Step 1 Obtain authentication packet information from the AR511 using the third-party software.
The Radius authentication server sends the following authentication response packet to the client:
As shown in the preceding figure, the packet contains only the IP address mask, but does not contain the IP address.
Step 2 Log in to the AR511 to check whether the AR511 has a valid IP address.
Run the debugging aaa all command to enable all debugging functions of the AAA module.
<Huawei> debugging aaa all
2014 03:51:21.199.3+00:00 Huawei AAA/7/DEBUG:
[AAA ERROR]The corresponding ip is invalid or not configured.
The preceding information shows that the IP address is invalid. This indicates that the AR511 checks IP address validity after receiving authorization information from the server. If the IP address is invalid, the AR511 returns an authentication failure.
Huawei AR routers require that the Framed-IP-Netmask and Framed-IP-Address attributes must be used together. Therefore, to ensure successful authentication, the IP address and IP address mask must be configured together; otherwise, the packets returned by AR511 cannot contain Framed-IP-Netmask or Framed-IP-Address.
Step 3 The packet information obtained in Step 1 shows that the returned packet contains the Framed-IP-Netmask attribute. Run the following commands to prevent the AR511 from parsing the Framed-IP-Netmask attribute in the authorization packets returned by the server.
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute translate //Enable RADIUS attribute translation.
[Huawei-radius-test1] radius-attribute disable Framed-IP-Netmask receive //Disable the Framed-IP-Netmask attribute.
Step 4 Run the following command, and you can find that the user has gone online.
<Huawei> display access-user user-id 1099
User ID : 1099
User name : test011
Domain-name : 123
User MAC : 4487-fc40-f05b
User IP address : 220.127.116.11
User access Interface : Wlan-Bss1
QinQVlan/UserVlan : 0/100
User access time : 2014/09/20 10:05:39
User accounting session ID : Huawei000480000000066749df000017
User access type : WEB
AP ID : 0
AP name : ap-0
Radio ID : 0
AP MAC : 0a0b-0c00-0500
SSID : huawei111
Online time : 14(s)
Web-server IP address : 192.168.100.62
User authentication type : WEB authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
After the user enters the user name and password on the login page, the user can go online.