Common HTTP-based External Portal Authentication Failures
- After a User Enters the Account and Password on the Portal Page, the Device Login URL Is Not Displayed or an Incorrect Device Login URL Is Displayed
- After a User Enters the Account and Password on the Portal Page, the Page Is Redirected to the Device Login URL, but a Timeout Message Is Displayed
- The Device Login URL Is Displayed, but a Security Alarm Is Displayed
- The Device Login URL Is Displayed, but the Authentication Fails
- The STA Uses the Get Mode for URL Submission, but the Device Does Not Support This Mode
- The User Name or Password Is Not Carried in the User Name or Password Request Submitted by a STA, or the Identification Keywords of the User Name and Password Do Not Match
- The RADIUS Server Returns an Access-Reject Packet
- The RADIUS Server Does Not Respond
- RADIUS Authorization Data Check Fails
- NAT Is Deployed Between the Device and STA
After a User Enters the Account and Password on the Portal Page, the Device Login URL Is Not Displayed or an Incorrect Device Login URL Is Displayed
Symptom
The Cisco ISE server and the Aruba ClearPass server are used as examples.
- Cisco ISE server: A user enters the user name and password on the Portal authentication page and clicks Sign On. After the user clicks Continue, the success page is displayed, but the device login URL is not displayed. In this case, check the user status on the device. The user is still in Pre-authen state.
- Aruba ClearPass server: After a user enters the user name and password on the Portal authentication page and clicks Log In, the URL https://12.12.12.76:8080/login is displayed, which is not the correct device login URL.
Possible Causes
- If the device login URL is not displayed, the Portal server does not know the device login URL because it has not been configured.
- If an incorrect device login URL is displayed, the device login URL is incorrectly configured.
Solution
The configuration method for the device login URL varies depending on the Portal server. In most cases, the following two methods are available:
- Method 1: Configure the device login URL on the Portal server.
This method applies to the Aruba ClearPass server. For other servers, server-side support is required. The following uses the Aruba ClearPass server as an example.
- Log in to the Aruba ClearPass server.
- Open a browser and enter the access address of the Aruba ClearPass server in the address box, which is in the format of https://Aruba ClearPass IP. Aruba ClearPass IP indicates the IP address of the Aruba ClearPass server. Press Enter.
- Click ClearPass Guest.
- On the displayed page, enter the user name and password to log in to the Aruba ClearPass server.
- Configure the authentication page.
Choose Configuration > Pages > Web Logins, select the created network login page, and click Edit. On the page that is displayed, set the device login URL in Submit URL.
- Method 2: Set the URL for logging in to the device.
The Cisco ISE server supports the device login URL configuration by setting the URL parameter on the device.
Configure the parameter login-url in the URL template.
[HUAWEI] url-template name url_test
[HUAWEI-url-template-url_test] url-parameter login-url switch_url https://12.12.12.76:8443/login
The device login URL is in the format of http(s)://ip:port/login. The protocol type and port number are determined by the portal web-authen-server command. The IP address can be any local IP address of the AC. Subsequently, you need to configure the authentication-free rule for this IP address and ensure that the STA can communicate with this IP address.
Enable Portal interconnection of the HTTP or HTTPS protocol.
[HUAWEI] portal web-authen-server https ssl-policy default_policy port 8443 //Set the protocol to HTTPS and the port number to 8443.
[HUAWEI] portal web-authen-server http port 8000 //Set the protocol to HTTP and the port number to 8000.
After a User Enters the Account and Password on the Portal Page, the Page Is Redirected to the Device Login URL, but a Timeout Message Is Displayed
After a user enters the user name and password on the Portal authentication page, the device login URL is displayed, but the system displays a message indicating that the website cannot be accessed, with a message "ERR_CONNECTION_TIMED_OUT".
The cause for this problem is that the STA cannot access the device login URL. Perform the following steps to locate the fault:
- Check whether the device is configured with an authentication-free rule for the IP address corresponding to the device login URL.
When a STA accesses the device login URL, the STA has not been authenticated. Therefore, the IP address corresponding to the device login URL needs to be bypassed in the authentication-free rule.
- Check whether the route between the STA and the device login URL is reachable.
Ping the IP address corresponding to the device login URL from the STA gateway to check whether the route is reachable. If not, check the route configuration.
The Device Login URL Is Displayed, but a Security Alarm Is Displayed
After a user enters the user name and password on the Portal authentication page, the device login URL is displayed, but a security alarm is displayed, indicating that your connection is not private.
The cause for this problem is that the device is configured with HTTPS-based Portal interconnection and uses the preset certificate instead of the certificate issued by an authorized organization. As a result, the browser detects that the device certificate is invalid. You can use either of the following methods:
- Configure HTTP-based Portal interconnection.
- Purchase a valid certificate and import it to the device. Configure the device login URL as a domain name rather than an IP address, and ensure that the DNS server can resolve that domain name. For details about how to import a certificate, see The "Connect to Wi-Fi" Page Is Always Displayed on the Chrome Browser.
The Device Login URL Is Displayed, but the Authentication Fails
The STA Uses the Get Mode for URL Submission, but the Device Does Not Support This Mode
Run the debugging web all command. The command output shows that the GET request from the STA is received, and the message "Http method is GET, but web server config not permit GET: web server index[1], permit get flag[0]." is displayed.
[AC6605_8_76] Nov 30 2020 11:08:55.673.1+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Web receive http msg.
[AC6605_8_76] Nov 30 2020 11:08:55.673.2+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Web http msg accept.
[AC6605_8_76] Nov 30 2020 11:08:55.673.3+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] Src:User Event:Accept HTTP connect(IP:200.1.1.64 , PORT:49691 , RequestId:1119302816.)
[AC6605_8_76] Nov 30 2020 11:08:55.673.4+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] [WEB RecvHttp] Userip = 200.1.1.64,UserVrf = 0.
[AC6605_8_76] Nov 30 2020 11:08:55.673.5+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Method:GET
[AC6605_8_76] Nov 30 2020 11:08:55.673.6+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] HTTP Version:HTTP/1.1
[AC6605_8_76] Nov 30 2020 11:08:55.673.7+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Http Version:HTTP/1.1
[AC6605_8_76] Nov 30 2020 11:08:55.673.8+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1119302816, Field:Content-Length, ret:1
[AC6605_8_76] Nov 30 2020 11:08:55.673.9+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1119302816, Field:If-Modified-Since, ret:1
[AC6605_8_76] Nov 30 2020 11:08:55.673.10+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1119302816, Field:Cookie, ret:1
[AC6605_8_76] Nov 30 2020 11:08:55.673.11+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1119302816, Field:Referer, ret:1
[AC6605_8_76] Nov 30 2020 11:08:55.673.12+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1119302816, Field:Host, ret:1
[AC6605_8_76] Nov 30 2020 11:08:55.673.13+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Find Sta Mac By Ip(0xc8010140) From AC Snooping Table!
[AC6605_8_76] Nov 30 2020 11:08:55.673.14+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Get Sta Info(IfIndex = 2466349056, StaVlan = 200, CeVLAN = 0, MAC = 5cd9-98bc-034c) By Ip(0xc8010140) Success!
[AC6605_8_76] Nov 30 2020 11:08:55.673.15+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get user access L3IfIndex[38] by vlan[200]
[AC6605_8_76] Nov 30 2020 11:08:55.673.16+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get receive ifindex[2466349056].
[AC6605_8_76] Nov 30 2020 11:08:55.673.17+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get user ifindex[2466349056], L3IfIndex[38], VID[200].
[AC6605_8_76] Nov 30 2020 11:08:55.673.18+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] [WEB Get Server Index By IfIndex] IfIndex is 38, L2IfIndex is 2466349056.
[AC6605_8_76] Nov 30 2020 11:08:55.673.19+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] [WEB Get Server Index By IfIndex] Server Index is 1, User IfIndex is 2466349056.
[AC6605_8_76] Nov 30 2020 11:08:55.673.20+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] Http method is GET, but web server config not permit GET: web server index[1], permit get flag[0].
[AC6605_8_76] Nov 30 2020 11:08:55.683.1+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] Get body fail.
The cause for this problem is that the STA submits the user name and password to the device in GET mode, but by default the device accepts only the HTTP POST mode. POST is also the recommended mode, because GET mode places the password in the URL and may cause it to leak.
Enable the function of allowing user name and password information submission to the device in GET mode in the Portal server template.
[HUAWEI] web-auth-server portal_test
[HUAWEI-web-auth-server-portal_test] http get-method enable
The User Name or Password Is Not Carried in the User Name or Password Request Submitted by a STA, or the Identification Keywords of the User Name and Password Do Not Match
Run the debugging web all command. The command output shows that the GET request from the STA is received, and the message "[WEB HTTP SendAuthMsg] No user name[]." or "[WEB HTTP SendAuthMsg] No password." is displayed.
[AC6605_8_76] Dec 01 2020 14:13:37.71.1+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Web receive http msg.
[AC6605_8_76] Dec 01 2020 14:13:37.71.2+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Web http msg accept.
[AC6605_8_76] Dec 01 2020 14:13:37.71.3+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] Src:User Event:Accept HTTP connect(IP:200.1.1.64 , PORT:56870 , RequestId:1093830080.)
[AC6605_8_76] Dec 01 2020 14:13:37.71.4+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] [WEB RecvHttp] Userip = 200.1.1.64,UserVrf = 0.
[AC6605_8_76] Dec 01 2020 14:13:37.71.5+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Method:GET
[AC6605_8_76] Dec 01 2020 14:13:37.71.6+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] HTTP Version:HTTP/1.1
[AC6605_8_76] Dec 01 2020 14:13:37.71.7+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Http Version:HTTP/1.1
[AC6605_8_76] Dec 01 2020 14:13:37.71.8+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1093830080, Field:Content-Length, ret:1
[AC6605_8_76] Dec 01 2020 14:13:37.71.9+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1093830080, Field:If-Modified-Since, ret:1
[AC6605_8_76] Dec 01 2020 14:13:37.71.10+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1093830080, Field:Cookie, ret:1
[AC6605_8_76] Dec 01 2020 14:13:37.71.11+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1093830080, Field:Referer, ret:1
[AC6605_8_76] Dec 01 2020 14:13:37.71.12+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:1093830080, Field:Host, ret:1
[AC6605_8_76] Dec 01 2020 14:13:37.71.13+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Find Sta Mac By Ip(0xc8010140) From AC Snooping Table!
[AC6605_8_76] Dec 01 2020 14:13:37.71.14+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Get Sta Info(IfIndex = 2466349057, StaVlan = 200, CeVLAN = 0, MAC = 5cd9-98bc-034c) By Ip(0xc8010140) Success!
[AC6605_8_76] Dec 01 2020 14:13:37.71.15+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get user access L3IfIndex[38] by vlan[200]
[AC6605_8_76] Dec 01 2020 14:13:37.71.16+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get receive ifindex[2466349057].
[AC6605_8_76] Dec 01 2020 14:13:37.71.17+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get user ifindex[2466349057], L3IfIndex[38], VID[200].
[AC6605_8_76] Dec 01 2020 14:13:37.71.18+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] [WEB Get Server Index By IfIndex] IfIndex is 38, L2IfIndex is 2466349057.
[AC6605_8_76] Dec 01 2020 14:13:37.71.19+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] [WEB Get Server Index By IfIndex] Server Index is 1, User IfIndex is 2466349057.
[AC6605_8_76] Dec 01 2020 14:13:37.71.20+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Read get info: read length[146].
[AC6605_8_76] Dec 01 2020 14:13:37.71.1+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] Str[] invalid.
[AC6605_8_76] Dec 01 2020 14:13:37.71.2+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Decode request info: CMD[login], user name[], MAC[0000-0000-0000], IP[0.0.0.0], URL[].
[AC6605_8_76] Dec 01 2020 14:13:37.71.3+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] [WEB HTTP SendAuthMsg] No user name[].
[AC6605_8_76] Dec 01 2020 14:13:37.71.4+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] Send Auth Msg Fail, Stop Proc LoginReq.
[AC6605_8_76] Dec 01 2020 14:13:37.71.5+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] Decode request info fail.
[AC6605_8_76] Dec 01 2020 14:43:55.366.1+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Web receive http msg.
[AC6605_8_76] Dec 01 2020 14:43:55.366.2+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Web http msg accept.
[AC6605_8_76] Dec 01 2020 14:43:55.366.3+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] Src:User Event:Accept HTTP connect(IP:200.1.1.64 , PORT:57230 , RequestId:669981044.)
[AC6605_8_76] Dec 01 2020 14:43:55.366.4+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] [WEB RecvHttp] Userip = 200.1.1.64,UserVrf = 0.
[AC6605_8_76] Dec 01 2020 14:43:55.366.5+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Method:GET
[AC6605_8_76] Dec 01 2020 14:43:55.366.6+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] HTTP Version:HTTP/1.1
[AC6605_8_76] Dec 01 2020 14:43:55.366.7+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Http Version:HTTP/1.1
[AC6605_8_76] Dec 01 2020 14:43:55.366.8+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:669981044, Field:Content-Length, ret:1
[AC6605_8_76] Dec 01 2020 14:43:55.366.9+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:669981044, Field:If-Modified-Since, ret:1
[AC6605_8_76] Dec 01 2020 14:43:55.366.10+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:669981044, Field:Cookie, ret:1
[AC6605_8_76] Dec 01 2020 14:43:55.366.11+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:669981044, Field:Referer, ret:1
[AC6605_8_76] Dec 01 2020 14:43:55.366.12+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] WEB Get Header Value, RequestId:669981044, Field:Host, ret:1
[AC6605_8_76] Dec 01 2020 14:43:55.366.13+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Find Sta Mac By Ip(0xc8010140) From AC Snooping Table!
[AC6605_8_76] Dec 01 2020 14:43:55.366.14+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Get Sta Info(IfIndex = 2466349057, StaVlan = 200, CeVLAN = 0, MAC = 5cd9-98bc-034c) By Ip(0xc8010140) Success!
[AC6605_8_76] Dec 01 2020 14:43:55.366.15+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get user access L3IfIndex[38] by vlan[200]
[AC6605_8_76] Dec 01 2020 14:43:55.366.16+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get receive ifindex[2466349057].
[AC6605_8_76] Dec 01 2020 14:43:55.366.17+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Get user ifindex[2466349057], L3IfIndex[38], VID[200].
[AC6605_8_76] Dec 01 2020 14:43:55.366.18+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] [WEB Get Server Index By IfIndex] IfIndex is 38, L2IfIndex is 2466349057.
[AC6605_8_76] Dec 01 2020 14:43:55.366.19+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] [WEB Get Server Index By IfIndex] Server Index is 1, User IfIndex is 2466349057.
[AC6605_8_76] Dec 01 2020 14:43:55.366.20+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Read get info: read length[140].
[AC6605_8_76] Dec 01 2020 14:43:55.366.1+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] Str[] invalid.
[AC6605_8_76] Dec 01 2020 14:43:55.366.2+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Msg] Decode request info: CMD[login], user name[test], MAC[0000-0000-0000], IP[0.0.0.0], URL[].
[AC6605_8_76] Dec 01 2020 14:43:55.366.3+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] [WEB HTTP SendAuthMsg] No password.
[AC6605_8_76] Dec 01 2020 14:43:55.366.4+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Evt] Send Auth Msg Fail, Stop Proc LoginReq.
[AC6605_8_76] Dec 01 2020 14:43:55.366.5+08:00 AC6605_8_76 WEB/7/DEBUG: [Web-Err] Decode request info fail.
When a STA submits the user name and password to the device in POST or GET mode, the user name and password must both be carried, and the identification keywords of the user name and password must be the same as those configured on the device.
- When the STA submits the user name and password to the device in GET mode, the user name and password are displayed in the URL, as shown in the following figure.
If the device login URL uses the HTTP protocol, capture packets on the STA to confirm the user name and password submitted to the device.
- When the STA submits the user name and password to the device in POST mode, and the device login URL uses the HTTP protocol, capture packets on the STA to confirm the user name and password submitted to the device.
In the preceding example, the identification keywords for the user name and password are username and password, respectively. If no user name or password is available, confirm the root cause on the Portal server. If the user name or password identification keyword is inconsistent with that on the device, change them on the Portal server or on the device. The configuration method is as follows:
- Change the user name and password identification keywords on the Portal server.
The following uses the Aruba ClearPass server as an example. (For other servers, server-side support is required.)
- Log in to the Aruba ClearPass server.
- Open a browser and enter the access address of the Aruba ClearPass server in the address box, which is in the format of https://Aruba ClearPass IP. Aruba ClearPass IP indicates the IP address of the Aruba ClearPass server. Press Enter.
- Click ClearPass Guest.
- On the displayed page, enter the user name and password to log in to the Aruba ClearPass server.
- Configure the authentication page.
Choose Configuration > Pages > Web Logins, select the created network login page, and click Edit. On the page that is displayed, set the user name and password identification keywords in Username Field and Password Field, respectively.
- Change the user name and password identification keywords on the device.
Configure parameters for POST/GET request packets of the HTTP or HTTPS protocol in the Portal server template.
By default, the identification keywords for the user name and password are username and password, respectively.
[HUAWEI] web-auth-server portal_test
[HUAWEI-web-auth-server-portal_test] http-method post username-key username password-key password
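The checks the device applies to a login submission, as an added Python example that is not from the Huawei documentation. It models both the GET-mode refusal described in the previous section and the missing user name / password keyword failures described in this one; the WebAuthServer class, the sample requests and all function names are constructed for illustration.

```python
"""Added example (not from the Huawei documentation): model the device-side
checks that produce "web server config not permit GET", "No user name[]" and
"No password." when a STA submits the Portal login to the device login URL.
WebAuthServer, the sample requests and all function names are constructed."""
from urllib.parse import parse_qs, urlsplit


class WebAuthServer:
    """Constructed model of the relevant Portal server template settings.

    get_method_enabled mirrors `http get-method enable` (off by default);
    username_key / password_key mirror
    `http-method post username-key <key> password-key <key>`
    (defaults: username / password)."""

    def __init__(self, get_method_enabled=False,
                 username_key="username", password_key="password"):
        self.get_method_enabled = get_method_enabled
        self.username_key = username_key
        self.password_key = password_key


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def check_login_submission(raw, server):
    """Return ("ok", user_name) or ("error", reason), with reasons worded
    like the `debugging web all` output quoted in this section."""
    method, target, headers, body = parse_http_request(raw)
    if method == "GET":
        # GET carries the credentials in the URL, which is why the device
        # refuses it unless `http get-method enable` is configured.
        if not server.get_method_enabled:
            return "error", "Http method is GET, but web server config not permit GET"
        params = parse_qs(urlsplit(target).query)
    elif method == "POST":
        ctype = headers.get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            return "error", "Get body fail"
        params = parse_qs(body)
    else:
        return "error", "unsupported method %s" % method
    # parse_qs drops empty values, so "password=" counts as missing.
    user_name = params.get(server.username_key, [""])[0]
    password = params.get(server.password_key, [""])[0]
    if not user_name:
        return "error", "[WEB HTTP SendAuthMsg] No user name[]."
    if not password:
        return "error", "[WEB HTTP SendAuthMsg] No password."
    return "ok", user_name


# Constructed sample submissions (not captured traffic). The Host matches the
# HTTP port configured earlier on this page (portal web-authen-server http port 8000).
GET_LOGIN = ("GET /login?username=test&password=Pa55 HTTP/1.1\r\n"
             "Host: 12.12.12.76:8000\r\n\r\n")
GET_NO_PASSWORD = ("GET /login?username=test HTTP/1.1\r\n"
                   "Host: 12.12.12.76:8000\r\n\r\n")
POST_LOGIN = ("POST /login HTTP/1.1\r\n"
              "Host: 12.12.12.76:8000\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n"
              "Content-Length: 27\r\n\r\n"
              "username=test&password=Pa55")
# The Portal page names its fields user/pwd, so the device's default keys
# (username/password) do not match and the user name is reported as missing.
POST_OTHER_KEYS = ("POST /login HTTP/1.1\r\n"
                   "Host: 12.12.12.76:8000\r\n"
                   "Content-Type: application/x-www-form-urlencoded\r\n"
                   "Content-Length: 18\r\n\r\n"
                   "user=test&pwd=Pa55")

if __name__ == "__main__":
    default = WebAuthServer()
    cases = [
        ("GET, default template", GET_LOGIN, default),
        ("GET, get-method enabled", GET_LOGIN, WebAuthServer(get_method_enabled=True)),
        ("GET without password", GET_NO_PASSWORD, WebAuthServer(get_method_enabled=True)),
        ("POST, default keys", POST_LOGIN, default),
        ("POST, keys differ from device", POST_OTHER_KEYS, default),
        ("POST, device keys changed", POST_OTHER_KEYS,
         WebAuthServer(username_key="user", password_key="pwd")),
    ]
    for label, raw, srv in cases:
        print("%-30s -> %s" % (label, check_login_submission(raw, srv)))
```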
The RADIUS Server Returns an Access-Reject Packet
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. The User online fail reason field displays Radius authentication reject.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domain_test
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32846
User login time : 2020/10/19 14:53:22
User online fail reason : Radius authentication reject
Authen reply message : ErrorReason is Incorrect user na...
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
Based on the service diagnosis function, trace the authentication process of the STA. It is found that the RADIUS server responds with an Access-Reject packet.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]: Received a authentication reject packet from radius server(server ip = 10.10.10.1).
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4
Server IP : 10.10.10.1 Server Port : 1812 Protocol: Standard
Code : 3 Len : 176 ID : 80
[EAP-Message ] [6 ] [04 22 00 04 ]
[State ] [16] [\001u?\237\372O]
[Reply-Message ] [116] [ErrorReason is Incorrect user name or password or Incorrect dataSource or Incorrect access device key.ErrCode:4101]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]:Send authentication reject message to AAA.
[BTRACE][2020/10/19 14:53:23][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_AUTHENREJECT message(51) from RADIUS module(235).
There are various causes for this problem, for example, the user name or password is incorrect, or the authorization policy fails to be matched. You can locate the root cause by checking server logs and adjust the server, terminal, or device configuration.
The RADIUS Server Does Not Respond
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, User online fail reason displays The radius server is up but has no reply or The radius server is not reachable.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domain_test
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32861
User login time : 2020/10/19 17:01:02
User online fail reason : The radius server is up but has no reply
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domain_test
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32865
User login time : 2020/10/19 20:43:21
User online fail reason : The radius server is not reachable
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
Based on the service diagnosis function, trace the authentication process of the STA. It is found that the RADIUS server does not respond.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]: CID:51 TemplateNo:4 SerialNo:62 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:10.10.10.1 Vrf:0
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]:Radius server is up but no response.
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:8,reason is:Radius server is up but no response.
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]: CID:55 TemplateNo:4 SerialNo:69 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:10.10.10.1 Vrf:0
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]:Radius authentication has no response.
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:7,reason is:Radius authentication has no response.
Troubleshoot the fault as follows:
- Check whether the device IP address is correctly added to the RADIUS server.
If not, add the correct IP address of the device to the RADIUS server.
- If the IP address of the device is correctly added to the RADIUS server, check whether the IP address of the device is the same as the source IP address of RADIUS authentication request packets sent by the device.
You can run the corresponding command to configure the source IP address of RADIUS authentication request packets sent by the device. If the source IP address is not configured using the command, the IP address of the outbound interface in the route is used. If the IP address of the device added to the RADIUS server is the same as the IP address of the outbound interface in the route, you do not need to configure the source IP address for communicating with the RADIUS server on the device. If they are not the same, run the corresponding command to configure the source IP address.
- Search the routing table for the outbound interface based on the IP address of the RADIUS server, and then determine the IP address based on the outbound interface. If the IP address of the device added to the RADIUS server is the same as the IP address of the outbound interface in the route, you do not need to run the command to configure the source IP address for communicating with the RADIUS server.
[HUAWEI] display ip routing-table 10.10.10.1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.10.10.0/24       Direct  0    0         D     10.10.10.76     Vlanif12
[HUAWEI] interface Vlanif 12
[HUAWEI-Vlanif12] display this
#
interface Vlanif12
 ip address 10.10.10.76 255.255.255.0
#
- If the IP address of the device added to the RADIUS server is different from the IP address of the outbound interface in the route, configure the source IP address for communicating with the RADIUS server on the device. The source IP address can be configured globally or in a RADIUS server template. The source IP address configured in a RADIUS server template takes precedence over that configured globally.
If wireless configuration synchronization is enabled in a VRRP HSB scenario, you can configure the source IP address for communicating with the RADIUS server only in the system view. In a single-device scenario, you are advised to configure the source IP address in the RADIUS server template.
Query the source IP address configured on the device for communicating with the RADIUS server.
- Check whether the source IP address for communicating with the RADIUS server is configured globally.
[HUAWEI] display radius-server configuration
------------------------------------------------------
Global:
Radius Server Source IP Address : -
Radius Server Source IPv6 Address : ::
Radius Attribute Nas IP Address : -
Radius Attribute Nas IPv6 Address : ::
------------------------------------------------------
[HUAWEI] display radius-server configuration
------------------------------------------------------
Global:
Radius Server Source IP Address : 100.1.1.1
Radius Server Source IPv6 Address : ::
Radius Attribute Nas IP Address : -
Radius Attribute Nas IPv6 Address : ::
------------------------------------------------------
If Radius Server Source IP Address displays -, no source IP address is configured globally. If a specific IP address is displayed, the source IP address is configured globally.
- Check whether the source IP address for communicating with the RADIUS server is configured in the RADIUS server template.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] display this
#
radius-server template radius_test
 radius-server shared-key cipher %^%#x\[y<Fe^2Dee<5/L>B5Wd"!3GqH6,@[kW(Xi6PYA%^%#
 radius-server authentication 10.10.10.1 1812 source ip-address 100.1.1.1 weight 80
 radius-server accounting 10.10.10.1 1813 source ip-address 100.1.1.1 weight 80
#
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] display this
#
radius-server template radius_test
 radius-server shared-key cipher %^%#x\[y<Fe^2Dee<5/L>B5Wd"!3GqH6,@[kW(Xi6PYA%^%#
 radius-server authentication 10.10.10.1 1812 source Vlanif 100 weight 80
 radius-server accounting 10.10.10.1 1813 source Vlanif 100 weight 80
If source ip-address or source Vlanif is displayed next to the authentication or accounting server in the RADIUS server template, the source IP address is configured in the RADIUS server template.
Configure the source IP address for communicating with the RADIUS server.
- Configure the source address for communicating with the RADIUS server in the system view.
[HUAWEI] radius-server source ip-address 100.1.1.1
- Configure the source IP address for communicating with the RADIUS server in the RADIUS template.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server authentication 10.10.10.1 1812 source ip-address 100.1.1.1
- Check whether the link between the device and RADIUS server is normal.
- Ping the server from the specified source IP address on the device to check whether the route is reachable.
[HUAWEI] ping -a 10.10.10.76 10.10.10.1
- Capture packets on the device and server to check whether authentication packets are sent and received normally. A common cause is that a firewall on the intermediate network does not permit RADIUS packets (default authentication port: UDP 1812).
- Check whether the RADIUS server status is normal. If STState does not display STState-up, the RADIUS server status is abnormal.
[HUAWEI] display radius-server item template radius_test
---------------------------------------------------------------
STState = STState-up
STChgTime = -
Type = auth-server
State = state-up
AlarmFlag = false
STUseNum = 1
IPAddress = 10.10.10.76
AlarmTimer = 0xffffffff
Head = 10274
Tail = 10273
ProbeID = 255
---------------------------------------------------------------
- Check whether the shared key configured on the device is the same as that on the RADIUS server. You can run the test-aaa command and enable RADIUS debugging. If Authenticator error is displayed in the debugging information, the shared keys configured on the device and RADIUS server are inconsistent. In this case, change the shared keys on the device and RADIUS server to be the same.
[HUAWEI] test-aaa test test radius-template radius_test
[HUAWEI] Oct 24 2020 15:57:49.591.1+08:00 AC6605_129_76 RDS/7/DEBUG: RADIUS packet: IN (TotalLen=20)
Len 1 ~ 20: 02 08 00 14 F6 DA 06 57 40 25 32 2A A9 70 6E FD 46 F6 B1 25
[HUAWEI] Oct 24 2020 15:57:49.591.2+08:00 AC6605_129_76 RDS/7/DEBUG: [RDS(Err):] Receive a illegal packet(Authenticator error), please check share key config.(ip:10.10.10.1 port:1812)
You can configure a shared key for a specified RADIUS server in the system view or in the RADIUS server template view. The shared key configured in the system view takes precedence over that configured in the RADIUS server template view.
You are advised to configure the shared key in the RADIUS server template. If the shared key is configured in both the system and template, you are advised to delete the global configuration and retain only the configuration in the template.
Configure a shared key in the RADIUS server template.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server shared-key cipher huawei@123
Configure a shared key of the RADIUS server globally.
[HUAWEI] radius-server ip-address 10.10.10.1 shared-key cipher huawei@123
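The Authenticator error above is the device failing the RFC 2865 Response Authenticator check, which binds every RADIUS reply to the shared key: a reply made with a different key is well-formed but its 16-byte authenticator does not match. The following Python is an added example by the editor, not code from the page or the product; it reproduces that check on a reply shaped like the 20-byte Access-Accept in the debugging output (Code 2, ID 8, no attributes), using the key huawei@123 configured above and a constructed request authenticator.

```python
"""Verify the Response Authenticator of a RADIUS reply (RFC 2865, section 3).
A reply built with a different shared key fails this check, which is what the
device reports as "Authenticator error". Editor's example; the request
authenticator is constructed, the key is the one configured on the page."""
import hashlib
import hmac

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret) -> bytes:
    """Assemble a reply the way a server does: header, authenticator, attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply is well-formed and was made with the same shared key."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])   # constant-time comparison

# Constructed request authenticator; the real one is 16 random octets per request.
REQUEST_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_KEY = b"huawei@123"           # key configured on the RADIUS server side

def demo() -> dict:
    """Same 20-byte Access-Accept shape as the trace (Code 2, ID 8, no attributes)."""
    reply = build_reply(2, 8, b"", REQUEST_AUTH, SERVER_KEY)
    return {"matching_key": verify_reply(reply, REQUEST_AUTH, b"huawei@123"),
            "mismatched_key": verify_reply(reply, REQUEST_AUTH, b"Huawei@123")}
```

A single case difference in the key is enough to fail the check, which is why the page insists the two sides be configured identically.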
RADIUS Authorization Data Check Fails
Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, the User online fail reason field displays Authorization data error.
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name : test
Domain name : domaintest
User MAC : 64e5-99f3-18f6
User access type : 802.1x
User access interface : Wlan-Dbss17496
Qinq vlan/User vlan : 0/200
User IP address : -
User IPV6 address : -
User ID : 32873
User login time : 2020/10/24 16:32:34
User online fail reason : Authorization data error
Authen reply message : -
User name to server : test
AP ID : 0
Radio ID : 0
AP MAC : 18de-d777-c120
SSID : dot1x_test
----------------------------------------------------------------
The cause is that the RADIUS server grants related permissions (such as VLAN or ACL) but the corresponding authorization content is not configured on the device. For example, the authorization VLAN or authorization ACL is not created.
Use the service diagnosis function to trace the online authentication process of the terminal user. The authorization content delivered by the RADIUS server is displayed.
[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
- Authorization VLAN check failure
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]: Received a authentication accept packet from radius server(server ip = 12.12.12.1).
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4 Server IP : 12.12.12.1 Server Port : 1812 Protocol: Standard
Code : 2 Len : 194 ID : 194
[Tunnel-Type ] [6 ] [13]
[Tunnel-Medium-Type ] [6 ] [6]
[Tunnel-Private-Group-ID ] [6 ] [201]
[EAP-Message ] [6 ] [03 4a 00 04 ]
[State ] [16] [\001uY\311\025N]
[MS-MPPE-Send-Key ] [52] [fb a1 e9 55 16 62 a3 e5 da 35 fc ce 3e 8f ae 7d ac 0a d6 0b 20 59 ad 82 a8 66 88 06 6a 81 10 82 61 95 2e cf 44 50 c0 79 e5 3f a4 32 43 45 a5 9e 2b c4 ]
[MS-MPPE-Recv-Key ] [52] [fb a1 e9 65 b1 18 6d 60 8f 0a ed af 53 1e 26 8a e6 18 9d 26 8c 21 c8 4f c2 8a 6a d5 a8 85 8a 9d ba d8 be 8d 97 b8 b8 d3 24 04 21 23 90 71 33 35 f4 6b ]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/24 16:48:14][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: CID:57 TemplateNo:4 SerialNo:73 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:12.12.12.1 Vrf:0 SessionTimeout:0 IdleTimeout:0 AcctInterimInterval:0 RemanentVolume:0 InputPeakRate:0 InputAverageRate:0 OutputPeakRate:0 OutputAverageRate:0 InputBasicRate:0 OutputBasicRate:0 InputPBS:0 OutputPBS:0 Priority:[0,0] DNS:[0.0.0.0, 0.0.0.0] ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0 LoginIpHost:0 NextHop:0 EapLength:4 ReplyMessage: TunnelType:13 MediumType:6 PrivateGroupID:201 WlanReasonCode:0
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]AAA check authen ack, check VLANID error!
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
[BTRACE][2020/10/24 16:48:14][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.
Precautions for authorization VLANs:
For the authorization VLAN, several RADIUS attributes need to be delivered together. The RADIUS No. 64 attribute (Tunnel-Type) must be delivered with the fixed value 13, indicating the VLAN protocol. The RADIUS No. 65 attribute (Tunnel-Medium-Type) has the fixed value 6, indicating the Ethernet type. The RADIUS No. 81 attribute (Tunnel-Private-Group-ID) carries the VLAN itself; authorization can be performed based on the VLAN ID, VLAN description, VLAN name, or VLAN pool. The order in which authorization takes effect is: VLAN ID > VLAN description > VLAN name > VLAN pool.
- Authorization ACL check failure
Received a authentication accept packet from radius server(server ip = 12.12.12.1).
[BTRACE][2020/10/24 16:52:19][6144][RADIUS][64e5-99f3-18f6]: Server Template: 4 Server IP : 12.12.12.1 Server Port : 1812 Protocol: Standard
Code : 2 Len : 182 ID : 205
[Filter-Id ] [6 ] [3000]
[EAP-Message ] [6 ] [03 4c 00 04 ]
[State ] [16] [\001uY\314\321\003]
[MS-MPPE-Send-Key ] [52] [bd ce 7f 1d bf 78 33 d4 6c 45 d8 d0 1b f7 ee d2 02 16 7a ac fd 62 25 88 f7 84 7a 22 44 d8 01 8a 99 a3 33 66 7d 47 e9 a7 ed 88 d5 01 f8 62 4f 9d cd 56 ]
[MS-MPPE-Recv-Key ] [52] [bd ce 7f 54 6f 27 35 d1 01 5c f1 5e aa e8 27 91 c7 8b 89 2f 06 8f ac 46 13 5c 92 78 ec cf 39 aa dc bb f8 ff b1 b8 5c 42 6b f8 ca 80 76 b1 e8 35 c9 ed ]
[Message-Authenticator ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/24 16:52:19][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: CID:58 TemplateNo:4 SerialNo:75 SrcMsg:AAA_RD_MSG_AUTHENREQ PriyServer::: Vrf:0 SendServer:12.12.12.1 Vrf:0 SessionTimeout:0 IdleTimeout:0 AcctInterimInterval:0 RemanentVolume:0 InputPeakRate:0 InputAverageRate:0 OutputPeakRate:0 OutputAverageRate:0 InputBasicRate:0 OutputBasicRate:0 InputPBS:0 OutputPBS:0 Priority:[0,0] DNS:[0.0.0.0, 0.0.0.0] ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0 LoginIpHost:0 NextHop:0 EapLength:4 ReplyMessage: TunnelType:0 MediumType:0 PrivateGroupID: ACLID:3000 WlanReasonCode:0
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]AAA check radius authen ack, check acl error!
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
[BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]: [AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.
Precautions for authorization ACLs: In wireless scenarios, the authorization ACL ID ranges from 3000 to 3031, and the maximum rule ID in the ACL is 64.
Troubleshoot the fault as follows:
- Check whether the corresponding authorization is required.
- If authorization is required, create the authorization content on the device: for an authorization VLAN, create the corresponding VLAN; for an authorization ACL, create the corresponding ACL and configure its rules.
- If authorization is not required, you can modify the authorization policy on the RADIUS server to delete the corresponding authorization content. You can also run the following command to configure the device to ignore the corresponding authorization content:
Ignore the authorization VLAN.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server attribute translate
[HUAWEI-radius-radius_test] radius-attribute disable Tunnel-Private-Group-ID receive
Ignore the authorization ACL.
[HUAWEI] radius-server template radius_test
[HUAWEI-radius-radius_test] radius-server attribute translate
[HUAWEI-radius-radius_test] radius-attribute disable Filter-Id receive
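Both failures traced above ("check VLANID error" and "check acl error") come down to the same step: the device parses the Access-Accept attributes and compares them with what exists locally. The Python below is an added example by the editor, not code from the page or the product; it parses the attribute list and applies the VLAN triple (64/65/81 with the fixed values 13 and 6) and Filter-Id checks with the 3000-3031 range given above, against constructed payloads shaped like the two traces.

```python
"""Parse the attributes of a RADIUS Access-Accept and apply the VLAN and ACL
authorization checks described above. Attribute numbers, fixed values and the
ACL range come from the page; the packets are constructed, not captured."""
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, FILTER_ID = 64, 65, 81, 11
VLAN_PROTOCOL, MEDIUM_802 = 13, 6     # fixed values for an authorization VLAN
WLAN_ACL_RANGE = range(3000, 3032)    # authorization ACL IDs in wireless scenarios
TAGGED = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def parse_attributes(data: bytes) -> dict:
    """Walk the Type/Length/Value list that follows the 20-byte RADIUS header."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        value = data[pos + 2:pos + alen]
        if atype in TAGGED and value[:1] <= b"\x1f":
            value = value[1:]     # RFC 2868 tunnel attributes carry a leading tag octet
        attrs[atype] = value
        pos += alen
    return attrs

def authorization_check(attrs: dict, vlans: set, acls: set) -> str:
    """Return '' when the accept can be applied, else the reason the device rejects it."""
    if TUNNEL_PRIVATE_GROUP_ID in attrs:
        ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b""), "big")
        medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b""), "big")
        if (ttype, medium) != (VLAN_PROTOCOL, MEDIUM_802):
            return "VLAN triple incomplete: Tunnel-Type=%d Tunnel-Medium-Type=%d" % (ttype, medium)
        group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if group not in vlans:    # matched by VLAN ID, description, name or pool
            return "check VLANID error: %r is not created on the device" % group
    if FILTER_ID in attrs:
        acl = attrs[FILTER_ID].decode("ascii", "replace")
        if not acl.isdigit() or int(acl) not in WLAN_ACL_RANGE:
            return "check acl error: %r is outside 3000-3031" % acl
        if int(acl) not in acls:
            return "check acl error: ACL %s is not created on the device" % acl
    return ""

def tlv(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

# Constructed payloads shaped like the two traces above (tag octet 0x00 included).
VLAN_ACCEPT = (tlv(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))
               + tlv(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))
               + tlv(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"201"))
ACL_ACCEPT = tlv(FILTER_ID, b"3000")
```

Calling authorization_check with an empty set of VLANs or ACLs reproduces the two errors in the traces; populating the sets, as the troubleshooting steps instruct, clears them.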
NAT Is Deployed Between the Device and STA
Run the debugging web all command. The command output shows that the device has received HTTP request packets from the STA, but the source IP address of packets is not the actual IP address of the STA. The message "[Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Can't Find Sta Mac By Ip(0xc0c0c4b) From AC Snooping Table!" is displayed.
<AC6605_8_76>
Dec 01 2020 17:33:14.947.1+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Web receive http msg.
<AC6605_8_76>
Dec 01 2020 17:33:14.947.2+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Web http msg accept.
<AC6605_8_76>
Dec 01 2020 17:33:14.947.3+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Evt] Src:User Event:Accept HTTP connect(IP:12.12.12.75 , PORT:10253 , RequestId:669978704.)
<AC6605_8_76>
Dec 01 2020 17:33:14.947.4+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] [WEB RecvHttp] Userip = 12.12.12.75,UserVrf = 0.
<AC6605_8_76>
Dec 01 2020 17:33:14.947.5+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Method:GET
<AC6605_8_76>
Dec 01 2020 17:33:14.947.6+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] HTTP Version:HTTP/1.1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.7+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Http Version:HTTP/1.1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.8+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] WEB Get Header Value, RequestId:669978704, Field:Content-Length, ret:1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.9+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] WEB Get Header Value, RequestId:669978704, Field:If-Modified-Since, ret:1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.10+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] WEB Get Header Value, RequestId:669978704, Field:Cookie, ret:1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.11+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] WEB Get Header Value, RequestId:669978704, Field:Referer, ret:1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.12+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] WEB Get Header Value, RequestId:669978704, Field:Host, ret:1
<AC6605_8_76>
Dec 01 2020 17:33:14.947.13+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Can't Find Sta Mac By Ip(0xc0c0c4b) From AC Snooping Table!
<AC6605_8_76>
Dec 01 2020 17:33:14.947.14+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Evt] WEBAdp FindOut AccessIf By IpVrf. Get IP information.(ulGwIpaddr=12.12.12.76,ulDstIpaddr=12.12.12.0, ulDstIpMask=255.255.255.0)
<AC6605_8_76>
Dec 01 2020 17:33:14.947.15+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Evt] Get ulNextHop.(ulNextHop=0xc0c0c4c)
<AC6605_8_76>
Dec 01 2020 17:33:14.947.16+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Err] WEBAdp FindOut AccessIf By IpVrf. Get Sta Info By Mac Failed!
<AC6605_8_76>
Dec 01 2020 17:33:14.947.17+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Get user access ifinex by ip fail[1]: ip[12.12.12.75]
<AC6605_8_76>
Dec 01 2020 17:33:14.947.18+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Get receive ifindex by CIB fail!.
<AC6605_8_76>
Dec 01 2020 17:33:14.947.19+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Get user ifindex[4], L3IfIndex[4294967295], VID[12].
<AC6605_8_76>
Dec 01 2020 17:33:14.947.20+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Msg] Portal disable on ifindex[4], L3IfIndex[4294967295].
<AC6605_8_76>
Dec 01 2020 17:33:14.947.1+08:00 AC6605_8_76 WEB/7/DEBUG:
[Web-Err] Get web server config fail[1].
[HUAWEI] display access-user
-----------------------------------------------------------------
UserID Username IP address MAC Status
-----------------------------------------------------------------
16654 5cd998bc034c 200.1.1.64 5cd9-98bc-034c Pre-authen
-----------------------------------------------------------------
Total: 1, printed: 1
The cause for this problem is the NAT configuration between the STA and device. The source IP address of the HTTP request packet sent from the STA to the device is the NAT-translated IP address. The device cannot find STA information based on the IP address. As a result, the authentication fails.
This problem can be addressed by configuring the IP address forwarded through the CAPWAP tunnel when Portal authentication uses HTTP or HTTPS. This IP address is the local IP address of the device, which is the same as the IP address in the device login URL.
[HUAWEI] portal tunnel-forward ip 12.12.12.76