Common Portal Redirection Failures
- The User Can Be Redirected to the URL of the Portal Page, but the Portal Page Cannot Be Opened
- The Access to Any IP Address Can Be Redirected, but the Access to the Domain Name of the Web Page Cannot Be Redirected
- A Security Alarm Is Reported When an HTTPS Web Page Is Accessed (Normal)
- HTTPS Web Page Access Fails to Be Redirected (HSTS Protocol)
- HTTP Proxy Is Configured on a Terminal, but the Terminal Cannot Be Redirected to the Portal Page
- The URL of the Redirected Portal Page Contains %XX, Which Cannot Be Identified by Some Portal Servers
- The Portal Authentication Page Cannot Be Automatically Displayed After an Apple Terminal Associates with the AP
- Redirection Fails After Any IP Address or Domain Name Is Entered on a STA
The User Can Be Redirected to the URL of the Portal Page, but the Portal Page Cannot Be Opened
Symptom
When a user uses a browser to access any web page, the URL of the Portal page is displayed in the address box of the browser, but the Portal page cannot be opened.
Possible Causes
The possible causes are as follows:
- The network between the STA and the Portal server is disconnected.
- When the AC is connected to a third-party Portal server, the Portal server may work in load balancing mode. The device permits pre-authentication traffic only to the server IP addresses configured in the web-auth-server template; if the Portal page URL points to a different address (for example, the virtual IP address of the load balancer), the AP and AC drop the STA's packets to that address before authentication, so the page cannot load.
Check the server IP addresses and the URL configured in the web-auth-server template. In the following output the URL host (12.12.12.3) is not one of the configured server IP addresses:
[HUAWEI-web-auth-server-server_portal] display this
#
web-auth-server server_portal
 server-ip 12.12.12.1 12.12.12.2
 port 50100
 shared-key cipher %^%#&=*FNh9cq9Z!8CJee+u(JX1jNUQvz#b+iM#Msz3P%^%#
 url http://12.12.12.3:8080/portal
#
Solution
- Check the network between the STA and the Portal server. Ping the Portal server from the STA gateway to check whether the route is correct. If the ping fails, check the route configuration.
- When the device connects to a third-party Portal server that works in load balancing mode, the Portal server address may be different from the Portal page URL. In this case, configure an authentication-free rule profile that permits packets to the host in the Portal page URL, and bind the profile to the authentication profile. Keep the rule as narrow as possible (a single host with a 255.255.255.255 mask, as below), because every destination permitted by a free rule is reachable by STAs that have not yet authenticated.
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule 0 destination ip 12.12.12.3 mask 255.255.255.255
[HUAWEI] authentication-profile name authen_portal
[HUAWEI-authentication-profile-authen_portal] free-rule-template default_free_rule
The Access to Any IP Address Can Be Redirected, but the Access to the Domain Name of the Web Page Cannot Be Redirected
Symptom
After a user enters any IP address in the address box of the browser, the user can be redirected to the Portal page and can access the page normally. However, after a user enters any domain name, the user cannot be redirected to the Portal page.
Possible Causes
Redirection is triggered by the HTTP request that the browser sends after it has resolved the domain name. If the STA cannot reach a DNS server before passing Portal authentication, the name is never resolved, no request is sent, and there is nothing for the device to redirect. The possible causes are as follows:
- No DNS server is deployed on the network. (Generally, no DNS server is deployed in the test phase.)
- The DNS server IP address is not permitted on the AC and AP by running the free-rule command.
- The network between the STA and the DNS server is disconnected.
Solution
- Check whether a DNS server exists on the network and whether the DHCP server assigns a DNS server address to the STA. If no DNS server exists on the network, accessing a domain name cannot trigger redirection.
- Check whether the DNS server IP address is permitted in the authentication-free rule profile. If not, permit the DNS server IP address in the authentication-free rule profile and bind the profile to the authentication profile. Permit only the DNS servers that the DHCP server assigns to STAs (host rules, as below), not arbitrary destinations on port 53: anything reachable through a free rule is reachable by unauthenticated STAs, and an open DNS path can be used to tunnel traffic around the Portal.
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule 1 destination ip 114.114.114.114 mask 255.255.255.255
[HUAWEI] authentication-profile name authen_portal
[HUAWEI-authentication-profile-authen_portal] free-rule-template default_free_rule
- On the STA gateway, ping the DNS server to check whether the route is reachable. If the ping fails, check the intermediate network.
- Run the nslookup command on the STA to check whether the DNS server can correctly resolve the domain name. If not, check the DNS server.
A Security Alarm Is Reported When an HTTPS Web Page Is Accessed (Normal)
According to the Portal redirection mechanism, when a STA accesses an HTTPS web page, the device intercepts the STA's TCP traffic to the fixed HTTPS port (443 by default) and answers it using the destination IP address the STA is trying to reach, so that the TCP connection is established with the device instead of with the real website. A TLS (SSL) handshake then follows in which the device presents its built-in self-signed certificate. Because this certificate is not issued by a certification authority trusted by the STA, and does not carry the name of the website the STA requested, whether the redirection succeeds depends on the browser's security policy. Some STA browsers display a certificate warning when verifying the server certificate; after the user clicks Trust (or Proceed), the Portal page is displayed. Other browsers display no prompt and terminate the connection. This behavior is expected and is not a device fault: to the browser, HTTPS redirection is indistinguishable from a man-in-the-middle attack, and the warning is the browser protecting the user. Users should be guided to open an HTTP URL to trigger redirection rather than trained to accept certificate warnings.
HTTPS Web Page Access Fails to Be Redirected (HSTS Protocol)
When HTTP Strict Transport Security (HSTS) is enabled for a website, a browser that has stored the site's HSTS policy (or has the site in its built-in preload list) must access it over HTTPS with a valid certificate, and any certificate error becomes fatal: the browser offers no option to click through. During HTTPS redirection, the device uses a self-signed certificate (it cannot hold the target website's certificate and private key) to impersonate the target website and establish the TLS connection with the browser. For an HSTS-protected website, the browser detects the untrusted certificate and aborts the connection without showing a warning page, so redirection fails, as shown in the following figure (in this example, Google Chrome is used). Many high-traffic websites, including google.com, are HSTS-preloaded, so a user who tests redirection by typing such a site's name sees a failure rather than the Portal page; test with an HTTP URL instead.
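The following Python script is an added example and is not part of the original page or of the device's software. Run on a STA, it shows what the two sections above describe: how the device's HTTPS interception looks to a TLS client that verifies certificates the way a browser does, and how an HSTS policy turns the resulting certificate warning into a hard failure. It assumes (the page does not state this) that the device's built-in certificate is self-signed and carries no name for the requested site, so verification fails with a self-signed or hostname-mismatch error.

```python
"""Added example, not from the original page: from a STA, check how the device's
HTTPS interception appears to a TLS client and read the target site's HSTS
policy, to tell a normal certificate warning from the HSTS hard failure.

Assumption (not stated on the page): the device's built-in certificate is
self-signed and carries no name for the requested site, so verification fails
with a self-signed or hostname-mismatch error.
"""
import socket
import ssl
from typing import Optional


def classify_verify_message(message: str) -> str:
    """Map an OpenSSL/Python certificate verification message to a cause.

    'self-signed'  the peer presented a self-signed certificate
    'wrong-host'   the certificate chained to a trusted CA but not for this name
    'untrusted'    any other chain problem (unknown issuer, expired, ...)
    """
    m = message.lower()
    if "self signed" in m or "self-signed" in m:
        return "self-signed"
    if "hostname mismatch" in m:
        return "wrong-host"
    return "untrusted"


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns None if the header is absent or carries no valid max-age.
    """
    if not header:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if value.isdigit():
                policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def hsts_active(policy: Optional[dict]) -> bool:
    """A stored policy with max-age 0 tells the browser to forget the host."""
    return bool(policy) and policy["max_age"] > 0


def browser_outcome(cert_problem: Optional[str], hsts_known: bool) -> str:
    """Expected behaviour of the STA browser for one intercepted HTTPS request.

    cert_problem is None when verification succeeded, otherwise a value from
    classify_verify_message(). hsts_known is True when the browser has a
    stored or preloaded HSTS policy for the host.
    """
    if cert_problem is None:
        return "page loads from the real site; no redirection took place"
    if hsts_known:
        return "hard failure: HSTS makes the certificate error fatal, no click-through"
    return "certificate warning; Portal page appears only if the user clicks through"


def probe_https(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Live check for use on a STA (needs network; not run by the offline tests).

    Returns (cert_problem, hsts_policy). Verification uses the system trust
    store, as a browser would; on an intercepted connection the handshake
    fails and cert_problem says why. hsts_policy is read from the real site's
    response and is therefore only available when verification succeeded.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                head = tls.recv(65536).decode("iso-8859-1")
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_message(exc.verify_message), None
    hsts = None
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            hsts = parse_hsts(value.strip())
    return None, hsts


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    problem, policy = probe_https(target)
    print(target, "->", problem or "certificate OK", "HSTS:", policy)
    print(browser_outcome(problem, hsts_known=hsts_active(policy)))
```

Run it before authenticating and the handshake fails with a self-signed or hostname-mismatch cause, which is the symptom described above; run it after authenticating and the real site answers, including its HSTS header if it sends one. When the connection is intercepted, the site's HSTS header is of course never received; the browser's knowledge of the policy comes from an earlier visit or from the preload list, which is why a site that worked in the browser yesterday fails hard on the Portal today.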
HTTP Proxy Is Configured on a Terminal, but the Terminal Cannot Be Redirected to the Portal Page
If an HTTP proxy is configured on the terminal, or the network uses a port other than 80 or 443 for web access, the browser sends its requests to the proxy's address and port (for example, TCP port 8080) rather than to the destination website on port 80 or 443. The device intercepts only traffic to those ports by default, so the requests pass through unredirected. If this problem occurs, capture packets on the STA or check the browser's proxy configuration. For example, on Internet Explorer of a Windows STA, choose Internet Properties > Connections > LAN settings.
Solution:
# Enable redirection of HTTP proxy traffic.
[HUAWEI] portal http-proxy-redirect enable
The URL of the Redirected Portal Page Contains %XX, Which Cannot Be Identified by Some Portal Servers
Symptom
When a third-party Portal server is connected, the browser can be redirected to the URL of the Portal page, but the Portal page cannot be opened. The URL of the Portal page contains %XX, for example, http://12.12.12.1:8080/portal?ac%2Dip=100%2E1%2E1%2E1&userip=200%2E1%2E1%2E172&ssid=portal%5Ftest.
Possible Causes
By default, the Portal URL encoding and decoding function is enabled on the device.
URL encoding (percent-encoding) represents a character as a percent sign (%) followed by the two hexadecimal digits of its byte value. For example, the ASCII code of a backslash (\) is 92 in decimal, which is 5C in hexadecimal, so a backslash is encoded as %5C. Encoding is required for bytes that cannot appear literally in a URL (non-ASCII characters such as Chinese characters, and spaces) and for reserved characters that would otherwise change the meaning of the URL, such as the equal sign (=), ampersand (&), question mark (?) and the percent sign (%) itself. The device, however, also encodes characters that RFC 3986 classifies as unreserved and that never need encoding, such as the hyphen (-), period (.) and underscore (_); this is why the example URL above contains %2D, %2E and %5F. A standards-compliant Portal server decodes these like any other percent-encoded octet, but some Portal servers compare parameter names literally and do not recognize ac%2Dip as ac-ip. When the URL encoding function is enabled on the device and such a server is used, the redirection fails.
Solution
Disable the Portal URL encoding function on the device.
[HUAWEI] undo portal url-encode enable
With encoding disabled, parameter values are placed in the URL literally. Non-ASCII values (for example, a Chinese SSID) are then sent as raw bytes, and a value containing a reserved character such as & or = changes the structure of the query string, so the Portal server sees different parameters from those the device intended. Prefer correcting the Portal server's decoding where that is possible, and disable encoding only when parameter values are known to be plain ASCII without reserved characters.
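The following Python script is an added example, not code from the original page or from the device. It reproduces the encoding seen in the example URL above, shows how a standards-compliant Portal server and a naive one each read it, and demonstrates the parameter-injection problem that appears when encoding is disabled and a value contains a reserved character. The base URL and parameter values are those of the page's example; the encoder model, the naive-server model, the SSID `guest&admin=1` and the Chinese SSID are assumptions constructed for this example.

```python
"""Added example, not from the original page: reproduce the percent-encoding
the device applies to the Portal redirect URL, show how a standards-compliant
server and a naive server each read it, and show what breaks when encoding is
disabled. The base URL and parameter values are the ones in the page's example;
the SSID 'guest&admin=1' and the Chinese SSID are constructed here.
"""
from urllib.parse import parse_qs, quote, unquote, urlsplit

BASE_URL = "http://12.12.12.1:8080/portal"
PARAMS = {"ac-ip": "100.1.1.1", "userip": "200.1.1.172", "ssid": "portal_test"}
EXPECTED_NAMES = ("ac-ip", "userip", "ssid")


def device_encode(value: str) -> str:
    """Model of the device's encoder, inferred from the example URL: every byte
    except ASCII letters and digits becomes %XX, including the RFC 3986
    unreserved characters - . _ ~ (hence %2D, %2E and %5F)."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            out.extend(f"%{b:02X}" for b in ch.encode("utf-8"))
    return "".join(out)


def rfc3986_encode(value: str) -> str:
    """Encode only what must be encoded; alphanumerics and -._~ stay literal."""
    return quote(value, safe="")


def build_redirect(params: dict, encode) -> str:
    """Assemble the redirect URL with the given encoder (identity = encoding off)."""
    query = "&".join(f"{encode(k)}={encode(v)}" for k, v in params.items())
    return f"{BASE_URL}?{query}"


def compliant_server_parse(url: str) -> dict:
    """A server that percent-decodes every %XX in names and values (RFC 3986)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def naive_server_parse(url: str) -> dict:
    """Model of the 'some Portal servers' on the page: splits on & and =, looks
    up the expected parameter names literally, and only then percent-decodes
    the values. A name that arrived as ac%2Dip is not recognized as ac-ip."""
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value
    return {n: unquote(raw[n]) for n in EXPECTED_NAMES if n in raw}


if __name__ == "__main__":
    for label, enc in (("device", device_encode), ("rfc3986", rfc3986_encode), ("off", lambda s: s)):
        url = build_redirect(PARAMS, enc)
        print(f"{label:8} {url}")
        print(f"{'':8} compliant server: {compliant_server_parse(url)}")
        print(f"{'':8} naive server    : {naive_server_parse(url)}")
```

The device-style URL is parsed correctly by the compliant server but loses ac-ip on the naive server, which is the failure the page describes. With encoding turned off, the naive server is satisfied, but an SSID of `guest&admin=1` arrives as a second parameter `admin=1` on either server; RFC 3986 encoding (`guest%26admin%3D1`) keeps the value intact and is the form a corrected Portal server should accept.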
The Portal Authentication Page Cannot Be Automatically Displayed After an Apple Terminal Associates with the AP
Symptom
After an Apple terminal connects to a wireless network, the Portal authentication page is not automatically displayed.
Possible Causes
- If this problem occurs on all Apple terminals, the possible causes are as follows:
- The CNA bypass function is enabled on the device (with the portal captive-bypass enable command incorrectly configured).
- The device permits the domain name (captive.apple.com) of the server detected by the Apple terminal, its sub-domain names, or the IP address corresponding to this domain name through the authentication-free rule.
- The Portal server uses HTTPS, and the Portal server website does not have a valid certificate.
- If this problem occurs on some Apple terminals only, the problem is most likely caused by the terminals themselves. After connecting to the wireless network, the terminal's built-in captive network detection sends a probe request to the Apple detection server but does not invoke the Captive Network Assistant (CNA) browser window to display the response, so the detection page, and with it the Portal page, is not displayed automatically.
Solution
- If this problem occurs on all Apple terminals, perform the following steps:
- Check whether the CNA bypass function is configured. If so, disable it.
[HUAWEI] undo portal captive-bypass enable
- Check whether the authentication-free rule permits the domain name of the server detected by the Apple terminal (captive.apple.com), any of its sub-domain names, or the IP address corresponding to the domain name. If so, delete that entry. An Apple terminal decides whether it is behind a Portal by probing this server before authentication; if the probe is permitted and the genuine Apple response comes back, the terminal concludes that the network is open and never displays the Portal page.
Check the configuration in the authentication-free rule profile:
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] display this
#
free-rule-template name default_free_rule
 free-rule acl 6000
#
Check the ACL referenced by the profile:
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] display this
#
acl number 6000
 rule 5 permit ip destination 114.114.114.114 0
 rule 10 permit ip destination passthrough-domain captive.apple.com
#
Delete the rule that permits the Apple detection server:
[HUAWEI] acl 6000
[HUAWEI-acl-ucl-6000] undo rule 10
- Check the protocol used by the Portal server page. Use a browser to access any website so that it is redirected to the Portal page, and view the URL in the address bar. If the URL starts with https://, the Portal server page uses HTTPS; the CNA verifies the server certificate and shows nothing if it is invalid. You are advised to change the protocol to HTTP or to obtain a certificate for the Portal server's host name from a certification authority that Apple terminals trust.
- If this problem occurs on some Apple terminals only, you are advised to capture wireless packets on the terminal side for analysis.
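The following Python script is an added example, not code from the original page or from the device. It models the captive-network probe that an Apple terminal sends after associating and classifies the answer the way the terminal does, which makes the cause above concrete: a free rule that lets the probe through returns the genuine Apple page, so the terminal never opens the Portal. The probe URL and expected page body are what captive.apple.com serves; the sample responses are constructed for the example, and the `run_probe` helper is for use on a STA connected to the SSID under test.

```python
"""Added example, not from the original page: model of the captive-network
probe that Apple terminals send to captive.apple.com after associating, showing
which answers make the Captive Network Assistant (CNA) open the Portal page
and why a free rule that permits the probe suppresses it.

The probe URL and the expected page body are what captive.apple.com serves;
the sample responses in the tests are constructed, not captured from a device.
"""
import http.client
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

PROBE_URL = "http://captive.apple.com/hotspot-detect.html"
# Body served by the real Apple server; anything else means the device answered.
EXPECTED_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"


@dataclass
class ProbeResult:
    verdict: str               # "open", "portal" or "blocked"
    portal_url: Optional[str]  # Location the device redirected to, if any


def classify_probe(status: Optional[int], headers: dict, body: str) -> ProbeResult:
    """Decide from one probe response what the terminal will do.

    open    : the genuine Apple page came back. Before authentication this
              means the probe was permitted (free rule for captive.apple.com
              or its IP address): the terminal believes the network is open
              and the CNA pop-up does not appear.
    portal  : the device answered instead, with a 3xx to the Portal URL or
              with its own page. The CNA opens and shows that page.
    blocked : no HTTP answer at all (probe dropped, DNS failure, time-out).
              No pop-up either.
    """
    if status is None:
        return ProbeResult("blocked", None)
    lower = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and "location" in lower:
        return ProbeResult("portal", lower["location"])
    if status == 200 and body.strip() == EXPECTED_BODY:
        return ProbeResult("open", None)
    return ProbeResult("portal", None)


def run_probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResult:
    """Send the probe from a STA (needs network; not run by the offline tests).

    http.client does not follow redirects, so a 302 from the device is seen
    as such rather than being silently followed to the Portal page.
    """
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return classify_probe(resp.status, dict(resp.getheaders()), body)
    except (OSError, http.client.HTTPException):
        return classify_probe(None, {}, "")
    finally:
        conn.close()


if __name__ == "__main__":
    result = run_probe()
    print(result.verdict, result.portal_url or "")
```

Run from a laptop on the SSID before authenticating: a verdict of "open" means the probe reached Apple, which is exactly the free-rule leak the steps above remove; "portal" with a Location is the expected result and shows the URL the CNA would open; "blocked" points at the DNS or connectivity problems covered earlier on this page.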
Redirection Fails After Any IP Address or Domain Name Is Entered on a STA
Symptom
After a user enters any IP address or domain name on a STA, the STA cannot be redirected.
Possible Causes
The possible cause is that the Portal server detection function is enabled in the web-auth-server template by mistake.
[HUAWEI] web-auth-server test
[HUAWEI-web-auth-server-test] display this
#
web-auth-server test
 server-ip 12.12.12.6
 port 50100
 shared-key cipher %^%#N|):V]!Q-,Og!^95TW9I:(wsM_VyjF~"n*L@.ay2%^%#
 url http://12.12.12.6
 server-detect
#
The server-detect command works as follows: the Portal server proactively sends heartbeat packets to the device, and the device checks every 100s whether a heartbeat packet has been received. If no heartbeat is received in three consecutive intervals, the device sets the Portal server status to Down and stops redirecting users to it, since redirecting to a server it believes unreachable would only produce a page that cannot be opened. Run the display server-detect state web-auth-server command to check the status of the Portal server. If the Status field is Abnormal, the Portal server is considered Down.
[HUAWEI] display server-detect state web-auth-server test
Web-auth-server : test
Total-servers : 1
Live-servers : 0
Critical-num : 0
Status : Abnormal
Ip-address Status
12.12.12.6 DOWN
#
Solution
- If the Agile Controller is used as the Portal server, select Enable heartbeat between access device and Portal server in the Authentication Parameters tab page.
- Generally, a third-party Portal server does not support this function. You are advised to delete the server-detect configuration.