Key Configuration Check
VAP Profile Configuration
Find the corresponding VAP profile based on the SSID, and check the configurations of the VAP profile, including the configuration of the authentication profile.
- Run the display vap-profile all command to check all VAP profiles and find the corresponding VAP profile based on the SSID.
[HUAWEI] display vap-profile all
FMode : Forward mode
STA U/D : Rate limit client up/down
VAP U/D : Rate limit VAP up/down
BR2G/5G : Beacon 2.4G/5G rate
----------------------------------------------------------------------------------------------------------------------
Name        FMode   Type     VLAN      AuthType     STA U/D(Kbps)  VAP U/D(Kbps)  BR2G/5G(Mbps)  Reference  SSID
----------------------------------------------------------------------------------------------------------------------
default     direct  service  VLAN 1    Open         -/-            -/-            1/6            0          HUAWEI-WLAN
vap_portal  tunnel  service  VLAN 200  Open+Portal  -/-            -/-            1/6            3          portal_test
----------------------------------------------------------------------------------------------------------------------
Total: 2
It is not recommended that the same SSID be bound to multiple VAP profiles because exceptions (such as access failures) will occur when multiple VAP profiles with the same SSID are bound to the same AP.
- Check the configuration of the VAP profile, and find the authentication profile bound to the VAP profile.
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap_portal
[HUAWEI-wlan-vap-prof-vap_portal] display this
#
 forward-mode tunnel
 service-vlan vlan-id 200
 ssid-profile localportal
 authentication-profile authen_portal
#
- Check the configuration of the authentication profile. It must have a Portal access profile bound.
[HUAWEI] authentication-profile name authen_portal
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test
#
- Check the configuration of the Portal access profile. It must have a Portal server template bound.
[HUAWEI] portal-access-profile name access_portal
[HUAWEI-portal-access-profile-access_portal] display this
#
portal-access-profile name access_portal
 web-auth-server portal_test direct
#
- Check the configuration of the Portal server template. The server IP address and URL must be configured.
The URL can be configured using either of the following methods:
1. Configure the URL directly on the Portal server template.
2. Reference a URL template on the Portal server template and configure the URL in the URL template.
With the second method, you can also configure the required URL parameters in the URL template. If the Portal server requires specific URL parameters, they can be configured only in the URL template.
- Method 1: Configure a URL on the Portal server.
[HUAWEI] web-auth-server portal_test
[HUAWEI-web-auth-server-portal_test] display this
#
web-auth-server server_portal
 server-ip 12.12.12.1
 port 50100
 url http://12.12.12.1:8080/portal
#
- Method 2: Configure a URL template on the Portal server.
[HUAWEI] web-auth-server portal_test
[HUAWEI-web-auth-server-portal_test] display this
#
web-auth-server server_portal
 server-ip 12.12.12.1
 port 50100
 url-template url_test
#
Check the configuration in the URL template. The URL and required parameters need to be configured.
[HUAWEI] url-template name url_test
[HUAWEI-url-template-url_test] display this
#
url-template name url_test
 url http://12.12.12.1:8080/portal
 url-parameter device-ip ac-ip user-ipaddress userip ssid ssid
#
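The binding chain checked in the steps above can be verified mechanically. The following is an added example, not Huawei tooling: it assumes the configuration has been saved as one '#'-delimited section per object (a simplification of the "display this" outputs), and the sample is constructed with the URL missing from the URL template.

```python
# Constructed sample (simplified): one '#'-delimited section per object.
SAMPLE = """\
vap-profile name vap_portal
 authentication-profile authen_portal
#
authentication-profile name authen_portal
 portal-access-profile access_portal
#
portal-access-profile name access_portal
 web-auth-server portal_test direct
#
web-auth-server portal_test
 server-ip 12.12.12.1
 url-template url_test
#
url-template name url_test
 url-parameter device-ip ac-ip user-ipaddress userip ssid ssid
"""

def parse_sections(cfg):
    """Map each section header to {keyword: first argument} for its lines."""
    sections, body = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line in ("#", ""):
            body = None
        elif body is None:
            body = sections.setdefault(line, {})
        else:
            keyword, _, rest = line.partition(" ")
            body.setdefault(keyword, rest.split()[0] if rest else "")
    return sections

def check_portal_chain(cfg, vap):
    """Follow VAP -> authentication -> Portal access -> server -> URL; list gaps."""
    s, problems = parse_sections(cfg), []
    def bound(header, keyword):
        value = s.get(header, {}).get(keyword)
        if not value:
            problems.append(f"{header}: no {keyword} configured")
        return value
    auth = bound(f"vap-profile name {vap}", "authentication-profile")
    access = auth and bound(f"authentication-profile name {auth}", "portal-access-profile")
    server = access and bound(f"portal-access-profile name {access}", "web-auth-server")
    if server:
        hdr = f"web-auth-server {server}"
        bound(hdr, "server-ip")
        tmpl = s.get(hdr, {}).get("url-template")
        # Method 2 checks the URL template; Method 1 checks the server template.
        bound(f"url-template name {tmpl}" if tmpl else hdr, "url")
    return problems
```

Calling check_portal_chain(SAMPLE, "vap_portal") reports the URL template that has parameters but no URL; an empty list means every link in the chain is present.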
Authentication Mode Configuration
External Portal authentication supports local, RADIUS, LDAP, and AD authentication modes. RADIUS authentication is used in most scenarios and serves as the example in this document.
The authentication mode is specified in an authentication scheme. An authentication scheme can be applied using either of the following two methods: Method 1: Apply it to an authentication profile directly. Method 2: Apply it to a domain, which is then bound to the authentication profile. The first method has a higher priority than the second method. If both methods are configured, the first method takes effect, and the default or forcible domain configured in the authentication profile using the second method does not take effect.
- Method 1: Apply an authentication scheme to an authentication profile.
When applying an authentication scheme to an authentication profile, you must also apply a RADIUS server template. If accounting is required, apply an accounting scheme.
[HUAWEI] authentication-profile name authen_portal
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 authentication-scheme radius
 accounting-scheme radius
 radius-server radius_test
#
- Method 2: Apply an authentication scheme to a domain.
When applying an authentication scheme to a domain, you must also apply a RADIUS server template. If accounting is required, apply an accounting scheme to the domain.
[HUAWEI] aaa
[HUAWEI-aaa] domain domain_test
[HUAWEI-aaa-domain-domain_test] display this
#
 domain domain_test
  authentication-scheme radius
  accounting-scheme radius
  radius-server radius_test
#
Then configure the default domain or forcible domain in the authentication profile. It is recommended that you configure a default domain without specifying the access type in the authentication profile.
[HUAWEI] authentication-profile name authen_portal
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test
#
The authentication domain for a terminal is selected in descending order of priority: forcible domain for a specified access type > forcible domain with no access type specified > valid domain carried in the user name > default domain for a specified access type > default domain with no access type specified > global default domain. The following are configuration examples of different domains:
- Forcible domain for a specified access type:
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test portal force
- Forcible domain with no access type specified:
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test force
- Valid domain carried in the user name: The user name used for authentication contains the domain name in @ format, and the domain has been created on the device.
- Default domain for a specified access type:
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test portal
- Default domain with no access type specified:
[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test
- Global default domain: It is specified by the domain xxx command in the system view.
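The priority order above, applied to a Portal user, as an added example that is not device code. It assumes the user name carries its domain as user@domain; the profile text, the domain names guest and corp, and the global default domain name passed in are constructed.

```python
import re

def parse_access_domains(profile_text):
    """Return {(forcible, portal_specific): domain} from access-domain lines."""
    found = {}
    for line in profile_text.splitlines():
        m = re.fullmatch(r"access-domain (\S+)( portal)?( force)?", line.strip())
        if m:
            found[(bool(m.group(3)), bool(m.group(2)))] = m.group(1)
    return found

def select_domain(profile_text, username, device_domains, global_default):
    """Pick the authentication domain for a Portal user, highest priority first."""
    d = parse_access_domains(profile_text)
    # Assumption: the user name carries its domain as user@domain.
    carried = username.rsplit("@", 1)[1] if "@" in username else None
    candidates = [
        ("forcible domain, portal", d.get((True, True))),
        ("forcible domain, no access type", d.get((True, False))),
        # A carried domain counts only if it has been created on the device.
        ("domain in user name", carried if carried in device_domains else None),
        ("default domain, portal", d.get((False, True))),
        ("default domain, no access type", d.get((False, False))),
        ("global default domain", global_default),
    ]
    return next(((dom, src) for src, dom in candidates if dom), (None, None))

# Constructed profile: a default domain plus a Portal-specific default domain.
PROFILE = """authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test
 access-domain guest portal
"""
```

With only default domains configured, the domain a user appends to the user name wins over the profile's defaults whenever that domain exists on the device; configuring a forcible domain removes that choice.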