTP packets used in Portal authentication are not forwarded to the AC device, which is why the authentication page is not pushed.

Step 6 Run the tunnel-forward protocol http command to enable the tunnel forwarding function for HTTP packets. The problem is resolved.

----End
Root Cause
The tunnel forwarding function for HTTP packets is disabled. 
Solution
Enable the tunnel forwarding function for HTTP packets to solve the problem. 
Suggestions
HTTP packets used in Portal authentication are encapsulated into Layer 2 packets. When a client connects to an AC across a Layer 3 network, such packets cannot be forwarded at Layer 3, so authentication fails. ARV200R005 and later versions support forwarding authentication packets at Layer 3 and the tunnel forwarding function for HTTP packets. If the Portal authentication configuration steps themselves contain no fault, it is recommended that users enable the tunnel forwarding function for HTTP packets.
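To confirm from a client that the page is pushed once tunnel forwarding for HTTP packets is enabled, the reply to a request for a public address can be checked against the configured portal URL. The sketch below is an added example, not part of the original case or Huawei tooling; it assumes the push appears as an HTTP 3xx redirect whose Location targets the `url` from the configuration above, and the sample responses and the `?url=` query parameter are constructed.

```python
from urllib.parse import urlsplit

# Portal URL taken from the web-auth-server configuration on this page.
PORTAL_URL = "http://192.168.6.16:8080/portal"

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def points_at_portal(url, portal_url=PORTAL_URL):
    """True when url has the portal's scheme, host, port and path prefix."""
    u, p = urlsplit(url), urlsplit(portal_url)
    same_origin = (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    return same_origin and u.path.startswith(p.path)

def classify(raw):
    """Classify what an unauthenticated client got back for a public URL."""
    if raw is None:  # request timed out or the connection was reset
        return "no-response"
    status, headers = parse_response(raw)
    if 300 <= status < 400:
        if points_at_portal(headers.get("location", "")):
            return "pushed"
        return "redirect-elsewhere"
    return "not-intercepted"

# Constructed sample replies (not captured from a real device).
SAMPLES = {
    "redirect to portal": b"HTTP/1.1 302 Found\r\n"
        b"Location: http://192.168.6.16:8080/portal?url=http%3A%2F%2Fexample.com%2F\r\n"
        b"Content-Length: 0\r\n\r\n",
    "origin answered": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>example</html>",
    "no reply": None,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify(raw))
```

Any result other than "pushed" for an unauthenticated client matches the symptom described in this case.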
