Troubleshooting: Portal Redirection Failures
- Implementation of Portal Redirection
- Key Configuration Check
- Common Portal Redirection Failures
- The User Can Be Redirected to the URL of the Portal Page, but the Portal Page Cannot Be Opened
- The Access to Any IP Address Can Be Redirected, but the Access to the Domain Name of the Web Page Cannot Be Redirected
- A Security Alarm Is Reported When an HTTPS Web Page Is Accessed (Normal)
- HTTPS Web Page Access Fails to Be Redirected (HSTS Protocol)
- HTTP Proxy Is Configured on a Terminal, but the Terminal Cannot Be Redirected to the Portal Page
- The URL of the Redirected Portal Page Contains %XX, Which Cannot Be Identified by Some Portal Servers
- The Portal Authentication Page Cannot Be Automatically Displayed After an Apple Terminal Associates with the AP
- Redirection Fails After Any IP Address or Domain Name Is Entered on a STA
- Collecting Information
Implementation of Portal Redirection
Principles of Portal Redirection
Portal redirection enables the system to automatically display the authentication page to control STA access to HTTP or HTTPS websites if the authentication fails. To implement this function, the device intercepts HTTP (TCP port 80) or HTTPS (TCP port 443) traffic, establishes a TCP connection with the terminal by pretending to be the destination IP address that the terminal attempts to access, and redirects the terminal to an authentication page. Portal redirection is the first phase of Portal authentication. However, some clients can directly submit the user names and passwords to the Portal server without having to undergo Portal redirection.
In wireless scenarios, Portal redirection is implemented by APs.
Portal redirection can be implemented in either of the following modes:
- Method 1: HTTP 200 OK
As shown in the following information, 42.1.1.19 is the IP address of the STA, and 1.1.1.1 is the destination IP address accessed by the STA.
After you enter http://1.1.1.1 in the address box of a browser, the device intercepts the packet, and pretends to be the destination address 1.1.1.1 to establish a TCP connection with the terminal. The first to third packets in Figure 6-1 show the packet exchange process. After the TCP connection is established, the terminal sends an HTTP GET packet (the fourth packet in Figure 6-1), and the device replies with an HTTP 200 OK packet (the fifth packet in Figure 6-1). The HTTP 200 OK packet sent by the device carries the IP address of the redirection authentication page (the information in the red box in Figure 6-2). After the STA receives the HTTP 200 OK packet, it accesses the redirection authentication page.
- Method 2: HTTP 302 Moved Temporarily
As shown in the following information, 42.1.1.76 is the IP address of the STA, and 1.1.1.1 is the destination IP address accessed by the STA.
Figure 6-3 Packet exchange (HTTP 302 Moved Temporarily)
Figure 6-4 Packet content (HTTP 302 Moved Temporarily)
This mode differs from the HTTP 200 OK mode in that the device replies with an HTTP 302 Moved Temporarily packet that carries the address of the redirected authentication page.
WLAN V200R010 and earlier versions support only HTTP 302 Moved Temporarily redirection. V200R019 and later versions use HTTP 200 OK redirection by default. If HTTP 302 Moved Temporarily redirection is required (for example, some customized STAs do not support HTTP 200 OK), you can run the portal redirect-302 enable command to configure this function.
Process of Automatically Displaying the Portal Authentication Page on a STA
After a STA connects to a wireless network, it first uses an internal tool to send an HTTP sniffing request to a specified server to check whether the wireless network grants network access. On a Portal authentication network, the device intercepts the HTTP sniffing request sent by the STA's internal tool and returns a redirection page to the STA. The internal tool determines that the response is not the expected one and concludes that the wireless network is under control. The tool then invokes the system's default browser to resend an HTTP sniffing request. The device again intercepts the request and returns a redirection page, so the browser is redirected to the Portal authentication page; that is, the Portal authentication page is displayed automatically after the STA connects to the wireless network.
The following uses an iOS terminal as an example. The process of automatically displaying the Portal authentication page on the iOS terminal is as follows:
- An Apple terminal sends an HTTP 1.0 request to http://captive.apple.com. The User-Agent field in the request is CaptiveNetworkSupport.
- If the pushed page is not the expected http://www.apple.com/library/test/success.html, the terminal considers a network connection failure and invokes the browser to send an HTTP 1.1 request to http://captive.apple.com. The User-Agent field in the request is Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13G34, which may slightly vary depending on Apple terminals and versions.
- In this case, the Portal authentication page is automatically displayed on the terminal, where users can enter the account password to connect to the wireless network.
The preceding describes the implementation of Apple's Captive Network Assistant (CNA) mechanism. Whether the browser re-sends the HTTP request in step 2 is the key to automatically pushing the Portal authentication page. If the browser is not invoked, or is invoked only after a long delay, the Portal authentication page will not be pushed or will be pushed late.
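The two redirection methods above (HTTP 200 OK carrying the portal URL, and HTTP 302 with a Location header) and the CNA probe decision can be exercised offline. The following Python is an added example, not code from the page or from the device vendor; the response bytes are constructed here, and the assumption that the 200 OK body carries the URL in a meta refresh tag is illustrative, since the page does not show the exact 200 OK body.

```python
import re
from typing import Optional

# Constructed sample responses (not captures from a real device).
PORTAL_URL = "http://12.12.12.1:8080/portal?userip=42.1.1.19&ssid=portal_test"

# Method 2: HTTP 302 Moved Temporarily with the portal URL in Location.
RESP_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    f"Location: {PORTAL_URL}\r\n"
    "Content-Length: 0\r\n\r\n"
).encode()

# Method 1: HTTP 200 OK whose HTML body carries the portal URL
# (meta refresh assumed here for illustration).
RESP_200_REDIRECT = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><head>"
    f'<meta http-equiv="refresh" content="0; url={PORTAL_URL}">'
    "</head><body>Redirecting...</body></html>"
).encode()

# The success page an Apple terminal expects from captive.apple.com.
RESP_200_SUCCESS = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
).encode()


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers dict, body str)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


_META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)


def redirect_target(raw: bytes) -> Optional[str]:
    """Return the portal URL carried by a redirection response, or None.

    Handles both forms the device can send: a 3xx with a Location header,
    and a 200 OK whose HTML body carries the URL (meta refresh assumed).
    """
    status, headers, body = parse_response(raw)
    if status in (301, 302, 303, 307) and "location" in headers:
        return headers["location"]
    if status == 200:
        m = _META_REFRESH.search(body)
        if m:
            return m.group(1)
    return None


def classify_probe(raw: bytes) -> str:
    """Mimic the CNA decision: 'open' only if the expected success page came
    back unchanged; any substituted response (including a redirect) means
    the network is under control ('captive')."""
    status, _, body = parse_response(raw)
    if status == 200 and "Success" in body and redirect_target(raw) is None:
        return "open"
    return "captive"
```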
Key Configuration Check
Profile Configuration on the AC
Find the corresponding VAP profile based on the SSID, and check the configurations of the VAP profile, including the configuration of the authentication profile.
- Run the display vap-profile all command to check all VAP profiles and find the corresponding VAP profile based on the SSID.
[Huawei] display vap-profile all
FMode   : Forward mode
STA U/D : Rate limit client up/down
VAP U/D : Rate limit VAP up/down
BR2G/5G : Beacon 2.4G/5G rate
---------------------------------------------------------------
Name        FMode   Type     VLAN      AuthType     STA U/D(Kbps)  VAP U/D(Kbps)  BR2G/5G(Mbps)  Reference  SSID
---------------------------------------------------------------
default     direct  service  VLAN 1    Open         -/-            -/-            1/6            0          HUAWEI-WLAN
vap_portal  tunnel  service  VLAN 200  Open+Portal  -/-            -/-            1/6            3          portal_test
---------------------------------------------------------------
Total: 2
It is not recommended that the same SSID be bound to multiple VAP profiles because exceptions (such as access failures) will occur when multiple VAP profiles with the same SSID are bound to the same AP.
- Check the configuration of the VAP profile, and find the authentication profile bound to the VAP profile.
[Huawei] wlan
[Huawei-wlan-view] vap-profile name vap_portal
[Huawei-wlan-vap-prof-vap_portal] display this
#
 forward-mode tunnel
 service-vlan vlan-id 200
 ssid-profile localportal
 authentication-profile authen_portal
#
- Check the configuration of the authentication profile. It must have a Portal access profile bound.
[Huawei] authentication-profile name authen_portal
[Huawei-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test
#
- Check the configuration of the Portal access profile. It must have built-in Portal authentication enabled or have a Portal server template bound.
For built-in Portal authentication, you need to enable built-in Portal authentication in the Portal access profile.
[Huawei] portal-access-profile name access_portal
[Huawei-portal-access-profile-access_portal] display this
#
portal-access-profile name access_portal
 portal local-server enable
#
For external Portal authentication, you need to bind a Portal server template to the Portal access profile.
[Huawei] portal-access-profile name access_portal
[Huawei-portal-access-profile-access_portal] display this
#
portal-access-profile name access_portal
 web-auth-server portal_test direct
#
- If an external Portal server is used, the server IP address and URL must be configured.
The URL can be configured in either of the following ways: (1) configure the URL directly in the Portal server template, or (2) reference a URL template from the Portal server template and configure the URL in the URL template. In addition, you can configure the required URL parameters in the URL template. If the Portal server requires specific URL parameters, they can be configured only in the URL template.
- Method 1: Configure a URL on the Portal server.
[Huawei] web-auth-server portal_test
[Huawei-web-auth-server-portal_test] display this
#
web-auth-server portal_test
 server-ip 12.12.12.1
 port 50100
 url http://12.12.12.1:8080/portal
 protocol http
#
- Method 2: Configure a URL template on the Portal server.
[Huawei] web-auth-server portal_test
[Huawei-web-auth-server-portal_test] display this
#
web-auth-server portal_test
 server-ip 12.12.12.1
 port 50100
 url-template url_test
 protocol http
#
Check the configuration in the URL template. The URL and required parameters need to be configured.
[Huawei] url-template name url_test
[Huawei-url-template-url_test] display this
#
url-template name url_test
 url http://12.12.12.1:8080/portal
 url-parameter device-ip ac-ip user-ipaddress userip ssid ssid
#
- Check the DNS bypass configuration.
Check whether the portal pass dns enable command is configured in the system view. This command is enabled by default in V200R010 but disabled by default in V200R019 and later versions. If this command is not configured, configure an authentication-free rule to bypass the DNS server address. The following shows how to configure an authentication-free rule to bypass DNS server address 8.8.8.8.
[Huawei] free-rule-template name default_free_rule
[Huawei-free-rule-default_free_rule] display this
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 8.8.8.8 mask 255.255.255.0 source ip any
#
[Huawei] authentication-profile name authen_portal
[Huawei-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test
 free-rule-template default_free_rule
#
Portal Configuration on the AP
- Check the configuration of the URL template delivered to the AP.
The URL template on the AP includes the built-in Portal server configuration, Portal server template configuration, and URL template configuration on the AC.
- Query the configuration of all URL templates on the AP.
[Huawei-AP] display url-template all
---------------------------------------------------------------
ID   URL Number   Start Mark   Assignment Mark   Isolate Mark
---------------------------------------------------------------
0    1            ?            =                 &
1    0
2    1            ?            =                 &
---------------------------------------------------------------
Total 3
- Query the URL template configuration based on the URL template ID.
- URL template 0 corresponds to the built-in Portal server configuration on the AC.
[Huawei-AP] display url-template id 0
ID              : 0
Name            : portal-local-server*
URL             : 1. http://12.12.12.76:2000/index.html
Start mark      : ?
Assignment mark : =
Isolate mark    : &
AC IP           :
AC MAC          :
AP IP           :
AP MAC          :
User MAC        :
Redirect URL    :
SSID            :
User IP address :
Sysname         :
User VLAN       :
AP Name         :
AP Location     :
AP Group Name   :
Delimiter       :
Format          :
Http to ap      : 1
Https to ap     : 1
Server State    : 0
Server ip       : 12.12.12.76
Server ipv6     : ::
Do not Redirect : 0
URL cipher name :
URL iv name     :
URL cipher key  :
AC IP Value     :
AC MAC Value    :
Sysname Text    :
AP IP Value     :
- URL template 1 corresponds to the Portal server template configuration on the AC.
[Huawei-AP] display url-template id 1
ID              : 1
Name            : portal_test
URL             :
Start mark      :
Assignment mark :
Isolate mark    :
AC IP           :
AC MAC          :
AP IP           :
AP MAC          :
User MAC        :
Redirect URL    :
SSID            :
User IP address :
Sysname         :
User VLAN       :
AP Name         :
AP Location     :
AP Group Name   :
Delimiter       :
Format          :
Http to ap      : 1
Https to ap     : 1
Server State    : 0
Server ip       : 12.12.12.1
Server ipv6     : ::
Do not Redirect : 0
URL cipher name :
URL iv name     :
URL cipher key  :
AC IP Value     :
AC MAC Value    :
Sysname Text    :
AP IP Value     :
- URL template 2 corresponds to the URL template configuration on the AC.
[Huawei-AP] display url-template id 2
ID              : 2
Name            : url_test
URL             : 1. http://12.12.12.1:8080/portal
Start mark      : ?
Assignment mark : =
Isolate mark    : &
AC IP           : ac-ip
AC MAC          :
AP IP           :
AP MAC          :
User MAC        :
Redirect URL    :
SSID            : ssid
User IP address : userip
Sysname         :
User VLAN       :
AP Name         :
AP Location     :
AP Group Name   :
Delimiter       :
Format          :
Http to ap      : 0
Https to ap     : 0
Server State    : 0
Server ip       : 0.0.0.0
Server ipv6     : ::
Do not Redirect : 0
URL cipher name :
URL iv name     :
URL cipher key  :
AC IP Value     :
AC MAC Value    :
Sysname Text    :
AP IP Value     :
- Check the Portal authentication configuration delivered to the AP.
[Huawei-AP] display portal config
Portal CnaBypass      : disable
Portal CnaAdaptive    : enable
Portal User Agent     : enable
Portal URL Encode     : disable
Portal Https redirect : enable port 64443
Portal JS Redirect    : disable
Portal 302 Redirect   : disable
Portal DNS Permit     : disable
Vlan config info:
--------------------------------------------------------------
Vlanid  main web index  main url index  back web index  back url index
--------------------------------------------------------------
Bssid config info:
--------------------------------------------------------------
Vapid  Bssid  main web index  main url index  back web index  back url index
1      27     0               0               255             255
2      28     1               2               255             255
17     30     0               0               255             255
18     31     1               2               255             255
--------------------------------------------------------------
main web index indicates the active Portal server, main url index indicates the active URL template, back web index indicates the standby Portal server, and back url index indicates the standby URL template.
You can check whether the binding relationship delivered to the AP is correct based on the global Portal authentication on the AP. If not, unbind the authentication profile from the AC VAP profile and then bind the authentication profile again.
To view authentication-free rules on the AP, run the display portal free-rule command in versions earlier than V200R010 or run the display wsrv portal free-rule command in V200R010 or later.
[Huawei-AP-diagnose] display wsrv portal free-rule
----------------------------------------------------------------
Dynamic IPv4 free rule
destination IP 12.12.12.6 mask 255.255.255.255
destination IP 50.1.1.1 mask 255.255.255.255
Total 2
----------------------------------------------------------------
Profile ID 0
Rule 1: destination IP 8.8.8.8 mask 255.255.255.0
Total 1
----------------------------------------------------------------
Profile ID 1
Rule 1: destination IP 8.8.8.8 mask 255.255.255.0
Total 1
----------------------------------------------------------------
Common Portal Redirection Failures
The User Can Be Redirected to the URL of the Portal Page, but the Portal Page Cannot Be Opened
Symptom
When a user uses a browser to access any web page, the URL of the Portal page is displayed in the address box of the browser, but the Portal page cannot be opened.
Possible Causes
The possible causes are as follows:
- The network between the STA and the Portal server is disconnected.
- When the AC is connected to a third-party Portal server, the Portal server may work in load balancing mode. In this case, the Portal server address is different from the Portal page URL. As a result, the AP and AC do not permit the Portal page URL.
Check the server IP address and URL configured in the web-auth-server template. In the following example, the server IP addresses (12.12.12.1 and 12.12.12.2) differ from the host in the Portal page URL (12.12.12.3).
[Huawei-web-auth-server-server_portal] display this
#
web-auth-server server_portal
 server-ip 12.12.12.1 12.12.12.2
 port 50100
 shared-key cipher %^%#&=*FNh9cq9Z!8CJee+u(JX1jNUQvz#b+iM#Msz3P%^%#
 url http://12.12.12.3:8080/portal
#
Solution
- Check the network between the STA and the Portal server. Ping the Portal server from the STA gateway to check whether the route is correct. If the ping fails, check the route configuration.
- When the device connects to a third-party Portal server, the Portal server may use load balancing, so the Portal server address may differ from the Portal page URL. In this case, configure an authentication-free rule profile that permits packets to the host of the Portal page URL.
Configure the authentication-free rule profile to allow packets from the Portal URL to pass through, and bind the authentication-free rule profile to the authentication profile.
[Huawei] free-rule-template name default_free_rule
[Huawei-free-rule-default_free_rule] free-rule 0 destination ip 12.12.12.3 mask 255.255.255.255
[Huawei] authentication-profile name authen_portal
[Huawei-authentication-profile-authen_portal] free-rule-template default_free_rule
The Access to Any IP Address Can Be Redirected, but the Access to the Domain Name of the Web Page Cannot Be Redirected
Symptom
After a user enters any IP address in the address box of the browser, the user can be redirected to the Portal page and can access the page normally. However, after a user enters any domain name, the user cannot be redirected to the Portal page.
Possible Causes
If a STA cannot access the DNS server before passing Portal authentication, the possible causes are as follows:
- No DNS server is deployed on the network. (Generally, no DNS server is deployed in the test phase.)
- The DNS server IP address is not permitted on the AC and AP by running the free-rule command.
- The network between the STA and the DNS server is disconnected.
Solution
- Check whether a DNS server exists on the network and whether the DHCP server assigns a DNS server to the STA. If no DNS server exists on the network, the access domain name cannot trigger redirection.
- Check whether the DNS server IP address is permitted in the authentication-free rule profile. If not, permit the DNS server IP address in the authentication-free rule profile and bind the authentication-free rule profile to the authentication profile.
[Huawei] free-rule-template name default_free_rule
[Huawei-free-rule-default_free_rule] free-rule 1 destination ip 114.114.114.114 mask 255.255.255.255
[Huawei] authentication-profile name authen_portal
[Huawei-authentication-profile-authen_portal] free-rule-template default_free_rule
- On the STA gateway, ping the DNS server to check whether the route is reachable. If the ping fails, check the intermediate network.
- Run the nslookup command on the STA to check whether the DNS server can correctly resolve the domain name. If not, check the DNS server.
A Security Alarm Is Reported When an HTTPS Web Page Is Accessed (Normal)
According to the Portal redirection mechanism, when a STA accesses an HTTPS web page, the device intercepts traffic to the fixed HTTPS TCP port (443 by default) and spoofs the destination address the STA is accessing in order to establish a TCP connection with the STA. After the TCP connection is established, the SSL handshake is performed using the device's built-in signed certificate. This built-in certificate is not issued by a trusted certificate authority, so whether redirection succeeds depends on the browser's security policy. Some STA browsers display a warning when verifying the server certificate; after you click Trust, the Portal page is displayed. Other browsers display no prompt and simply abort the access.
HTTPS Web Page Access Fails to Be Redirected (HSTS Protocol)
When the HTTP Strict Transport Security (HSTS) function is enabled for a website, a browser must use HTTPS and a valid certificate to access the website. During HTTPS redirection, the device uses a self-signed certificate (this is because the device cannot have the certificate of the target website) to pretend to be the target website and establish an SSL connection with the browser. If the website has the HSTS function enabled, the browser will detect that the certificate is untrusted. As a result, redirection fails, as shown in the following figure (in this example, Google Chrome is used).
HTTP Proxy Is Configured on a Terminal, but the Terminal Cannot Be Redirected to the Portal Page
An HTTP proxy, or a port other than 80 or 443, is used on the network. If this problem occurs, capture packets on the STA or check the browser configuration on the STA. For example, on Internet Explorer on a Windows STA, choose Internet Properties > Connections > LAN settings.
The URL of the Redirected Portal Page Contains %XX, Which Cannot Be Identified by Some Portal Servers
Symptom
When a third-party Portal server is connected, the browser can be redirected to the URL of the Portal page, but the Portal page cannot be opened. The URL of the Portal page contains %XX, for example, http://12.12.12.1:8080/portal?ac%2Dip=100%2E1%2E1%2E1&userip=200%2E1%2E1%2E172&ssid=portal%5Ftest.
Possible Causes
By default, the Portal URL encoding and decoding function is enabled on the device.
URL encoding represents special characters (that is, characters that are not plain 7-bit ASCII, such as Chinese characters) as well as reserved characters such as the equal sign (=), ampersand (&), and percent sign (%) in hexadecimal form prefixed with a percent sign (%). The encoded form is simply the hexadecimal value of the character's ASCII code with "%" prepended. For example, the ASCII code of a backslash (\) is 92, which is 5c in hexadecimal, so the URL encoding of a backslash (\) is %5c. A complete URL encoding table can be found on the Internet. Some Portal servers do not support this encoding format, so when the URL encoding function is enabled on the device, redirection fails.
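The following Python is an added example, not code from the page or the device vendor. It rebuilds the symptom URL from the url-template shown earlier (base URL plus the ac-ip, userip and ssid parameters), once with the strict percent-encoding that produces the %2D, %2E and %5F sequences and once without, and shows what a server that understands percent-encoding would decode. The exact character set the device encodes is an assumption made from the page's example.

```python
from urllib.parse import unquote

# Constructed values matching the url-template on the page:
#   url http://12.12.12.1:8080/portal
#   url-parameter device-ip ac-ip user-ipaddress userip ssid ssid
BASE_URL = "http://12.12.12.1:8080/portal"
PARAMS = [("ac-ip", "100.1.1.1"), ("userip", "200.1.1.172"), ("ssid", "portal_test")]


def percent_encode_all(text: str) -> str:
    """Percent-encode every byte that is not an ASCII letter or digit.

    This is stricter than RFC 3986, which keeps '-', '.', '_' and '~'
    unencoded, and reproduces the %2D / %2E / %5F sequences in the symptom
    URL. That the device encodes exactly this set is an assumption drawn
    from the page's example, not a documented rule.
    """
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def build_portal_url(base: str, params, encode: bool) -> str:
    """Assemble the redirect URL using '?', '=' and '&' as the start,
    assignment and isolate marks; optionally percent-encode names and values."""
    pieces = []
    for name, value in params:
        if encode:
            name, value = percent_encode_all(name), percent_encode_all(value)
        pieces.append(f"{name}={value}")
    return base + "?" + "&".join(pieces)


def decode_portal_url(url: str) -> str:
    """What a Portal server that understands percent-encoding would see;
    a server that does not decode %XX receives the literal encoded names."""
    return unquote(url)
```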
Solution
Disable the Portal URL encoding function on the device.
[Huawei] undo portal url-encode enable
The Portal Authentication Page Cannot Be Automatically Displayed After an Apple Terminal Associates with the AP
Symptom
After an Apple terminal connects to a wireless network, the Portal authentication page is not automatically displayed.
Possible Causes
- If this problem occurs on all Apple terminals, the possible causes are as follows:
- The CNA bypass function is enabled on the device (with the portal captive-bypass enable command incorrectly configured).
- The device permits the domain name (captive.apple.com) of the server detected by the Apple terminal or the IP address corresponding to the domain name through the authentication-free rule.
- The Portal server uses HTTPS, and the Portal server website does not have a valid certificate.
- If this problem occurs on some Apple terminals, there is a high probability that the problem is caused by the terminals themselves. The possible cause is that the terminals use the internal detection tool to send detection requests to the Apple server after connecting to the wireless network, but do not invoke the browser to send detection requests. As a result, the detection page cannot be automatically displayed.
Solution
- If this problem occurs on all Apple terminals, perform the following steps:
- Check whether the CNA bypass function is configured. If so, disable the CNA bypass function.
[Huawei] undo portal captive-bypass enable
- Check whether the authentication-free rule permits the domain name of the server detected by the Apple terminal or the IP address corresponding to the domain name. If so, delete the domain name or IP address from the authentication-free rule.
- Check the configuration in the authentication-free rule profile.
[Huawei] free-rule-template name default_free_rule
[Huawei-free-rule-default_free_rule] display this
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
- Check the ACL configuration.
[Huawei] acl 6000
[Huawei-acl-ucl-6000] display this
#
acl number 6000
 rule 5 permit ip destination 114.114.114.114 0
 rule 10 permit ip destination passthrough-domain captive.apple.com
#
- Delete the domain name of the bypass Apple detection server.
[Huawei] acl 6000
[Huawei-acl-ucl-6000] undo rule 10
- Check the protocol used by the Portal server page. You can use a browser to access any website to jump to the Portal page and view the URL in the address bar of the browser. If the URL starts with https://, the Portal server page uses HTTPS. You are advised to change the protocol to HTTP or purchase a valid certificate.
- If this problem occurs on some Apple terminals, you are advised to obtain wireless packets on the terminal side for analysis.
Redirection Fails After Any IP Address or Domain Name Is Entered on a STA
Symptom
After a user enters any IP address and domain name on a STA, the STA cannot be redirected.
Possible Causes
The possible cause is that the Portal server detection function is enabled in the web-auth-server template by mistake.
[Huawei] web-auth-server test
[Huawei-web-auth-server-test] display this
#
web-auth-server test
 server-ip 12.12.12.6
 port 50100
 shared-key cipher %^%#N|):V]!Q-,Og!^95TW9I:(wsM_VyjF~"n*L@.ay2%^%#
 url http://12.12.12.6
 server-detect
#
The implementation mechanism of the server-detect command is as follows: The Portal server proactively sends heartbeat packets to the device. The device checks whether heartbeat packets are received every 100s. If the device does not receive heartbeat packets for three consecutive times, the device sets the Portal server status to Down and does not perform redirection. In this case, you can run the display server-detect state web-auth-server command to check the status of the Portal server. If the status field is Abnormal, the Portal server is Down.
[Huawei] display server-detect state web-auth-server test
Web-auth-server : test
Total-servers   : 1
Live-servers    : 0
Critical-num    : 0
Status          : Abnormal
Ip-address         Status
12.12.12.6         DOWN
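The heartbeat logic described above can be modelled to show why a Portal server that never sends heartbeats stops redirection after three check intervals. The following Python is an added example, not the device's implementation; the 100 s interval and three-miss threshold come from the page, while the heartbeat timestamps are constructed.

```python
def server_detect_status(heartbeat_times, now, check_interval=100, max_misses=3):
    """Evaluate the Portal server state the way the page describes server-detect.

    heartbeat_times: seconds (since the timer started) at which heartbeat
    packets arrived from the Portal server. The device checks once every
    check_interval seconds; a check that finds no heartbeat since the previous
    check counts as a miss, and a heartbeat resets the count. After max_misses
    consecutive misses the status becomes Abnormal (server DOWN).
    Returns (status, consecutive_misses) at time `now`.
    """
    hb = sorted(heartbeat_times)
    misses = 0
    prev = 0
    for t in range(check_interval, int(now) + 1, check_interval):
        seen = any(prev < h <= t for h in hb)
        misses = 0 if seen else misses + 1
        prev = t
    status = "Abnormal" if misses >= max_misses else "Normal"
    return status, misses


def should_redirect(heartbeat_times, now, server_detect_enabled=True):
    """Redirection stops only when server-detect is enabled and the server
    has been marked Abnormal; a third-party server that never sends
    heartbeats therefore breaks redirection unless server-detect is removed."""
    if not server_detect_enabled:
        return True
    return server_detect_status(heartbeat_times, now)[0] == "Normal"
```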
Solution
- If the Agile Controller is used as the Portal server, select Enable heartbeat between access device and Portal server in the Authentication Parameters tab page.
- Generally, a third-party Portal server does not support this function. You are advised to delete the server-detect configuration.
Collecting Information
- Enable the UA function on the AC.
[Huawei] http parse user-agent enable
- The redirection function is implemented on the AP. You can enable the debugging function on the AP to reproduce the problem.
<Huawei> debugging portal all
<Huawei> terminal debugging
<Huawei> terminal monitor
<Huawei> debugging timeout 0
- After the problem is reproduced, disable the debugging function on the AP.
<Huawei> undo debugging portal all
<Huawei> undo terminal debugging
<Huawei> undo terminal monitor