Portal Authentication Failure

WLAN Troubleshooting Guide

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Common Problems

The Portal authentication page cannot be displayed.
The STA cannot pass Portal authentication.

Troubleshooting Flowchart

Click to enlarge

Troubleshooting Procedure for Failure to Display the Portal Authentication Page

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.

Check whether the STA is successfully associated with an AP using either of the following methods. If the STA fails to associate with the AP, troubleshoot the problem following the procedure in Association Failure.
Methods for checking whether an STA is associated with an AP:
- Check the STA association entry.
- Check the user entry.
  - Procedure in the web system: Choose Monitoring > User > User List.
  - Procedure on the CLI: Run the display access-user command in any view, and view the AP system profile used by the AP group.
```
[AC6605] display access-user                                      
 ----------------------------------------------------------------
 UserID  Username      IP address      MAC             Status    
 ----------------------------------------------------------------
 18      98fae34a6cbc  10.23.101.254   98fa-e34a-6cbc  Pre-authen
 -----------------------------------------------------------------
```
If a Portal user is successfully associated with an AP, the value of Status in the display access-user command output is Pre-authen. If a Portal user is authenticated successfully, the value of Status in the display access-user command output is Success.
Check whether the link between the AC and Portal server is faulty.
You can use the ping command to check the link between the AC and Portal server.

Check whether Portal authentication is configured correctly on the AC.

Check whether Server IP in the Portal server profile is set to the Portal server IP address.

Procedure in the web system: Choose Configuration > Security > AAA > External Portal Server > Modify Authentication Server.

Procedure on the CLI:

[AC6605-web-auth-server-controller] display this
#
web-auth-server controller
 server-ip 10.72.55.101
 port 50100
 shared-key cipher %^%#_z>{/,yLK9s}Bo>mLhW+N;+:5e36HLXNP|G|Is"$%
 url https://10.72.55.101:8445/PortalServer
#

Check whether the Portal profile is bound to the Portal access profile and whether the Portal access profile is bound to the related authentication profile.

Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile.

Procedure on the CLI:

[AC6605] authentication-profile name portal_authen_profile
[AC6605-authentication-profile-portal_authen_profile] display this
#
authentication-profile name portal_authen_profile
 portal-access-profile portal_access_profile
 free-rule-template portal_free_rule
#
return
[AC6605-authentication-profile-portal_authen_profile] quit
[AC6605] portal-access-profile name portal_access_profile
[AC6605-portal-access-profile-portal_access_profile] display this
#
portal-access-profile name portal_access_profile
web-auth-server controller direct
#
return

Check whether the authentication profile is bound to the VAP profile.
- Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile, select the Portal authentication profile, and click the Display Reference button.
- Procedure on the CLI: Run the display this command in the VAP profile view.
```
[AC6605-wlan-view] vap-profile name guest
[AC6605-wlan-vap-prof-guest] display this
#
forward-mode tunnel
service-vlan vlan-id 242
ssid-profile guest
security-profile wlan-security
authentication-profile portal_authen_profile
#
return
```

In the browser, enter the Portal server IP address. Check whether the Portal authentication page can be displayed. If the Portal authentication page is not displayed, check Portal server configuration.
- Check whether the Portal server process has started normally.
- Contact Portal server engineers for assistance.
If the Portal authentication page can be displayed after you enter the Portal server IP address, enter the domain name of the Portal authentication page in the browser and check whether the Portal authentication page can be displayed. If the Portal authentication page is not displayed, check whether the DNS server IP address is added as a free rule.
- View the STA's DNS server IP address.
- Check whether the DNS server IP address is added as a free rule.
  - Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile. Under the related authentication profile, choose Authentication-free Rule Profile. Check whether the DNS server IP address is displayed in the free rule list.
  - Procedure on the CLI:
```
[AC6605-authentication-profile-portal_authen_profile] display this 
#
authentication-profile name portal_authen_profile
 portal-access-profile portal_access_profile
 free-rule-template portal_free_rule
#         
[AC6605-free-rule-portal_free_rule] display this
#
free-rule-template name portal_free_rule
 free-rule 1 destination ip 10.72.55.101 mask 255.255.255.255
#
```
- If DNS server IP address is not added as a free rule, add it to the free rule list to allow access to the DNS server IP address.
  - Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile. Under the related authentication profile, choose Authentication-free Rule Profile. Then add a free rule.
  - Procedure on the CLI:
```
[AC6605] free-rule-template name portal_free_rule
[AC6605-free-rule-portal_free_rule] free-rule 1 destination ip 10.72.55.101 mask 32
```
- After the DNS server IP address is added as a free rule, check whether the DNS server can be pinged. If not, contact DNS support engineers from the related carrier for assistance.
Check whether a proxy has been configured in the STA browser. If yes, disable the proxy.
If the STA uses the iOS operating system, configure the portal captive-bypass enable command on the AC to enable the Captive Network Assistant (CNA) bypass function.
```
[AC6605] portal captive-bypass enable
```
To allow STAs to access an HTTPS page, configure the portal https-redirect enable command to enable the HTTPS direction function.
```
[AC6605] portal https-redirect enable
```
If the IP address to access is added to a free rule, redirection will not be performed.
Collect the following information and contact Huawei technical support personnel:
- STA type, browser type and version, as well as Portal server type
- Configuration on the AC and networking environment
- Packets captured on the STA and Portal server
- Debug information on the AP ( Portal redirection is implemented on the AP in V2R6 and later versions )
  Command
  
  Functions
  
  <Huawei> debugging portal all
  
  Debugging function of the Portal module.
Disable the debugging function after collecting debugging information.

