Common Causes and Troubleshooting Methods for Login Failures
Common causes of login failures include network disconnection, disabled services, access policy blocking, and insufficient account permissions. The following table lists typical troubleshooting cases.
| Symptom | Troubleshooting Case |
|---|---|
| Failed to ping the IP address of the device. | |
| The IP address of the device can be pinged, but the login page cannot be displayed. | Login Failure Because Services Are Not Enabled; Login Failure Due to ACL Policy Blocking; Login Failure Due to Incorrect Configurations of Service Source Interfaces; Login Failure Because Service Ports Are Blocked by a Firewall |
| The login page can be displayed, but the login fails. | Login Failure Due to Account Lockout |
For more fault locating methods, see the following topics in the Maintenance Guide:
- Troubleshooting: SSH Login Fails or Login Fails Through Telnet
- Troubleshooting: Web Login Fails
- Login Failure Due to Network Disconnection
- Login Failure Due to Management Plane Isolation
- Login Failure Because Services Are Not Enabled
- Login Failure Due to ACL Policy Blocking
- Login Failure Due to Incorrect Configurations of Service Source Interfaces
- Login Failure Because Service Ports Are Blocked by a Firewall
- Login Failure Due to Account Lockout
- Login Failure Due to Insufficient Account Permission
- Login Failure Because the Number of Concurrent Login Sessions Using an Account Reaches the Upper Limit
Login Failure Due to Network Disconnection
Symptom
Failed to ping the IP address of a device.
Involved Products
AC and AP
Login Mode
- Network port
- Management SSID
Possible Causes
- The network cable is loose or the management SSID fails to be associated.
- The IP address of the STA is incorrect.
Troubleshooting Procedure
- Check whether the physical connection between the STA and the device is correct.
  - In network port login mode, check whether the network cable is loose.
  - In management SSID login mode, check whether the association is successful.
- Check whether the IP address of the network port on the STA is in the same network segment as the IP address of the device.
  If the STA associates with a Fat AP through the management SSID, check whether the wireless network adapter of the STA can obtain a correct IP address.
Login Failure Due to Management Plane Isolation
Symptom
The IP address of the device cannot be pinged.
Involved Products
AC
Login Mode
Network port
Possible Causes
Management plane isolation is configured, so login through service network ports is not allowed.
Troubleshooting Procedure
- Log in to the device through the console port.
- Disable the management plane isolation function.
- If an AC has a management network port, you can log in through the management network port. By default, an AC with a management network port does not allow login through a service network port. To enable login to the AC through service network ports, cancel this restriction using one of the methods described in the following table.

| Method for Allowing the Login Through Service Network Ports | Description |
|---|---|
| Method 1: Configure a service network port as the management network port. | Run the management-interface command on the VLANIF interface corresponding to the service network port. A maximum of four VLANIF interfaces can be configured as management network ports. |
| Method 2: Disable the management plane isolation function globally. | Run the mgmt isolate disable command in the system view to disable management plane isolation globally to allow users to log in to the device through all service network ports. Considering potential security risks, this method is not recommended. |

- If an AC does not have a management network port, you can log in to it only through a service network port. By default, an AC without a management network port allows login through service network ports. You can configure the VLANIF interface to which the target network port belongs as the management network port to restrict login from other network ports, improving security.

| Method for Allowing the Login Through Service Network Ports | Description |
|---|---|
| Method 1: Cancel the configurations of all management network ports. | Run the display current-configuration command to check the configuration file and delete all management-interface configurations. This condition is naturally met on an AC with factory defaults. |
| Method 2: Configure the target service network port as the management network port. | If the management-interface command is configured on a VLANIF interface, other VLANIF interfaces without this configuration cannot be used to log in to the device. Run the management-interface command on the VLANIF interface corresponding to the target service network port to log in to the AC. A maximum of four VLANIF interfaces can be configured as management network ports. |

Login Failure Because Services Are Not Enabled
Symptom
The IP address of the device can be pinged, but the login page cannot be displayed.
Involved Products
AC and AP
Login Mode
- Network port
- Management SSID
Possible Causes
Services are not enabled.
Troubleshooting Procedure
- Log in to the device through the Bluetooth serial port or console port.
- Check whether services are enabled and perform corresponding operations.
- To log in to the device through STelnet, ensure that the STelnet service has been enabled on the device.
    <Huawei> display ssh server status
    ...
    Stelnet server :Enable   //Enable indicates that the STelnet service is enabled.
    ...
Product
How to Start the STelnet Service
AC
stelnet server enable (system view)
Fat AP
Cloud AP
Fit AP
undo stelnet server disable (AP system profile view) on the AC
- To log in to the device through Telnet, check whether the Telnet service is enabled.
    <Huawei> display telnet server status
    TELNET IPV4 server :Enable   //Enable indicates that the Telnet service (IPv4) is enabled.
    TELNET IPV6 server :Enable   //Enable indicates that the Telnet service (IPv6) is enabled.
    ...
Product
How to Enable the Telnet Service
AC
telnet [ ipv6 ] server enable (system view)
Fat AP
telnet server enable (system view)
Cloud AP
Fit AP
telnet enable (AP system profile view) on the AC
- To log in to the device using a web browser, check whether the HTTPS/HTTP service is enabled.
    <Huawei> display http server
    HTTP server status : Enabled (default: enable)   //Enabled indicates that the HTTP service is enabled.
    ...
    HTTPS server status : Enabled (default: enable)   //Enabled indicates that the HTTPS service is enabled.
    ...
Product
How to Enable the HTTP/HTTPS Service
AC
http server enable (system view)
http secure-server enable (system view)
Fat AP
Cloud AP
Fit AP
This function is enabled by default and cannot be disabled.
Login Failure Due to ACL Policy Blocking
Symptom
The IP address of the device can be pinged, but the login page cannot be displayed.
Involved Products
AC and AP
Login Mode
- Network port
- Management SSID
Possible Causes
The login protocol or IP address of the STA is blocked by an existing policy.
Troubleshooting Procedure
- Log in to the device through the Bluetooth serial port or console port.
- View the VTY configuration to check whether an ACL policy that restricts access exists or whether the specified protocol can be used for the login.
    <AC> system-view
    [AC] user-interface vty 0 4
    [AC-ui-vty0-4] display this
    ...
    user-interface vty 0 4
     acl 3000 inbound   //Run the display acl 3000 command to check whether ACL 3000 is used to restrict access to the device.
     authentication-mode aaa
     protocol inbound ssh   //If the specified login protocol is not included, run the protocol inbound { all | ssh | telnet } command to enable it.
    ...
    [AC-ui-vty0-4] display acl 3000   //Display the configuration of ACL 3000.
    Advanced ACL 3000, 1 rule
    Acl's step is 5
     rule 5 permit tcp destination 169.254.1.1 0   //This rule permits only the access to the destination address 169.254.1.1.
     rule 6 deny tcp source-port eq 22   //This rule denies TCP packets whose source port is 22.
Assume that you need to log in to the device with the IP address of 192.168.1.1 from the PC with the IP address of 192.168.1.100 through STelnet (port number: 22). To ensure successful login, ensure that ACL rules on the user interface allow for the assumed access.
    [AC-ui-vty0-4] quit
    [AC] acl 3000
    [AC-acl-adv-3000] undo rule 5
    [AC-acl-adv-3000] rule permit tcp source 192.168.1.100 0   //Permit the TCP access from the source IP address 192.168.1.100.
    [AC-acl-adv-3000] rule permit tcp source-port eq 22   //Permit the TCP access from the source port 22.
    [AC-acl-adv-3000] rule permit tcp destination 192.168.1.1 0   //Permit the TCP access to the destination IP address 192.168.1.1.
    [AC-acl-adv-3000] rule permit tcp destination-port eq 22   //Permit the TCP access to the destination port 22.
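The effect of the ACL change above can be checked by modelling first-match rule evaluation. The following Python model is an added example, not part of the original documentation or the device software. It assumes that rules are tried in ascending rule-ID order, that omitted fields match anything, that a packet matching no rule is refused on the VTY interface, and that the new rules receive IDs 10 to 25; the combined rule and both test packets are constructed for comparison.

```python
# Added example: first-match evaluation of advanced-ACL rules against one TCP packet.
# Assumptions (not taken from the device): ascending rule-ID order, omitted
# fields match anything, and a packet that matches no rule is refused.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    src: Optional[str] = None      # host address; None means any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def evaluate(rules, pkt):
    """Return (action, rule_id) of the first matching rule, else ("deny", None)."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if all(want is None or want == got for want, got in (
                (r.src, pkt.src), (r.dst, pkt.dst),
                (r.sport, pkt.sport), (r.dport, pkt.dport))):
            return r.action, r.rule_id
    return "deny", None

# ACL 3000 as displayed on the page.
BEFORE = [Rule(5, "permit", dst="169.254.1.1"), Rule(6, "deny", sport=22)]
# After "undo rule 5" and the four permit rules (IDs 10-25 assumed from step 5).
AFTER = [Rule(6, "deny", sport=22),
         Rule(10, "permit", src="192.168.1.100"),
         Rule(15, "permit", sport=22),
         Rule(20, "permit", dst="192.168.1.1"),
         Rule(25, "permit", dport=22)]
# Hypothetical tighter alternative: one rule carrying all three conditions.
COMBINED = [Rule(6, "deny", sport=22),
            Rule(10, "permit", src="192.168.1.100", dst="192.168.1.1", dport=22)]

ADMIN = Packet("192.168.1.100", "192.168.1.1", 50000, 22)   # constructed
OTHER = Packet("192.168.1.77", "192.168.1.1", 50001, 22)    # constructed

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER), ("combined", COMBINED)):
        print(name, evaluate(acl, ADMIN), evaluate(acl, OTHER))
```

Under these assumptions the four separate permit rules also admit the constructed host 192.168.1.77 through rule 20, whereas the single combined rule admits only 192.168.1.100 to 192.168.1.1 on destination port 22.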
Login Failure Due to Incorrect Configurations of Service Source Interfaces
Symptom
The IP address of the device can be pinged, but the login page cannot be displayed.
Involved Products
AC and AP
Login Mode
Network port
Possible Causes
The service source interface configuration is inconsistent with the actual connection.
Troubleshooting Procedure
- Log in to the device through the Bluetooth serial port or console port.
- Check whether the STelnet, Telnet, HTTPS, and HTTP source interface configurations are consistent with the physical connections.
To prevent unauthorized logins, the AC and AP provide the source interface-based login mechanism. Only terminals with the specified source interfaces can log in to the device. To log in to the device through a physical network port, ensure that this port is within the range allowed by the policy. By default, all physical network ports can be used to log in to the device.
From V200R019C10, login security is further improved on the AC and Fat AP. The Layer 3 interface to which a network port belongs must be within the range allowed by the policy. For a device with a management network port (such as the AC6805), its management network is used as the Layer 3 source interface by default. For a device without a management network port (such as the AC6508), VLANIF 1 is used as the Layer 3 source interface by default.
- To log in to the device using STelnet, check whether the STelnet source interface configuration is consistent with the physical connection.
    <Huawei> display current-configuration | include ssh server permit interface
    ssh server permit interface GigabitEthernet0/0/4   //Physical network ports that are not displayed cannot be used for logging in to the device through STelnet. If this line is not displayed, any physical network ports can be used for the login.
    <Huawei> display ssh server status
    ...
    SSH server source interface :Vlanif1   //The Layer 3 source interface of the STelnet server is VLANIF 1.
The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device through STelnet. To use STelnet to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the STelnet source interface configuration as follows:
    <Huawei> system-view
    [Huawei] ssh server permit interface GigabitEthernet 0/0/2
    [Huawei] ssh server-source -i vlanif 100
    Warning: This operation will lead to connection interruptions. Continue? [Y/N]y
- To log in to the device using Telnet, check whether the Telnet source interface configuration is consistent with the physical connection.
    <Huawei> display current-configuration | include telnet server permit interface
    telnet server permit interface GigabitEthernet0/0/4   //Physical network ports that are not displayed cannot be used for logging in to the device through Telnet. If this line is not displayed, any physical network ports can be used for the login.
    <Huawei> display telnet server status
    ...
    TELNET server source interface :Vlanif1   //The Layer 3 source interface of the Telnet server is VLANIF 1.
The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device through Telnet. To use Telnet to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the Telnet source interface configuration as follows:
    <Huawei> system-view
    [Huawei] telnet server permit interface GigabitEthernet 0/0/2
    [Huawei] telnet server-source -i vlanif 100
    Warning: This operation will lead to connection interruptions. Continue? [Y/N]y
- To log in to the device using a web browser, check whether the HTTP/HTTPS source interface configuration is consistent with the physical connection.
    <Huawei> display http server
    ...
    HTTP server permit interface : GigabitEthernet0/0/4   //The physical source interface of the HTTP/HTTPS server is GigabitEthernet0/0/4.
    HTTPS server source interface: Vlanif1   //The Layer 3 source interface of the HTTP/HTTPS server is VLANIF 1.
The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device using a web browser. To use a web browser to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the HTTP/HTTPS source interface configuration as follows:
    <Huawei> system-view
    [Huawei] http server permit interface GigabitEthernet 0/0/2
    Warning: This operation may affect the built-in Portal authentication and Portal escape function. Continue? (y/n)[n]:y
    [Huawei] http secure-server server-source -i vlanif 100
    Warning: This operation will lead to connection interruptions.Continue? [Y/N]y
Login Failure Because Service Ports Are Blocked by a Firewall
Symptom
The login page cannot be opened, but the device IP address can be pinged.
Involved Products
AC and AP
Login Mode
Network port
Possible Causes
Service ports are blocked by a firewall.
Troubleshooting Procedure
- Log in to the device through the Bluetooth serial port or console port.
- If a firewall exists between the PC and the device, check the firewall security policy and ensure that service ports are enabled.
To log in to the device through STelnet from the PC, ensure that the firewall security policy allows for TCP port 22-based communication between the source and destination IP addresses.
| Communication Protocol | Basic Protocol | Common Port |
|---|---|---|
| STelnet | TCP | 22 |
| Telnet | TCP | 23 |
| HTTPS | TCP | 443 |
| HTTP | TCP | 80 |
Login Failure Due to Account Lockout
Symptom
A login failure message is displayed.
Involved Products
AC, Fat AP, and cloud AP
Login Mode
- Network port
- Management SSID
- Bluetooth serial port
- Console port
Possible Causes
- The account is locked because the number of consecutive login failures exceeds the threshold.
- The account is manually locked.
Troubleshooting Procedure
Assume that this problem occurs when you log in to the device using the account user01.
- Log in to the device using another account or method.
- Query the status of the account that fails to log in.
    <Huawei> display local-user username user01
    ...
    State : block   //Account state. active indicates that the account is activated, and block indicates that the account is locked.
    ...
If the value of State is block, the account is locked. Run the following commands to activate the account:
    <Huawei> system-view
    [Huawei] aaa
    [Huawei-aaa] local-user user01 state active
Login Failure Due to Insufficient Account Permission
Symptom
A login failure message is displayed.
Involved Products
AC, Fat AP, and cloud AP
Login Mode
- Network port
- Management SSID
- Bluetooth serial port
- Console port
Possible Causes
The local account does not support the access type.
Troubleshooting Procedure
Assume that this problem occurs when the account user01 is used to log in to the device through a web browser.
- Log in to the device using another account or method.
- Query the access types supported by the account that fails to log in.
    <Huawei> display local-user username user01
    ...
    Service-type-mask : TS   //Access type. Common access types include A (all types), T (Telnet), S (STelnet), H (HTTP), and M (Console).
    ...
If Service-type-mask does not contain the specified access type, add the access type as required.
    <Huawei> system-view
    [Huawei] aaa
    [Huawei-aaa] local-user user01 service-type http
The common command format is local-user username service-type { ssh | telnet | http | terminal }, where terminal indicates the console login mode.
Login Failure Because the Number of Concurrent Login Sessions Using an Account Reaches the Upper Limit
Symptom
A login failure message is displayed.
Involved Products
AC, Fat AP, and cloud AP
Login Mode
- Network port
- Management SSID
- Bluetooth serial port
- Console port
Possible Causes
The number of concurrent logins reaches the upper limit.
Troubleshooting Procedure
Assume that this problem occurs when you log in to the device using the account user01.
- Log in to the device using another account or method.
- Query detailed information about the account that fails to log in, and then handle the problem accordingly.
    <Huawei> display local-user username user01
    ...
    Access-limit : Yes   //Whether to limit the number of access accounts.
    Access-limit-max : 3   //Maximum number of access accounts.
    Accessed-num : 3   //Current number of access accounts.
    ...
If the value of Access-limit is Yes, the number of access sessions using an account is limited. When the number of access sessions using an account reaches the upper limit, the account cannot be used to log in to new sessions.
You can run the following commands to change the maximum number of sessions allowed for an account so that the account can be used to log in to more sessions.
    <Huawei> system-view
    [Huawei] aaa
    [Huawei-aaa] local-user user01 access-limit 4
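The three account-related cases above (lockout, insufficient permission, and the concurrent session limit) are all diagnosed from the same display local-user output, so one parser can check them together. The following Python code is an added example, not part of the original documentation; it reads only the fields quoted on this page, the sample output is constructed, and the function names and cause strings are hypothetical.

```python
# Added example: triage of "display local-user username <name>" output.
# Only the fields quoted on the page are read; SAMPLE is constructed text.
import re

# Access-type letters as listed on the page (A means all types).
MASK_LETTER = {"telnet": "T", "stelnet": "S", "http": "H", "console": "M"}

def parse_fields(output):
    """Map 'Name : value' lines to a dict, dropping trailing //comments."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Za-z-]+)\s*:\s*(.*?)\s*(?://.*)?$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def diagnose(output, access_type):
    """Return the login-failure causes from the page that the output supports."""
    f = parse_fields(output)
    causes = []
    if f.get("state", "").lower() == "block":
        causes.append("account locked")
    if "service-type-mask" in f:
        mask = f["service-type-mask"]
        if "A" not in mask and MASK_LETTER[access_type] not in mask:
            causes.append("access type not permitted")
    if f.get("access-limit", "").lower() == "yes":
        if int(f.get("accessed-num", "0")) >= int(f.get("access-limit-max", "0")):
            causes.append("concurrent session limit reached")
    return causes

# Constructed sample combining the three conditions shown on the page.
SAMPLE = """\
<Huawei> display local-user username user01
...
State             : block   //Account state.
Service-type-mask : TS
Access-limit      : Yes
Access-limit-max  : 3
Accessed-num      : 3
...
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "http"))
```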