NAC Access Issues
- Portal Authentication Issues
- Portal Users Cannot Be Successfully Authenticated
- A Blank Page Is Displayed on an External Portal Server
- A Portal Server Does Not Automatically Push an Authentication Page
- Failed to Automatically Display an Authentication Page on an iOS Terminal
- The Domain Name-based Filter Function Does Not Take Effect
- STAs Go Offline Unexpectedly Due to a Failure of User Information Synchronization Between the AC and Portal Server
- STAs Are Still Redirected to the Portal Authentication Page Even After Authentication Success Is Displayed on the STAs
- 802.1X Authentication Issues
Portal Authentication Issues
Portal Users Cannot Be Successfully Authenticated
Fault Symptom
Portal users cannot be successfully authenticated.
Procedure
- Check whether the shared key is configured on the AC.
Error-prone configuration: The shared key configured on the AC must be the same as that on the Portal server.
[AC-web-auth-server-controller] display this
#
web-auth-server controller
 server-ip 10.10.10.1
 port 50100
 shared-key cipher %^%#E=77UW>`&A-6}x,G*-}X~5pb5\HVe'sU6+Q1S3x%%^%#
 url http://10.10.10.1:8080/portal
#
Suggestion: Configure the same shared key as that on the Portal server for the AC and conduct the Portal user authentication test again.
- Check whether STA address learning is enabled.
Error-prone configuration: When processing authentication requests of STAs to the Portal server, the AC needs to search for STA MAC addresses based on STA IP addresses. If the STA IP addresses are not reported by APs, the AC fails to find the matched MAC addresses of the STAs. In this case, the AC fails to process the authentication requests.
[AC] display current-configuration | include learn-client-address disable
Suggestion: Enable STA address learning.
- If built-in Portal authentication is used, check whether the service type for the local user is configured correctly.
Error-prone configuration: The web service type is not configured for the local user.
<AC> display local-user username user-a
The contents of local user(s):
Password : ****************
State : active
Service-type-mask : A
...
Suggestion: Set the service type of the local user to web.
<AC> system-view
[AC] aaa
[AC-aaa] local-user user1@vipdomain service-type web
A Blank Page Is Displayed on an External Portal Server
Fault Symptom
Before an upgrade, the external Portal server can properly run. After an upgrade, a blank page is displayed on the Portal server.
Procedure
- Check whether the URL parameter required for the third-party Portal server is configured on the AC.
Error-prone configuration: When an AC is interconnected with a third-party Portal server, the Portal server requires that the URL carry the acip parameter. This URL parameter, however, is not configured on the AC.
[AC-url-template-test] display this
#
url-template name test
 url http://10.10.10.1:8080/portal
 url-parameter ac-ip wlanacip
#
Suggestion: Configure the URL parameter required for the third-party Portal server.
A Portal Server Does Not Automatically Push an Authentication Page
Fault Symptom
A Portal server does not automatically push an authentication page.
Procedure
- Check whether the Portal server detection function is enabled in the Portal server profile.
Error-prone configuration: The Portal server detection function is enabled on the AC, but the Portal server is not enabled. In this case, the Portal server status is displayed as Abnormal on the AC.
[AC-web-auth-server-controller] display this
#
web-auth-server controller
 server-ip 10.10.10.1
 port 50100
 shared-key cipher %^%#E=77UW>`&A-6}x,G*-}X~5pb5\HVe'sU6+Q1S3x%%^%#
 url http://10.10.10.1:8080/portal
 server-detect
#
Suggestion: Enable the Portal server detection function only when the Portal escape function is required. If heartbeat detection is not supported or enabled on the Portal server, disable the Portal server detection function.
Failed to Automatically Display an Authentication Page on an iOS Terminal
Fault Symptom
Failed to automatically display an authentication page on an iOS terminal.
Procedure
- Check whether the Captive Network Assistant (CNA) bypass function is configured on the AC.
Error-prone configuration: The CNA bypass function is enabled for iOS terminals.
[AC] display current-configuration | include portal captive-bypass enable
Suggestion: Disable the CNA bypass function.
- Check whether the Portal server pushes an authentication page through HTTPS.
Error-prone configuration: The Portal server pushes an authentication page through HTTPS, but no valid certificate issued by the CA is installed on the server.
A Portal authentication page of the HTTPS type can be automatically displayed only when an HTTPS URL is used and the domain name certificate is valid.
Suggestion: On the Portal server, change HTTPS-based page pushing to HTTP-based page pushing or install a valid certificate.
The Domain Name-based Filter Function Does Not Take Effect
Fault Symptom
The domain name-based filter function does not take effect.
Procedure
- Check whether the DNS server is permitted in Portal authentication.
Error-prone configuration: The domain name is permitted, but the DNS server address is not.
#
authentication-profile name p1
 portal-access-profile portal1
 free-rule-template default_free_rule
 authentication-scheme radius_huawei
 radius-server radius_huawei
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
Suggestion: Permit the DNS server in Portal authentication.
STAs Go Offline Unexpectedly Due to a Failure of User Information Synchronization Between the AC and Portal Server
Fault Symptom
STAs go offline unexpectedly due to a failure of user information synchronization between the AC and Portal server.
Procedure
- Check whether the user synchronization function is enabled in the Portal server profile.
Error-prone configuration: The user synchronization function is enabled in the Portal server profile on the AC but not enabled on the Portal server.
The reason for a STA to go offline is displayed as "WEB user synchronize fail."
[AC-web-auth-server-controller] display this
#
web-auth-server controller
 server-ip 10.10.10.1
 port 50100
 shared-key cipher %^%#E=77UW>`&A-6}x,G*-}X~5pb5\HVe'sU6+Q1S3x%%^%#
 url http://10.10.10.1:8080/portal
 user-sync
#
Suggestion: Disable the user synchronization function on the AC if this function is not supported or enabled on the Portal server.
STAs Are Still Redirected to the Portal Authentication Page Even After Authentication Success Is Displayed on the STAs
Fault Symptom
In Portal authentication scenarios, STAs are still redirected to the Portal authentication page even after authentication success is displayed on the STAs. This is also called "fake authentication."
Procedure
- Check whether NAT is configured between the authentication server and STAs.
Error-prone configuration: When the AC is connected with the Agile Controller, packets from STAs are translated using NAT before arriving at the Agile Controller. The source IP addresses of the packets are converted into public IP addresses, which cannot be identified by the Agile Controller.
#
url-template name url
 url-parameter user-ipaddress user-ipaddress
#
Suggestion: Carry the user-ipaddress parameter in the URL when NAT is deployed between the Agile Controller and STAs.
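An added example, not part of the original page or of any vendor tooling: a Python audit of a saved AC configuration for three of the error-prone Portal settings described above (server-detect, user-sync, and a DNS server that no free rule covers). The sample configuration, the DNS server addresses and the function names are constructed, and the parser assumes the `#`-delimited layout with one-space-indented sub-commands.

```python
import ipaddress
import re

# Constructed sample in the style of "display this" output (assumed layout).
SAMPLE_CONFIG = """\
#
web-auth-server controller
 server-ip 10.10.10.1
 port 50100
 url http://10.10.10.1:8080/portal
 server-detect
 user-sync
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.200.2 mask 255.255.255.0
#
"""

def parse_blocks(config):
    """Split a '#'-delimited dump into {block header: [sub-commands]}."""
    blocks, header = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            header = None                      # separator closes the block
        elif not line.startswith(" "):
            header = line.strip()              # unindented line opens a block
            blocks[header] = []
        elif header:
            blocks[header].append(line.strip())
    return blocks

def audit(config, dns_server):
    """Return findings for the error-prone Portal settings this page lists."""
    findings, permitted = [], []
    for header, cmds in parse_blocks(config).items():
        if header.startswith("web-auth-server "):
            for flag in ("server-detect", "user-sync"):
                if any(c.split()[0] == flag for c in cmds):
                    findings.append(f"{header}: {flag} enabled; confirm Portal server support")
        if header.startswith("free-rule-template "):
            for c in cmds:
                m = re.match(r"free-rule \d+ destination ip (\S+) mask (\S+)", c)
                if m:  # host bits may be set in the rule, so strict=False
                    permitted.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    if not any(ipaddress.ip_address(dns_server) in net for net in permitted):
        findings.append(f"DNS server {dns_server} is not covered by any free-rule")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, "10.23.100.1")))
```

Each finding is a prompt to check the matching setting on the Portal server, not proof of a fault: server-detect and user-sync are correct when the server supports them.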
802.1X Authentication Issues
Authentication Fails When the AC Does Not Have a Dynamic VLAN Created
Fault Symptom
A dynamic VLAN is created on the authentication server, but the same VLAN is not created on the AC. As a result, authentication fails.
Procedure
- Check whether the dynamic VLAN is created on the AC.
Error-prone configuration: The AC does not have a dynamic VLAN created.
Suggestion: Create the corresponding VLAN on the AC.
802.1X Authentication Fails
Fault Symptom
802.1X authentication fails.
Procedure
- Check whether an 802.1X authentication profile is bound to the authentication profile.
Error-prone configuration: The security wpa-wpa2 dot1x aes command is configured in the security profile. However, the 802.1X authentication profile is not bound to the authentication profile.
#
authentication-profile name p1
 authentication-scheme radius_huawei
 radius-server radius_huawei
#
Suggestion: Bind the 802.1X authentication profile to the authentication profile.
[AC] dot1x-access-profile name wlan-dot1x
[AC] authentication-profile name p1
[AC-authentication-profile-p1] dot1x-access-profile wlan-dot1x
- Check whether the service VLAN is created on the AC.
Error-prone configuration: In 802.1X authentication scenarios, EAP packets are forwarded to the AC through a CAPWAP tunnel. Service VLANs are not created on the AC.
Suggestion: Create the corresponding service VLANs on the AC.