Command	Functions
<Huawei> debugging portal all	Debugging function of the Portal module.

Troubleshooting Procedure for Authentication Failure

Check whether the user name and password are correct.
- If local authentication is used, check whether the local user name, password, and service type are configured correctly.
  - Procedure in the web system: Choose Configuration > Security > AAA > Local User, and check the local user information.
  - Procedure on the CLI:
```
[AC6605-aaa] display this  
#  
aaa  
 local-user test password cipher %^%#)P{_3raB%"d:u]99njNW=E!:Y$X'#R)f&6WDUt\6%^%#  
 local-user test privilege level 3  
 local-user test service-type web
#        
```
- If RADIUS authentication is used, run the test-aaa command to test the reachability of the RADIUS server.
  - Test result on the Diagnosis > Diagnosis Tool > AAA Test web page:
  - Command output on the CLI:
```
[AC6605] test-aaa huawei huawei radius-template huawei     
Info: Account test succeed     
```
  - If the test fails, troubleshoot the fault following the procedure in AAA Authentication Failure.
Check whether configuration in the Portal access profile is the same as that on the Portal server.
- Ensure that the correct device IP address is added to the Portal server. Otherwise, the Portal server cannot identify the device.
  By default, the source IP address in the Portal packets sent from the device to the Portal server is the IP address of the interface connected to the Portal server. That is, by default, the Portal server obtains the source IP address from the routing table. To configure the device IP address, run the source-ip command in the Portal access profile.
- Check whether the port number on the Portal server is the same as the port number on the device.
  The default port through which the device listens to Portal packets is 2000. To change the listening port number, run the web-auth-server listening-port command.
- Check whether the IP address segment of the STA is added to the STA IP address list on the Portal server.
  If the IP address segment of the STA is not added to the STA IP address list on the Portal server, the Portal server will not send Portal authentication requests from the STA to the device. As a result, the STA cannot be authenticated.
- Check whether server-ip in the Portal access profile is set to the Portal server IP address.
- Check whether the shared key in the Portal access profile is the same as that on the Portal server.
  The shared keys on the device and Portal server are in cipher text, so it is difficult to determine whether they are the same. You can configure a same new shared key on the device and Portal server. To configure a shared key on the device, run the shared-key command in the view of the Portal access profile.
Procedure for checking the shared key in the web system: Choose Configuration > Security > AAA > External Portal Server.

Procedure for checking the shard key on the CLI:
```
[AC6605] display web-auth-server configuration  
 Listening port          : 2000  
 Portal                  : version 1, version 2  
 Include reply message : enabled  
    
 ----------------------------------------------------------------- 
 Web-auth-server Name    : controller  
 IP-address              : 10.72.55.101  
 Shared-key              : %@%@FXM@YP`0d={x6_7/-ku'V'Xv%@%@  
 Source-IP               : -  
 Port / PortFlag         : 50100 / NO  
 URL                     : https://10.72.55.101:8443/webauth  
 URL Template            :  
 Redirection             : Enable  
 Sync                    : Disable  
 Sync Seconds            : 0 
 Sync Max-times          : 0 
 Detect                  : Disable  
 Detect Seconds          : 60  
 Detect Max-times        : 3  
 Detect Critical-num     : 0  
 Detect Action           :  
 Bound Portal profile    : portal_access_profile  
    
 ------------------------------------------------------------------  
 1 Web authentication server(s) in total 
  
```
Check the reference relationship of the Portal authentication profile.
- Check whether the authentication profile is bound to the VAP profile.
- Check whether the Portal access profile is bound to the authentication profile.
- Check whether the authentication-free rule profile is bound to the authentication profile.
- Check whether the Portal server profile is bound to the Portal access profile.

Collect the following information and contact Huawei technical support personnel:

Fault symptoms and preliminary troubleshooting results
Reason why a STA fails to go online or offline
- Command for checking abnormal offline records:
```
[AC6605-diagnose] display aaa abnormal-offline-record mac-address 148f-c661-b424  
```
- Command for checking online failure records:
```
[AC6605-diagnose] display aaa online-fail-record mac-address 148f-c661-b424
```
- Command for checking offline records:
```
[AC6605-diagnose] display aaa offline-record mac-address 148f-c661-b424
```
Run the preceding three commands in the diagnostic view. Otherwise, some reasons cannot be displayed due to permission restrictions.
Configuration on the AC and networking environment
Packets captured on the STA and server

Trace or debug information on the device

You can use the trace command to trace the entire system process. If the service volume is small, you can use the debugging commands listed in the following table:

Command	Functions
<Huawei> debugging portal all	Enables Portal authentication debugging.
<Huawei> debugging web all	Enables web module debugging.
<Huawei> debugging cm all	Enables UCM module debugging.
<Huawei> debugging aaa all	Enables AAA module debugging, which is used to view information such as the user authentication domain.
<Huawei> debugging radius all	Displays authentication information between a STA and the RADIUS module.
<Huawei> debugging tm all	Enables TM module debugging.

Disable the debugging function after collecting debugging information.

Common Problems
Troubleshooting Flowchart
Troubleshooting Procedure for Failure to Display the Portal Authentication Page
Troubleshooting Procedure for Authentication Failure

Translation

简体中文

Download

Updated: 2021-12-27

Document ID: EDOC1000060368

Downloads: 4411

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode