Users Fail Portal Authentication Through AR511

Publication Date:  2015-10-14
Issue Description
As shown in Figure 1-1, a user attempts to access the Internet through WiFi. When the user enters the user name and password on the login page, the web page displays an authentication failure.

Figure 1-1 User accesses the Internet through WiFi

Handling Process
Step 1 Obtain the authentication packet information exchanged by the AR511 using third-party packet capture software.

The RADIUS authentication server sends the following authentication response packet to the client (shown in the packet capture of the original figure):

As shown in the preceding figure, the packet contains only the IP address mask (Framed-IP-Netmask) and does not contain the IP address (Framed-IP-Address).

Step 2 Log in to the AR511 to check whether the AR511 has a valid IP address.

Run the debugging aaa all command to enable all debugging functions of the AAA module.
<Huawei> debugging aaa all
2014 03:51:21.199.3+00:00 Huawei AAA/7/DEBUG: 
[AAA ERROR]The corresponding ip is invalid or not configured.
The preceding information shows that the IP address is invalid. This indicates that the AR511 checks IP address validity after receiving authorization information from the server. If the IP address is invalid, the AR511 returns an authentication failure.
Huawei AR routers require that the Framed-IP-Netmask and Framed-IP-Address attributes be used together. Therefore, to ensure successful authentication, the RADIUS server must be configured to deliver the IP address and the IP address mask together; otherwise, the authorization packets returned by the server must contain neither Framed-IP-Netmask nor Framed-IP-Address.

Step 3 The packet information obtained in Step 1 shows that the returned packet contains the Framed-IP-Netmask attribute. Run the following commands to prevent the AR511 from parsing the Framed-IP-Netmask attribute in the authorization packets returned by the server.

<Huawei> system-view
[Huawei] radius-server template test1
[Huawei-radius-test1] radius-server attribute translate    //Enable RADIUS attribute translation.
[Huawei-radius-test1] radius-attribute disable Framed-IP-Netmask receive    //Disable the Framed-IP-Netmask attribute.
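As an added illustration, not taken from the original case or from any Huawei code, the following Python script decodes a constructed RADIUS Access-Accept, applies the pairing rule described in Step 2 (Framed-IP-Netmask is only valid alongside Framed-IP-Address), and models the effect of the Step 3 command that discards Framed-IP-Netmask on receive. The packet and attribute layout and the attribute numbers 8 and 9 are from RFC 2865; the packet contents, the user name and all function names are constructed for this example.

```python
import struct
import ipaddress

# RADIUS code and attribute numbers from RFC 2865
ACCESS_ACCEPT = 2
USER_NAME = 1
FRAMED_IP_ADDRESS = 8
FRAMED_IP_NETMASK = 9
ATTR_NAMES = {USER_NAME: "User-Name", FRAMED_IP_ADDRESS: "Framed-IP-Address",
              FRAMED_IP_NETMASK: "Framed-IP-Netmask"}


def parse_radius(packet: bytes):
    """Decode the 20-byte RADIUS header and the attribute list.
    Returns (code, identifier, [(type, value_bytes), ...]) and rejects
    inconsistent length fields, which a device must do before trusting
    any attribute it receives from the server."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, attrs


def build_access_accept(identifier: int, attrs) -> bytes:
    """Build a constructed Access-Accept for the demonstration.
    The 16-byte Response Authenticator is zero-filled because no shared
    secret is involved here; a real server fills it with an MD5 over the
    packet and the secret (RFC 2865 section 3)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


def check_framed_ip(attrs):
    """The pairing rule the case describes: the two Framed-IP attributes must
    appear together or not at all. Returns (ok, reason)."""
    types = {t for t, _ in attrs}
    has_addr, has_mask = FRAMED_IP_ADDRESS in types, FRAMED_IP_NETMASK in types
    if has_mask and not has_addr:
        # This is the situation in the case: the debug log reported the IP as invalid.
        return False, "Framed-IP-Netmask without Framed-IP-Address: ip invalid or not configured"
    if has_addr and not has_mask:
        return False, "Framed-IP-Address without Framed-IP-Netmask"
    return True, "ok"


def drop_on_receive(attrs, disabled_types):
    """Model of 'radius-attribute disable <name> receive': strip the named
    attributes from the server's reply before authorization is evaluated."""
    return [(t, v) for t, v in attrs if t not in disabled_types]


def describe(attrs):
    """Human-readable attribute list, e.g. for comparing with a capture."""
    return [(ATTR_NAMES.get(t, f"Attr-{t}"), v) for t, v in attrs]


def demo():
    """Reproduce the case: the server delivers a mask but no address.
    Returns the check result before and after the Step 3 workaround."""
    reply = build_access_accept(7, [
        (USER_NAME, b"test011"),  # constructed, mirrors the user in the display output
        (FRAMED_IP_NETMASK, ipaddress.IPv4Address("255.255.255.0").packed),
    ])
    code, _, attrs = parse_radius(reply)
    assert code == ACCESS_ACCEPT
    before = check_framed_ip(attrs)
    after = check_framed_ip(drop_on_receive(attrs, {FRAMED_IP_NETMASK}))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before workaround:", before)
    print("after workaround: ", after)
```

Running the script reports the failure for the mask-only reply and success once Framed-IP-Netmask is filtered on receive, which is the same before/after behaviour the case observes on the AR511. The length checks in `parse_radius` are the kind of validation a device should perform on any server reply before acting on its attributes.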

Step 4 Run the following command to confirm that the user has gone online.

<Huawei> display access-user user-id 1099

Basic:
  User ID                         : 1099
  User name                       : test011
  Domain-name                     : 123
  User MAC                        : 4487-fc40-f05b
  User IP address                 : 13.13.13.250
  User access Interface           : Wlan-Bss1
  QinQVlan/UserVlan               : 0/100
  User access time                : 2014/09/20 10:05:39
  User accounting session ID      : Huawei000480000000066749df000017 
  User access type                : WEB
  AP ID                           : 0
  AP name                         : ap-0
  Radio ID                        : 0
  AP MAC                          : 0a0b-0c00-0500
  SSID                            : huawei111
  Online time                     : 14(s)
  Web-server IP address           : 192.168.100.62

AAA:
  User authentication type        : WEB authentication
  Current authentication method   : RADIUS
  Current authorization method    : -
  Current accounting method       : RADIUS

After the user enters the user name and password on the login page, the user can go online.
Root Cause
Generally, a RADIUS server connects to multiple network devices, which may be from one vendor or from different vendors. If some vendors' devices request the RADIUS server to deliver an attribute to support a specified feature but other vendors' devices do not support the delivered attribute, the RADIUS attribute may fail to be parsed.
Solution
When an AR router is connected to a third-party Portal server and users fail authentication, you need to obtain packet information to check whether the AR router supports all the attributes in the packets returned by the server. If not, modify the configurations on the AR router to ensure successful user authentication.

END