Users Fail Wireless Portal Authentication by the S12708 and Policy Center

Publication Date:  2015-11-03
Issue Description
Wireless Portal authentication is configured on the S12708 and the Policy Center. The switch reaches the Portal server through VPN instance XX, which is bound to VLANIF 256 of the switch.

Authentication fails and no authentication records are displayed on the Portal server.

The configuration on the switch is as follows:

sysname Core_S12708 

set net-manager vpn-instance XX 

ip vpn-instance XX 
ipv4-family 
  route-distinguisher 65535:4 
  vpn-target 65535:4 export-extcommunity 
  vpn-target 65535:4 65535:3 65535:5 65535:6 65535:7 65535:8 65535:9 65535:10 import-extcommunity 
  vpn-target 65535:11 import-extcommunity 

radius-server template radius_huawei 
radius-server shared-key cipher %@%@MhYHRn'xG)G`2&)0kQb@w#B:%@%@ 
radius-server authentication 172.16.2.146 1812 vpn-instance XX source ip-address 10.66.1.1 weight 80 
radius-server accounting 172.16.2.146 1813 vpn-instance XX source ip-address 10.66.1.1 weight 80 
radius-server authorization 172.16.2.146 shared-key cipher %@%@>U:l~MJa=C8^U'9fmZ-4+q=4%@%@ 

url-template name urlTemplate_0 

web-auth-server huawei 
server-ip 172.16.2.146                   
port 50200 
shared-key cipher %@%@1s9zQui#nH`s%U47Ce~--%rA%@%@ 
url http://172.16.2.146:8080/portal 

aaa 
authentication-scheme default 
authentication-scheme radius_huawei 
  authentication-mode radius 
authorization-scheme default 
accounting-scheme default 
accounting-scheme radius_huawei 
  accounting-mode radius 
domain default 
  authentication-scheme radius_huawei 
  accounting-scheme radius_huawei         
  radius-server radius_huawei 
domain default_admin 

interface Vlanif256  
ip binding vpn-instance XX 
ip address 10.66.1.1 255.255.255.0 
#                                       

authentication free-rule 1 destination ip 172.16.2.146 mask 255.255.255.255 
#

WLAN configurations are omitted.

The configuration on the Policy Center is as follows:

User account setting: (screenshot omitted)

Access device setting: (screenshot omitted)

Authorization rule setting: (screenshot omitted)

Handling Process
Step 1 Run the test-aaa command on the switch to test the authentication account. Authentication fails. Enable RADIUS packet debugging on the switch: the Access-Request (Code 1) is answered by an Access-Reject (Code 3) whose Reply-Message carries error code 4117, indicating that account authorization on the Policy Center fails.

<Core_S12708>test-aaa 123 Admin123 radius-template radius_huawei
<Core_S12708>
Error: User name or password is wrong.
<Core_S12708>
Apr 23 2015 13:30:25.115.1 Core_S12708 RDS/7/DEBUG:
RADIUS Sent a Packet.
<Core_S12708>
Apr 23 2015 13:30:25.115.2 Core_S12708 RDS/7/DEBUG:
Server Template: 0
Server IP   : 172.16.2.146
Protocol: Standard
Code    : 1
Len     : 156
ID      : 118
[User-Name                          ] [5 ] [123]
[CHAP-Password                      ] [19] [c1 45 ee 4e 8a 81 68 5e 5c bf 55 16 f7 18 2e e0 08 ]
[CHAP-Challenge                     ] [18] [a6 de 82 54 33 fb 6d 61 d8 75 2c 98 a3 e5 3f 6a ]
[Service-Type                       ] [6 ] [2]
[Framed-Protocol                    ] [6 ] [1]
[NAS-Identifier                     ] [13] [Core_S12708]
[NAS-Port-Type                      ] [6 ] [15]
[Acct-Session-Id                    ] [37] [Core_S1000000000000002dd550f3001055]
[NAS-IP-Address                     ] [6 ] [10.66.1.1]
<Core_S12708>
Apr 23 2015 13:30:25.145.1 Core_S12708 RDS/7/DEBUG:
RADIUS Received a Packet.
<Core_S12708>
Apr 23 2015 13:30:25.145.2 Core_S12708 RDS/7/DEBUG:
Server Template: 0
Server IP   : 172.16.2.146
Server Port : 1812
Protocol: Standard
Code    : 3
Len     : 34
ID      : 118
[Reply-Message                      ] [14] [ErrCode:4117]
<Core_S12708>

Step 2 Check the Portal authorization rule on the Policy Center against the configured requirement. Compare the attributes that the switch reports to the RADIUS server with the customized condition preset for wireless access on the Policy Center. The NAS-Port-Type value in the customized condition differs from the value [NAS-Port-Type] [6] [15] in the reported packet (15 is Ethernet in RFC 2865, whereas a condition written for wireless access would normally expect 19, Wireless-IEEE 802.11; a request generated by test-aaa on the switch itself does not necessarily carry the NAS-Port-Type that a real wireless user would). Delete the customized condition and run test-aaa again. The account now passes the test, but users still fail Portal authentication, so the RADIUS side is not the only problem.



Step 3 Capture packets on the Portal server. The capture shows that the Portal server sends three REQ_CHALLENGE packets to the switch and receives no response, then sends REQ_LOGOUT packets to the switch and again receives no response. Because the challenge exchange never completes, no RADIUS authentication request is initiated at all, which is why the Portal server shows no RADIUS authentication log for this account. The server keeps sending and nothing comes back from the switch, so the switch configuration needs to be verified.



Note: A Portal protocol plug-in (dissector) needs to be installed in the packet analyzer to filter Portal packets by type. Without it, filter on the first two bytes of the UDP payload: the first byte is the Portal protocol version (0x02) and the second is the packet type, so payloads starting with 0201 are REQ_CHALLENGE packets and payloads starting with 0205 are REQ_LOGOUT packets.
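The by-hand filter in the note, carried through into a small decoder, as an added example that is not code from the original case or from Huawei: it decodes Portal protocol (version 2) datagrams captured between the Portal server and the access device, verifies their authenticator, and lists requests that never received the matching reply, which is exactly the Step 3 finding. The header layout, the TLV attribute encoding and the authenticator formula are taken from the Portal 2.0 protocol specification rather than from this page; DEMO_KEY, the client address and every packet in demo_trace() are constructed for the demo, and the function names are the example's own.

```python
# Added example, not code from the original case or from Huawei: decode Portal
# v2 datagrams, verify their authenticator and list unanswered requests.
# Assumed from the Portal 2.0 spec, not from the page: a 32-byte header
# Ver|Type|Method|Rsv|SerialNo|ReqID|UserIP|UserPort|ErrCode|AttrNum|Authenticator,
# TLV attributes whose Length counts its own 2 header bytes, and
# Authenticator = MD5(header with the authenticator zeroed || attrs || key).
# DEMO_KEY and every packet built below are constructed for the demo.
import hashlib
import struct

PORTAL_VERSION = 2
PORTAL_TYPES = {
    0x01: "REQ_CHALLENGE", 0x02: "ACK_CHALLENGE", 0x03: "REQ_AUTH",
    0x04: "ACK_AUTH", 0x05: "REQ_LOGOUT", 0x06: "ACK_LOGOUT",
    0x07: "AFF_ACK_AUTH", 0x08: "NTF_LOGOUT", 0x09: "REQ_INFO", 0x0A: "ACK_INFO",
}
EXPECTED_ACK = {0x01: 0x02, 0x03: 0x04, 0x05: 0x06, 0x09: 0x0A}  # request -> reply type
HEADER = struct.Struct("!BBBBHH4sHBB16s")   # 32 bytes; the first 16 precede the authenticator
DEMO_KEY = b"portal-demo-key"                # hypothetical web-auth-server shared-key


def _authenticator(head16, attrs, key):
    return hashlib.md5(head16 + bytes(16) + attrs + key).digest()


def build_portal(ptype, serial, req_id, user_ip, attrs=(), key=DEMO_KEY):
    """Encode one packet; attrs is a list of (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head16 = struct.pack("!BBBBHH4sHBB", PORTAL_VERSION, ptype, 0, 0, serial, req_id,
                         bytes(map(int, user_ip.split("."))), 0, 0, len(attrs))
    return head16 + _authenticator(head16, body, key) + body


def quick_filter(raw):
    """The note's by-hand filter: version 0x02 followed by type 0x01 (REQ_CHALLENGE)
    or 0x05 (REQ_LOGOUT), i.e. payloads starting with 0201 or 0205."""
    return raw[:2] in (b"\x02\x01", b"\x02\x05")


def parse_portal(raw, key=DEMO_KEY):
    """Decode a packet into a dict; raises ValueError on malformed input."""
    if len(raw) < HEADER.size:
        raise ValueError("short packet")
    ver, ptype, _m, _r, serial, req_id, ip, _port, err, nattr, auth = HEADER.unpack_from(raw)
    if ver != PORTAL_VERSION:
        raise ValueError("unsupported version %d" % ver)
    body, attrs, pos = raw[HEADER.size:], [], 0
    for _ in range(nattr):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("bad attribute")
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return {"type": ptype, "name": PORTAL_TYPES.get(ptype, "UNKNOWN"), "serial": serial,
            "req_id": req_id, "user_ip": ".".join(map(str, ip)), "err": err, "attrs": attrs,
            "auth_ok": auth == _authenticator(raw[:16], body[:pos], key)}


def unanswered_requests(packets, key=DEMO_KEY):
    """Walk a capture in order; return [(serial, request name, attempts)] for requests
    whose reply never appeared. attempts counts retransmissions that reuse the serial
    number. A bad authenticator (wrong shared key on either side, or tampering) is
    reported instead of being silently matched."""
    pending = {}                                   # serial -> [request type, attempts]
    for raw in packets:
        p = parse_portal(raw, key)
        if not p["auth_ok"]:
            raise ValueError("authenticator mismatch on serial %d" % p["serial"])
        if p["type"] in EXPECTED_ACK:
            pending.setdefault(p["serial"], [p["type"], 0])[1] += 1
        elif p["serial"] in pending and EXPECTED_ACK[pending[p["serial"]][0]] == p["type"]:
            del pending[p["serial"]]
    return sorted((s, PORTAL_TYPES[t], n) for s, (t, n) in pending.items())


def demo_trace():
    """Constructed capture mirroring Step 3: REQ_CHALLENGE sent three times and
    REQ_LOGOUT once with no reply, while a REQ_INFO does get its ACK_INFO back."""
    user = "10.66.2.20"                                          # constructed client address
    chal = build_portal(0x01, 1001, 0, user)
    return [chal, chal, chal,
            build_portal(0x05, 1002, 0, user),
            build_portal(0x09, 1003, 0, user, attrs=[(0x05, b"demo")]),  # 0x05 = TextInfo attribute
            build_portal(0x0A, 1003, 0, user)]


if __name__ == "__main__":
    trace = demo_trace()
    for raw in trace:
        p = parse_portal(raw)
        print(raw[:2].hex(), p["name"], p["serial"], "auth_ok" if p["auth_ok"] else "BAD AUTH")
    print("unanswered:", unanswered_requests(trace))
```

Feed unanswered_requests() the UDP payloads of a real capture, in capture order, together with the shared key from the web-auth-server template. An authenticator mismatch on every packet from one side is itself a finding (the two shared-key values differ), whereas requests that verify but are never answered point at the path back to the server, which is what Step 4 turns out to be.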



Step 4 Check the switch configuration. If the switch reaches the Portal server through a VPN instance, that VPN instance must also be bound to the Portal server template (web-auth-server); otherwise the switch does not send its Portal replies within VPN instance XX, so they never reach the server. Bind VPN instance XX to the Portal server template, confirm the binding with display web-auth-server configuration, and test Portal authentication again. The authentication succeeds.


web-auth-server huawei 
server-ip 172.16.2.146                   
port 50200 
shared-key cipher %@%@1s9zQui#nH`s%U47Ce~--%rA%@%@ 
url http://172.16.2.146:8080/portal 
vpn-instance XX  
#
Root Cause
Account authentication and authorization fail at first because the authorization rule on the Policy Center (the customized NAS-Port-Type condition) does not match the attributes that the switch reports, so the Policy Center rejects the account with error code 4117.

The switch then fails to respond to the Portal server's packets because VPN instance XX is not bound to the Portal server template (web-auth-server): the server is reachable only inside that VPN instance, but the template was not configured to use it.
Suggestions
The Portal packet exchange process is as follows:



1. A Portal user initiates an HTTP request. The access device lets HTTP packets destined for the Portal server or for a preset authentication-free website (the authentication free-rule in the configuration above) pass through and redirects HTTP packets destined for other addresses to the Portal server. The Portal server pushes a web page on which the user enters the user name and password for authentication.

2. The Portal server sends a REQ_CHALLENGE packet to the access device, which answers with an ACK_CHALLENGE carrying the CHAP challenge; this is the exchange that never completed in Step 3. If PAP is used, this step is omitted.

3. The Portal server assembles the user name and password entered by the user into an authentication request packet (REQ_AUTH), sends it to the access device, and starts a timer to wait for the authentication reply.

4. The access device sends a RADIUS Access-Request to the RADIUS server and receives an Access-Accept or an Access-Reject.

5. The access device sends an authentication reply packet (ACK_AUTH) to the Portal server.

6. The Portal server sends an authentication success page to the client to inform the user that authentication succeeded.

7. The Portal server sends an authentication reply acknowledgment packet (AFF_ACK_AUTH) to the access device.

8. The client exchanges security information with the Policy Center server. The Policy Center checks whether antivirus software is installed, whether unauthorized software is installed, and whether the virus signature database and operating system patches are up to date, to verify the security of the access terminal.

9. The Policy Center grants the user access to authorized resources according to the result of the security check. The access device enforces the authorization information delivered to and stored on the device to control user access.

Note: Steps 8 and 9 describe the extended Portal authentication function.
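The RADIUS leg of steps 2 to 5, with the Access-Request and Access-Reject from the Step 1 debug output rebuilt byte for byte, as an added example that is not part of the original case or of any Huawei code. CHAP (RFC 1994) and the RADIUS packet format (RFC 2865) are standard; the shared secret DEMO_SECRET, the request authenticator DEMO_REQ_AUTH and all function names are assumptions of the example, while the CHAP identifier 0xC1, the challenge and the attribute values are simply the values printed in the debug.

```python
# Added example, not code from the original case or from Huawei: the RADIUS
# exchange behind the Step 1 debug output, built from the attributes it prints,
# plus the two checks a RADIUS peer performs (CHAP verification on the server,
# Response Authenticator verification on the switch).
# DEMO_SECRET and DEMO_REQ_AUTH are constructed; a real NAS draws 16 random bytes.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute types that appear in the switch's Access-Request.
USER_NAME, CHAP_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 3, 4, 6
FRAMED_PROTOCOL, REPLY_MESSAGE, NAS_IDENTIFIER = 7, 18, 32
ACCT_SESSION_ID, CHAP_CHALLENGE, NAS_PORT_TYPE = 44, 60, 61
NAS_PORT_TYPE_ETHERNET = 15           # value 15 seen in the test-aaa request
NAS_PORT_TYPE_WIRELESS_80211 = 19     # value a real WLAN user would normally carry

DEMO_SECRET = b"demo-radius-secret"                                   # constructed
DEMO_REQ_AUTH = bytes(range(16))                                      # constructed
DEMO_CHALLENGE = bytes.fromhex("a6de825433fb6d61d8752c98a3e53f6a")    # CHAP-Challenge from the debug
DEMO_CHAP_ID = 0xC1                                                   # first byte of the debug CHAP-Password


def chap_response(ident, password, challenge):
    """RFC 1994: ident || MD5(ident || password || challenge), 17 bytes."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(password, challenge, response):
    """The server-side check; it needs the cleartext password, which is why a
    CHAP user cannot be stored as a salted password hash on the Policy Center."""
    return hmac.compare_digest(chap_response(response[0], password, challenge), response)


def attr(atype, value):
    """RADIUS TLV; Length counts the two header bytes, hence User-Name '123' -> 5."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def u32(n):
    return struct.pack("!I", n)


def access_request(username, password, challenge, chap_id, req_auth, nas_ip, nas_id,
                   session_id, ident=118, port_type=NAS_PORT_TYPE_ETHERNET):
    attrs = b"".join([
        attr(USER_NAME, username),
        attr(CHAP_PASSWORD, chap_response(chap_id, password, challenge)),
        attr(CHAP_CHALLENGE, challenge),
        attr(SERVICE_TYPE, u32(2)),          # 2 = Framed
        attr(FRAMED_PROTOCOL, u32(1)),       # 1 = PPP
        attr(NAS_IDENTIFIER, nas_id),
        attr(NAS_PORT_TYPE, u32(port_type)),
        attr(ACCT_SESSION_ID, session_id),
        attr(NAS_IP_ADDRESS, bytes(map(int, nas_ip.split(".")))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(code, ident, length, req_auth, attrs, secret):
    """RFC 2865: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret).digest()


def access_reject(ident, req_auth, message, secret):
    attrs = attr(REPLY_MESSAGE, message)
    length = 20 + len(attrs)
    auth = response_authenticator(ACCESS_REJECT, ident, length, req_auth, attrs, secret)
    return struct.pack("!BBH", ACCESS_REJECT, ident, length) + auth + attrs


def parse_radius(data):
    code, ident, length = struct.unpack_from("!BBH", data)
    if length < 20 or length > len(data):
        raise ValueError("bad length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("bad attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return {"code": code, "id": ident, "len": length, "auth": data[4:20], "attrs": attrs}


def reply_ok(reply, request, secret):
    """The NAS-side check: accept a reply only if its ID matches the outstanding
    request and its Response Authenticator was computed with the shared key."""
    r, q = parse_radius(reply), parse_radius(request)
    if r["id"] != q["id"]:
        return False
    expected = response_authenticator(r["code"], r["id"], r["len"], q["auth"], reply[20:r["len"]], secret)
    return hmac.compare_digest(expected, r["auth"])


def err_code(reply):
    """Return the NNNN of a 'ErrCode:NNNN' Reply-Message, or None."""
    for atype, value in parse_radius(reply)["attrs"]:
        if atype == REPLY_MESSAGE and value.startswith(b"ErrCode:"):
            return int(value[8:].decode())
    return None


def demo_exchange(secret=DEMO_SECRET):
    """The Step 1 exchange: test-aaa 123 Admin123, answered with ErrCode 4117."""
    req = access_request(b"123", b"Admin123", DEMO_CHALLENGE, DEMO_CHAP_ID, DEMO_REQ_AUTH,
                         "10.66.1.1", b"Core_S12708", b"Core_S1000000000000002dd550f3001055")
    rej = access_reject(118, DEMO_REQ_AUTH, b"ErrCode:4117", secret)
    return req, rej


if __name__ == "__main__":
    req, rej = demo_exchange()
    for atype, value in parse_radius(req)["attrs"]:
        print(atype, len(value) + 2, value[:17].hex())
    print(len(rej), err_code(rej), reply_ok(rej, req, DEMO_SECRET))
```

Rebuilding the request makes the numbers in the debug checkable: the nine printed attributes total 116 bytes, so with the 20-byte header they account for 136 of the 156 bytes in Len (the debug does not print every attribute), and the Access-Reject's 34 bytes are exactly the header plus the 14-byte Reply-Message. reply_ok is the check that matters for security: since the Access-Request carries no Message-Authenticator attribute, the Response Authenticator is the only thing binding the verdict to the key configured with radius-server shared-key, so a mismatched key makes the switch discard every reply, and a leaked key lets anyone on the path forge an Access-Accept.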

END