Portal Authentication Failure
Common Problems
- The Portal authentication page cannot be displayed.
- The STA cannot pass Portal authentication.
Troubleshooting Flowchart
Troubleshooting Procedure for Failure to Display the Portal Authentication Page
Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.
- Check whether the STA is successfully associated with an AP using either of the following methods. If the STA fails to associate with the AP, troubleshoot the problem following the procedure in Association Failure.
Methods for checking whether an STA is associated with an AP:
- Check the STA association entry.
- Check the user entry.
- Procedure in the web system: Choose Monitoring > User > User List.
- Procedure on the CLI: Run the display access-user command in any view, and view the AP system profile used by the AP group.
    [AC6605] display access-user
     ----------------------------------------------------------------
     UserID  Username      IP address     MAC             Status
     ----------------------------------------------------------------
     18      98fae34a6cbc  10.23.101.254  98fa-e34a-6cbc  Pre-authen
     ----------------------------------------------------------------
If a Portal user is successfully associated with an AP, the value of Status in the display access-user command output is Pre-authen. If a Portal user is authenticated successfully, the value of Status in the display access-user command output is Success.
- Check whether the link between the AC and Portal server is faulty.
You can use the ping command to check the link between the AC and Portal server.
- Check whether Portal authentication is configured correctly on the AC.
- Check whether Server IP in the Portal server profile is set to the Portal server IP address.
- Procedure in the web system: Choose Configuration > Security > AAA > External Portal Server > Modify Authentication Server.
- Procedure on the CLI:
    [AC6605-web-auth-server-controller] display this
    #
    web-auth-server controller
     server-ip 10.72.55.101 port 50100
     shared-key cipher %^%#_z>{/,yLK9s}Bo>mLhW+N;+:5e36HLXNP|G|Is"$%
     url https://10.72.55.101:8445/PortalServer
    #
- Check whether the Portal profile is bound to the Portal access profile and whether the Portal access profile is bound to the related authentication profile.
- Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile.
- Procedure on the CLI:
    [AC6605] authentication-profile name portal_authen_profile
    [AC6605-authentication-profile-portal_authen_profile] display this
    #
    authentication-profile name portal_authen_profile
     portal-access-profile portal_access_profile
     free-rule-template portal_free_rule
    #
    return
    [AC6605-authentication-profile-portal_authen_profile] quit
    [AC6605] portal-access-profile name portal_access_profile
    [AC6605-portal-access-profile-portal_access_profile] display this
    #
    portal-access-profile name portal_access_profile
     web-auth-server controller direct
    #
    return
- Check whether the authentication profile is bound to the VAP profile.
- Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile, select the Portal authentication profile, and click the Display Reference button.
- Procedure on the CLI: Run the display this command in the VAP profile view.
    [AC6605-wlan-view] vap-profile name guest
    [AC6605-wlan-vap-prof-guest] display this
    #
     forward-mode tunnel
     service-vlan vlan-id 242
     ssid-profile guest
     security-profile wlan-security
     authentication-profile portal_authen_profile
    #
    return
- In the browser, enter the Portal server IP address. Check whether the Portal authentication page can be displayed. If the Portal authentication page is not displayed, check Portal server configuration.
- Check whether the Portal server process has started normally.
- Contact Portal server engineers for assistance.
- If the Portal authentication page can be displayed after you enter the Portal server IP address, enter the domain name of the Portal authentication page in the browser and check whether the Portal authentication page can be displayed. If the Portal authentication page is not displayed, check whether the DNS server IP address is added as a free rule.
- View the STA's DNS server IP address.
- Check whether the DNS server IP address is added as a free rule.
- Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile. Under the related authentication profile, choose Authentication-free Rule Profile. Check whether the DNS server IP address is displayed in the free rule list.
- Procedure on the CLI:
    [AC6605-authentication-profile-portal_authen_profile] display this
    #
    authentication-profile name portal_authen_profile
     portal-access-profile portal_access_profile
     free-rule-template portal_free_rule
    #
    [AC6605-free-rule-portal_free_rule] display this
    #
    free-rule-template name portal_free_rule
     free-rule 1 destination ip 10.72.55.101 mask 255.255.255.255
    #
- If the DNS server IP address is not added as a free rule, add it to the free rule list to allow access to the DNS server IP address.
- Procedure in the web system: Choose Configuration > Security > AAA > Authentication Profile. Under the related authentication profile, choose Authentication-free Rule Profile. Then add a free rule.
- Procedure on the CLI:
    [AC6605] free-rule-template name portal_free_rule
    [AC6605-free-rule-portal_free_rule] free-rule 1 destination ip 10.72.55.101 mask 32
- After the DNS server IP address is added as a free rule, check whether the DNS server can be pinged. If not, contact DNS support engineers from the related carrier for assistance.
- Check whether a proxy has been configured in the STA browser. If yes, disable the proxy.
- If the STA uses the iOS operating system, configure the portal captive-bypass enable command on the AC to enable the Captive Network Assistant (CNA) bypass function.
[AC6605] portal captive-bypass enable
- To allow STAs to access an HTTPS page, configure the portal https-redirect enable command to enable the HTTPS redirection function.
[AC6605] portal https-redirect enable
- If the IP address to access is added to a free rule, redirection will not be performed.
- Collect the following information and contact Huawei technical support personnel:
- STA type, browser type and version, as well as Portal server type
- Configuration on the AC and networking environment
- Packets captured on the STA and Portal server
- Debug information on the AP (Portal redirection is implemented on the AP in V2R6 and later versions)
    Command                          Functions
    <Huawei> debugging portal all    Debugging function of the Portal module.
Disable the debugging function after collecting debugging information.
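The free-rule check in the procedure above (whether the STA's DNS server IP address is covered by a free rule) can be run against saved display this output. The following is an added example, not Huawei code; the second free rule and the two DNS server addresses are constructed sample values, and both mask notations shown on this page are accepted.

```python
import ipaddress
import re

# Constructed sample: free-rule lines in both mask notations shown on this page.
SAMPLE_CONFIG = """\
free-rule-template name portal_free_rule
 free-rule 1 destination ip 10.72.55.101 mask 255.255.255.255
 free-rule 2 destination ip 10.72.60.0 mask 24
"""

RULE_RE = re.compile(
    r"^\s*free-rule\s+(\d+)\s+destination\s+ip\s+(\S+)\s+mask\s+(\S+)", re.M)

def parse_free_rules(config_text):
    """Return {rule_id: IPv4Network} for every 'destination ip' free rule."""
    rules = {}
    for rule_id, addr, mask in RULE_RE.findall(config_text):
        # ip_network accepts a prefix length ("32") as well as a dotted mask.
        rules[int(rule_id)] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return rules

def covering_rules(config_text, ip):
    """Return the IDs of the free rules whose destination network contains ip."""
    target = ipaddress.ip_address(ip)
    return sorted(rid for rid, net in parse_free_rules(config_text).items()
                  if target in net)

def check_dns_free_rule(config_text, dns_ips):
    """Map each DNS server IP to its covering rule IDs (empty list = not reachable before login)."""
    return {ip: covering_rules(config_text, ip) for ip in dns_ips}

if __name__ == "__main__":
    # 10.72.60.53 and 10.72.70.53 are constructed DNS server addresses.
    result = check_dns_free_rule(SAMPLE_CONFIG, ["10.72.60.53", "10.72.70.53"])
    for ip, rids in result.items():
        status = f"covered by free-rule {rids}" if rids else "NOT covered: add a free rule"
        print(f"{ip}: {status}")
```

An empty list for a DNS server address means name resolution fails before authentication, so the Portal page opens by IP address but not by domain name.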
Troubleshooting Procedure for Authentication Failure
- Check whether the user name and password are correct.
- If local authentication is used, check whether the local user name, password, and service type are configured correctly.
- Procedure in the web system: Choose Configuration > Security > AAA > Local User, and check the local user information.
- Procedure on the CLI:
    [AC6605-aaa] display this
    #
    aaa
     local-user test password cipher %^%#)P{_3raB%"d:u]99njNW=E!:Y$X'#R)f&6WDUt\6%^%#
     local-user test privilege level 3
     local-user test service-type web
    #
- If RADIUS authentication is used, run the test-aaa command to test the reachability of the RADIUS server.
- Test result on the Diagnosis > Diagnosis Tool > AAA Test web page:
- Command output on the CLI:
    [AC6605] test-aaa huawei huawei radius-template huawei
    Info: Account test succeed
- If the test fails, troubleshoot the fault following the procedure in AAA Authentication Failure.
- Check whether configuration in the Portal access profile is the same as that on the Portal server.
- Ensure that the correct device IP address is added to the Portal server. Otherwise, the Portal server cannot identify the device.
By default, the source IP address in the Portal packets sent from the device to the Portal server is the IP address of the interface connected to the Portal server. That is, by default, the Portal server obtains the source IP address from the routing table. To configure the device IP address, run the source-ip command in the Portal access profile.
- Check whether the port number on the Portal server is the same as the port number on the device.
The default port through which the device listens to Portal packets is 2000. To change the listening port number, run the web-auth-server listening-port command.
- Check whether the IP address segment of the STA is added to the STA IP address list on the Portal server.
If the IP address segment of the STA is not added to the STA IP address list on the Portal server, the Portal server will not send Portal authentication requests from the STA to the device. As a result, the STA cannot be authenticated.
- Check whether server-ip in the Portal access profile is set to the Portal server IP address.
- Check whether the shared key in the Portal access profile is the same as that on the Portal server.
The shared keys on the device and Portal server are displayed in cipher text, so it is difficult to determine whether they are the same. Instead, configure the same new shared key on both the device and the Portal server. To configure a shared key on the device, run the shared-key command in the view of the Portal access profile.
Procedure for checking the shared key in the web system: Choose Configuration > Security > AAA > External Portal Server.
Procedure for checking the shared key on the CLI:
    [AC6605] display web-auth-server configuration
      Listening port        : 2000
      Portal                : version 1, version 2
      Include reply message : enabled
     -----------------------------------------------------------------
      Web-auth-server Name : controller
      IP-address           : 10.72.55.101
      Shared-key           : %@%@FXM@YP`0d={x6_7/-ku'V'Xv%@%@
      Source-IP            : -
      Port / PortFlag      : 50100 / NO
      URL                  : https://10.72.55.101:8443/webauth
      URL Template         :
      Redirection          : Enable
      Sync                 : Disable
      Sync Seconds         : 0
      Sync Max-times       : 0
      Detect               : Disable
      Detect Seconds       : 60
      Detect Max-times     : 3
      Detect Critical-num  : 0
      Detect Action        :
      Bound Portal profile : portal_access_profile
     ------------------------------------------------------------------
      1 Web authentication server(s) in total
- Check the reference relationship of the Portal authentication profile.
- Check whether the authentication profile is bound to the VAP profile.
- Check whether the Portal access profile is bound to the authentication profile.
- Check whether the authentication-free rule profile is bound to the authentication profile.
- Check whether the Portal server profile is bound to the Portal access profile.
- Collect the following information and contact Huawei technical support personnel:
- Fault symptoms and preliminary troubleshooting results
- Reason why a STA fails to go online or offline
- Command for checking abnormal offline records:
[AC6605-diagnose] display aaa abnormal-offline-record mac-address 148f-c661-b424
- Command for checking online failure records:
[AC6605-diagnose] display aaa online-fail-record mac-address 148f-c661-b424
- Command for checking offline records:
[AC6605-diagnose] display aaa offline-record mac-address 148f-c661-b424
Run the preceding three commands in the diagnostic view. Otherwise, some reasons cannot be displayed due to permission restrictions.
- Configuration on the AC and networking environment
- Packets captured on the STA and server
- Trace or debug information on the device. You can use the trace command to trace the entire system process. If the service volume is small, you can use the debugging commands listed in the following table:
    Command                          Functions
    <Huawei> debugging portal all    Enables Portal authentication debugging.
    <Huawei> debugging web all       Enables web module debugging.
    <Huawei> debugging cm all        Enables UCM module debugging.
    <Huawei> debugging aaa all       Enables AAA module debugging, which is used to view information such as the user authentication domain.
    <Huawei> debugging radius all    Displays authentication information between a STA and the RADIUS module.
    <Huawei> debugging tm all        Enables TM module debugging.
Disable the debugging function after collecting debugging information.
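The reference-relationship checks in the authentication-failure procedure (VAP profile, authentication profile, Portal access profile, authentication-free rule profile, Portal server profile) can be walked in one pass over saved configuration text. The following is an added example, not Huawei code; the sample is constructed from the display this fragments on this page, and the '#'-separated layout with one profile per section is an assumption.

```python
import re

# Constructed sample built from the 'display this' fragments on this page (assumed layout).
SAMPLE_CONFIG = """\
free-rule-template name portal_free_rule
 free-rule 1 destination ip 10.72.55.101 mask 255.255.255.255
#
web-auth-server controller
 server-ip 10.72.55.101 port 50100
#
portal-access-profile name portal_access_profile
 web-auth-server controller direct
#
authentication-profile name portal_authen_profile
 portal-access-profile portal_access_profile
 free-rule-template portal_free_rule
#
vap-profile name guest
 authentication-profile portal_authen_profile
"""

def parse_sections(text):
    """Split on '#' lines; key each section by (type, name) taken from its first line."""
    sections = {}
    for block in re.split(r"^#[ \t]*$", text, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines:
            head = lines[0].split()
            sections[(head[0], head[-1])] = lines[1:]
    return sections

def referenced(lines, keyword):
    """Return the name that follows 'keyword' in a section body, or None."""
    hits = [l.split()[1] for l in lines if l.split()[0] == keyword and len(l.split()) > 1]
    return hits[0] if hits else None

def check_chain(text, vap):
    """Walk VAP -> authentication -> Portal access -> Portal server; return broken links."""
    s, problems = parse_sections(text), []
    def follow(kind, name, keyword):
        target = referenced(s.get((kind, name), []), keyword) if name else None
        if name and (keyword, target) not in s:
            problems.append(f"{kind} {name}: {keyword} missing or undefined")
            return None
        return target
    auth = follow("vap-profile", vap, "authentication-profile")
    access = follow("authentication-profile", auth, "portal-access-profile")
    follow("authentication-profile", auth, "free-rule-template")
    follow("portal-access-profile", access, "web-auth-server")
    return problems
```

check_chain(SAMPLE_CONFIG, "guest") returns an empty list when every binding resolves; each returned string names the profile whose binding is missing or points at an undefined profile.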