No relevant resource is found in the selected language.
MENU
Support Documentation
WLAN Troubleshooting Guide
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Portal Authentication Failure

Portal Authentication Failure

Common Problems

  • The Portal authentication page cannot be displayed.
  • The STA cannot pass Portal authentication.

Troubleshooting Flowchart

Troubleshooting Procedure for Failure to Display the Portal Authentication Page

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.

  1. Check whether the STA is successfully associated with an AP using either of the following methods. If the STA fails to associate with the AP, troubleshoot the problem following the procedure in Association Failure.

    Methods for checking whether an STA is associated with an AP:

    • Check the STA association entry.
    • Check the user entry.
      • Procedure in the web system: Choose Monitoring > User > User List.

      • Procedure on the CLI: Run the display access-user command in any view, and view the AP system profile used by the AP group.
        [AC6605] display access-user                                      
 ----------------------------------------------------------------
 UserID  Username      IP address      MAC             Status    
 ----------------------------------------------------------------
 18      98fae34a6cbc  10.23.101.254   98fa-e34a-6cbc  Pre-authen
 -----------------------------------------------------------------

    If a Portal user is successfully associated with an AP, the value of Status in the display access-user command output is Pre-authen. If a Portal user is authenticated successfully, the value of Status in the display access-user command output is Success.

  2. Check whether the link between the AC and Portal server is faulty.

    You can use the ping command to check the link between the AC and Portal server.

  3. Check whether Portal authentication is configured correctly on the AC.

    • Check whether Server IP in the Portal server profile is set to the Portal server IP address.
      • Procedure in the web system: Choose Configuration > Security > AAA > External Portal Server > Modify Authentication Server.

      • Procedure on the CLI:
        [AC6605-web-auth-server-controller] display this
#
web-auth-server controller
 server-ip 10.72.55.101
 port 50100
 shared-key cipher %^%#_z>{/,yLK9s}Bo>mLhW+N;+:5e36HLXNP|G|Is"$%
 url https://10.72.55.101:8445/PortalServer
#
    • Check whether the Portal profile is bound to the Portal access profile and whether the Portal access profile is bound to the related authentication profile.
      • Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile.

      • Procedure on the CLI:
        [AC6605] authentication-profile name portal_authen_profile
[AC6605-authentication-profile-portal_authen_profile] display this
#
authentication-profile name portal_authen_profile
 portal-access-profile portal_access_profile
 free-rule-template portal_free_rule
#
return
[AC6605-authentication-profile-portal_authen_profile] quit
[AC6605] portal-access-profile name portal_access_profile
[AC6605-portal-access-profile-portal_access_profile] display this
#
portal-access-profile name portal_access_profile
web-auth-server controller direct
#
return
    • Check whether the authentication profile is bound to the VAP profile.
      • Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile, select the Portal authentication profile, and click the Display Reference button.

      • Procedure on the CLI: Run the display this command in the VAP profile view.
        [AC6605-wlan-view] vap-profile name guest
[AC6605-wlan-vap-prof-guest] display this
#
forward-mode tunnel
service-vlan vlan-id 242
ssid-profile guest
security-profile wlan-security
authentication-profile portal_authen_profile
#
return

  4. In the browser, enter the Portal server IP address. Check whether the Portal authentication page can be displayed. If the Portal authentication page is not displayed, check Portal server configuration.

    • Check whether the Portal server process has started normally.
    • Contact Portal server engineers for assistance.

  5. If the Portal authentication page can be displayed after you enter the Portal server IP address, enter the domain name of the Portal authentication page in the browser and check whether the Portal authentication page can be displayed. If the Portal authentication page is not displayed, check whether the DNS server IP address is added as a free rule.

    • View the STA's DNS server IP address.

    • Check whether the DNS server IP address is added as a free rule.
      • Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile. Under the related authentication profile, choose Authentication-free Rule Profile. Check whether the DNS server IP address is displayed in the free rule list.

      • Procedure on the CLI:
        [AC6605-authentication-profile-portal_authen_profile] display this 
#
authentication-profile name portal_authen_profile
 portal-access-profile portal_access_profile
 free-rule-template portal_free_rule
#         
[AC6605-free-rule-portal_free_rule] display this
#
free-rule-template name portal_free_rule
 free-rule 1 destination ip 10.72.55.101 mask 255.255.255.255
#
    • If DNS server IP address is not added as a free rule, add it to the free rule list to allow access to the DNS server IP address.
      • Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile. Under the related authentication profile, choose Authentication-free Rule Profile. Then add a free rule.

      • Procedure on the CLI:
        [AC6605] free-rule-template name portal_free_rule
[AC6605-free-rule-portal_free_rule] free-rule 1 destination ip 10.72.55.101 mask 32
    • After the DNS server IP address is added as a free rule, check whether the DNS server can be pinged. If not, contact DNS support engineers from the related carrier for assistance.

  6. Check whether a proxy has been configured in the STA browser. If yes, disable the proxy.
  7. If the STA uses the iOS operating system, configure the portal captive-bypass enable command on the AC to enable the Captive Network Assistant (CNA) bypass function.

    [AC6605] portal captive-bypass enable

  8. To allow STAs to access an HTTPS page, configure the portal https-redirect enable command to enable the HTTPS direction function.

    [AC6605] portal https-redirect enable

  9. If the IP address to access is added to a free rule, redirection will not be performed.
  10. Collect the following information and contact Huawei technical support personnel:

    • STA type, browser type and version, as well as Portal server type
    • Configuration on the AC and networking environment
    • Packets captured on the STA and Portal server
    • Debug information on the AP ( Portal redirection is implemented on the AP in V2R6 and later versions )

      Command

      Functions

      <Huawei> debugging portal all

      Debugging function of the Portal module.

    Disable the debugging function after collecting debugging information.

Troubleshooting Procedure for Authentication Failure

  1. Check whether the user name and password are correct.

    • If local authentication is used, check whether the local user name, password, and service type are configured correctly.
      • Procedure in the web system: Choose Configuration > Security > AAA > Local User, and check the local user information.

      • Procedure on the CLI:
        [AC6605-aaa] display this  
#  
aaa  
 local-user test password cipher %^%#)P{_3raB%"d:u]99njNW=E!:Y$X'#R)f&6WDUt\6%^%#  
 local-user test privilege level 3  
 local-user test service-type web
#
    • If RADIUS authentication is used, run the test-aaa command to test the reachability of the RADIUS server.
      • Test result on the Diagnosis > Diagnosis Tool > AAA Test web page:

      • Command output on the CLI:
        [AC6605] test-aaa huawei huawei radius-template huawei     
Info: Account test succeed
      • If the test fails, troubleshoot the fault following the procedure in AAA Authentication Failure.

  2. Check whether configuration in the Portal access profile is the same as that on the Portal server.

    • Ensure that the correct device IP address is added to the Portal server. Otherwise, the Portal server cannot identify the device.

      By default, the source IP address in the Portal packets sent from the device to the Portal server is the IP address of the interface connected to the Portal server. That is, by default, the Portal server obtains the source IP address from the routing table. To configure the device IP address, run the source-ip command in the Portal access profile.

    • Check whether the port number on the Portal server is the same as the port number on the device.

      The default port through which the device listens to Portal packets is 2000. To change the listening port number, run the web-auth-server listening-port command.

    • Check whether the IP address segment of the STA is added to the STA IP address list on the Portal server.

      If the IP address segment of the STA is not added to the STA IP address list on the Portal server, the Portal server will not send Portal authentication requests from the STA to the device. As a result, the STA cannot be authenticated.

    • Check whether server-ip in the Portal access profile is set to the Portal server IP address.
    • Check whether the shared key in the Portal access profile is the same as that on the Portal server.

      The shared keys on the device and Portal server are in cipher text, so it is difficult to determine whether they are the same. You can configure a same new shared key on the device and Portal server. To configure a shared key on the device, run the shared-key command in the view of the Portal access profile.

    Procedure for checking the shared key in the web system: Choose Configuration > Security > AAA > External Portal Server.

    Procedure for checking the shard key on the CLI:

    [AC6605] display web-auth-server configuration  
 Listening port          : 2000  
 Portal                  : version 1, version 2  
 Include reply message : enabled  
    
 ----------------------------------------------------------------- 
 Web-auth-server Name    : controller  
 IP-address              : 10.72.55.101  
 Shared-key              : %@%@FXM@YP`0d={x6_7/-ku'V'Xv%@%@  
 Source-IP               : -  
 Port / PortFlag         : 50100 / NO  
 URL                     : https://10.72.55.101:8443/webauth  
 URL Template            :  
 Redirection             : Enable  
 Sync                    : Disable  
 Sync Seconds            : 0 
 Sync Max-times          : 0 
 Detect                  : Disable  
 Detect Seconds          : 60  
 Detect Max-times        : 3  
 Detect Critical-num     : 0  
 Detect Action           :  
 Bound Portal profile    : portal_access_profile  
    
 ------------------------------------------------------------------  
 1 Web authentication server(s) in total

  3. Check the reference relationship of the Portal authentication profile.

    • Check whether the authentication profile is bound to the VAP profile.
    • Check whether the Portal access profile is bound to the authentication profile.
    • Check whether the authentication-free rule profile is bound to the authentication profile.
    • Check whether the Portal server profile is bound to the Portal access profile.

  4. Collect the following information and contact Huawei technical support personnel:

    • Fault symptoms and preliminary troubleshooting results
    • Reason why a STA fails to go online or offline
      • Command for checking abnormal offline records:
        [AC6605-diagnose] display aaa abnormal-offline-record mac-address 148f-c661-b424
      • Command for checking online failure records:
        [AC6605-diagnose] display aaa online-fail-record mac-address 148f-c661-b424
      • Command for checking offline records:
        [AC6605-diagnose] display aaa offline-record mac-address 148f-c661-b424

      Run the preceding three commands in the diagnostic view. Otherwise, some reasons cannot be displayed due to permission restrictions.

    • Configuration on the AC and networking environment
    • Packets captured on the STA and server
    • Trace or debug information on the device
      You can use the trace command to trace the entire system process. If the service volume is small, you can use the debugging commands listed in the following table:

      Command

      Functions

      <Huawei> debugging portal all

      Enables Portal authentication debugging.

      <Huawei> debugging web all

      Enables web module debugging.

      <Huawei> debugging cm all

      Enables UCM module debugging.

      <Huawei> debugging aaa all

      Enables AAA module debugging, which is used to view information such as the user authentication domain.

      <Huawei> debugging radius all

      Displays authentication information between a STA and the RADIUS module.

      <Huawei> debugging tm all

      Enables TM module debugging.

    Disable the debugging function after collecting debugging information.

Translation
简体中文
Download
Updated: 2020-11-18

Document ID: EDOC1000060368

Views: 442448

Downloads: 2450

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Enterprise APP

Copyright © 2020 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :