Key Configuration Check

WLAN Troubleshooting Guide

About This Document
Using eDesk Pro for Network Inspection and Troubleshooting
Using Troubleshooting Insights
Risky Operations
- Hardware-Related Risky Operations
- Software-Related Risky Operations
Routine Maintenance
- Routine Maintenance Overview
- Before You Start
- Checking the Device Environment
  - Checking the Equipment Room Environment
  - Checking the Cable Status
- Checking Basic Device Information
  - Checking the Indicator Status
  - Checking for Critical or Major Alarms on an AC
- Checking the Device Running Status
- Checking Interface Information
- Checking Services
  - Checking the User Status
- Fault Information Collection and Feedback
Troubleshooting: Hardware
- Hardware Overview
- Troubleshooting Guidelines for Hardware
- Troubleshooting Cases for Hardware Faults
- Hardware FAQs
Troubleshooting: STA Experience Faults
- Troubleshooting Guidelines for STA Experience Faults
- Troubleshooting Cases for STA Experience Issues
- STA Experience FAQs
Troubleshooting: AP Joining Faults
- Troubleshooting Guidelines for AP Joining Faults
  - An AP Fails to Go Online on the AC
  - An AP Goes Offline Unexpectedly
- Troubleshooting Cases for AP Onboarding Issues
- AP Onboarding FAQs
Troubleshooting: STA Onboarding Faults
- Troubleshooting Guidelines for STA Onboarding Faults
- Troubleshooting Cases for STA Onboarding Issues
- STA Onboarding FAQs
Troubleshooting: Wireless Access Authentication Issues
- 802.1X Authentication Failures
- HTTP-based External Portal Authentication Failures
- Failures in External Portal Authentication Using the Portal Protocol
- Portal Redirection Failures
- Built-in Portal LDAP or AD Authentication Failures
- Failure to Access the Built-in Portal Page
  - Key Configuration Check
  - Common Built-in Portal Page Access Failures
- Troubleshooting Cases for STA Authentication Failures
- WLAN Authentication FAQs
Troubleshooting: Device Login Faults
- Troubleshooting Guidelines for Device Login Faults
- Device Login FAQs
Troubleshooting: Device Upgrade Faults
- Troubleshooting Guidelines for Device Upgrade Faults
- Troubleshooting Cases for Device Upgrade Failures
  - Case Study: Intelligent Upgrade Fails Because the CA Certificate on the AC Does Not Match That on the HOUP Server
  - Case Study: AP5030DN Upgrade and Mode Switching Are Abnormal Because the AP5030DN Enters the Assistant Package Mode
- Device Upgrade FAQs
Troubleshooting: Device Management Faults
- Troubleshooting Guidelines for Device Management Faults
- Device Management FAQs
Troubleshooting: Reliability Faults
- Troubleshooting Guidelines for Reliability Faults
- Troubleshooting Cases for Reliability Issues
- Reliability FAQs
Troubleshooting: Wireless Bridge Service Faults
- Troubleshooting Guidelines for Wireless Bridge Service Faults
- Wireless Bridge FAQs
Troubleshooting: Radio Management Service Faults
- Troubleshooting Guidelines for Radio Management Service Faults
  - Radio Calibration Does Not Take Effect
  - AI Roaming Does Not Take Effect
- Radio Management FAQs
Troubleshooting: Cloud Management Faults
- Troubleshooting Guidelines for Cloud Management Faults
- Troubleshooting Cases for Cloud Management Faults
  - Case Study: Fit APs Managed by a Cloud AC Fail to Go Online Due to Insufficient License Resources on the Cloud Management Platform
  - Case Study: In a VRRP Backup Scenario, a Loop Occurs on the Network When ACs Connect to the Cloud in PnP Auto-Negotiation Mode
Troubleshooting: CPE Service Faults
- Troubleshooting Guidelines for CPE Service Faults
- Troubleshooting Cases for CPE Service Faults
  - Case Study: When a CPE Roams Repeatedly, Terminals Connected to the CPE Are Intermittently Disconnected
  - Case Study: An Exception Occurs on a CPE Tunnel Due to EoGRE Configuration Changes
- CPE Service FAQs
  - How Can I Know the CPE Connected to a Wired Terminal and Its Uplink AP?
  - How Do I Collect CPE Fault Information by One Click?
Troubleshooting: Others
- Troubleshooting Guidelines for Other WLAN Service Faults
  - User Rate Limiting Does Not Take Effect
- Troubleshooting Cases for Other WLAN Service Issues
  - Case Study: Two STAs Connected to the Same SSID on the Same AP Cannot Communicate with Each Other Because the traffic-optimize bcmc deny all Command Is Executed on the Device
- FAQs About Other WLAN Services
TechNotes
- WLAN Network Optimization
- How an AP Joins an AC and Troubleshooting Any Join Failures
- How to Log In to WLAN ACs and APs
- Troubleshooting WLAN Password Issues
- AP Mode Switching - Overview, Configuration Examples, and Troubleshooting
- TechNotes: Mapping Between WACs and APs
- TechNotes: Wireless Packet Obtaining
- VLAN Deployment Guide for WLAN
- WLAN Performance Test Guide
- How to Configure Option 43 When Huawei APs Are Connected to DHCP Servers of Different Vendors
- Common WLAN Configuration Errors
Appendix: Common Information Collection and Fault Diagnostic Commands
- Information Collection
- Typical Fault Information Collection
- System Maintenance Methods
- Common Fault Diagnostic Commands
Appendix: Indicators
Contacting Huawei Technical Support

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Key Configuration Check

Built-in Portal Server Configuration
VAP Profile Configuration
Authentication Mode Configuration
LDAP Server Template Configuration
AD Server Template Configuration

Built-in Portal Server Configuration

Check whether the built-in Portal server is enabled, including whether the server is enabled and the authentication mode is PAP, and whether the IP address, protocol, and port of the server are correct.

[HUAWEI] display portal local-server
Portal local-server config       :
 server status                   : enable
 Heartbeat-check status          : disable
 server ip                       : 200.1.1.1
 authentication method           : pap // Only PAP is supported for the AD/LDAP server.
 protocol                        : https
 https ssl-policy                : default_policy
 server max-user                 : 1024
 server port                     : 2000

If the built-in Portal server function is disabled, use either of the following two methods to enable the function:

Enable the built-in Portal server of the HTTP protocol.

#
portal local-server ip 200.1.1.1
portal local-server http port 2000
portal local-server authentication-method pap
#

Enable the built-in Portal server of the HTTPS protocol.

#
portal local-server ip 200.1.1.1
portal local-server https ssl-policy default_policy port 2000
portal local-server authentication-method pap
#

VAP Profile Configuration

Find the corresponding VAP profile based on the SSID, and check the configurations of the VAP profile, including the configuration of the authentication profile.

Run the display vap-profile all command to check all VAP profiles and find the corresponding VAP profile based on the SSID.

[HUAWEI] display vap-profile all
FMode   : Forward mode
STA U/D : Rate limit client up/down
VAP U/D : Rate limit VAP up/down
BR2G/5G : Beacon 2.4G/5G rate
---------------------------------------------------------------
Name              FMode    Type     VLAN      AuthType   STA U/D(Kbps)  VAP U/D(Kbps)  BR2G/5G(Mbps)  Reference  SSID
---------------------------------------------------------------
default           direct   service  VLAN 1    Open         -/-          -/-             1/6            0         HUAWEI-WLAN
vap_localportal tunnel   service  VLAN 200  Open+Portal  -/-          -/-             1/6            3         localportal_test
---------------------------------------------------------------
Total: 2

Check the configuration of the VAP profile, and find the authentication profile bound to the VAP profile.

[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name vap_localportal
[HUAWEI-wlan-vap-prof-vap_localportal]display this
#
 forward-mode tunnel
 service-vlan vlan-id 200
 ssid-profile localportal
 authentication-profile authen_localportal
#

Check the configuration of the authentication profile. It must have a Portal access profile bound.

[HUAWEI] authentication-profile name authen_localportal
[HUAWEI-authentication-profile-authen_localportal] display this
#
authentication-profile name authendot1x
 portal-access-profile access_localportal
 access-domain domain_test
#

Check the configuration of the Portal access profile. The built-in Portal server must be enabled.

[HUAWEI] portal-access-profile name access_localportal
[HUAWEI-portal-access-profile-access_localportal] display this
#
portal-access-profile name access_localportal
 portal local-server enable
#

Authentication Mode Configuration

In LDAP authentication scenarios, the authentication mode must be set to LDAP authentication and the LDAP server template must be applied. In AD authentication scenarios, the authentication mode must be set to AD authentication and the AD server template must be applied.

The authentication mode is specified in an authentication scheme. An authentication scheme can be applied using either of the following two methods: Method 1: Apply it to an authentication profile directly. Method 2: Apply it to a domain, which is then bound to the authentication profile. The first method has a higher priority than the second method. If both methods are configured, the first method takes effect, and the default or forcible domain configured in the authentication profile using the second method does not take effect.

Method 1: Apply an authentication scheme to an authentication profile.

LDAP authentication: When an authentication scheme is applied to an authentication profile, apply an LDAP server template to the authentication profile.

[HUAWEI] authentication-profile name authen_localportal
[HUAWEI-authentication-profile-authen_localportal] display this
#
authentication-profile name authen_localportal
 portal-access-profile access_localportal
 authentication-scheme ldap
 ldap-server ldap_test
#

AD authentication: When an authentication scheme is applied to an authentication profile, apply an AD server template to the authentication profile.

[HUAWEI] authentication-profile name authen_localportal
[HUAWEI-authentication-profile-authen_localportal] display this
#
authentication-profile name authen_localportal
 portal-access-profile access_localportal
 authentication-scheme ad
 ldap-server ad_test
#

Method 2: Apply an authentication scheme to a domain.

LDAP authentication: When an authentication scheme is applied to a domain, apply an LDAP server template to the domain.

[HUAWEI] aaa
[HUAWEI-aaa] domain domain_test
[HUAWEI-aaa-domain-domain_test] display this
#
 domain domain_test
  authentication-scheme ldap
  ldap-server ldap_test
#

Subsequently, configure the default or forcible domain in the authentication profile. You are advised to configure a default domain without specifying the access type in the authentication profile.

[HUAWEI] authentication-profile name authen_localportal
[HUAWEI-authentication-profile-authen_localportal] display this
#
authentication-profile name authen_localportal
 portal-access-profile access_localportal
 access-domain domain_test
#

AD authentication: When an authentication scheme is applied to a domain, apply an AD server template to the domain.

[HUAWEI] aaa
[HUAWEI-aaa] domain domain_test
[HUAWEI-aaa-domain-domain_test] display this
#
 domain domain_test
  authentication-scheme ad
  ldap-server ad_test
#

Subsequently, configure the default or forcible domain in the authentication profile. You are advised to configure a default domain without specifying the access type in the authentication profile.

[HUAWEI] authentication-profile name authen_localportal
[HUAWEI-authentication-profile-authen_localportal] display this
#
authentication-profile name authen_localportal
 portal-access-profile access_localportal
 access-domain domain_test
#

The authentication domain for a terminal is selected in descending order of priority: forcible domain for a specified access type > forcible domain with no access type specified > valid domain carried in the user name > default domain for a specified access type > default domain with no access type specified > global default domain. The following are configuration examples of different domains:

Forcible domain for a specified access type:

[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test portal force

Forcible domain with no access type specified:

[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test force

Valid domain carried in the user name: The user name used for authentication contains the domain name in @ format, and the domain has been created on the device.

Default domain for a specified access type:

[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test portal

Default domain with no access type specified:

[HUAWEI-authentication-profile-authen_portal] display this
#
authentication-profile name authen_portal
 portal-access-profile access_portal
 access-domain domain_test

Global default domain: It is specified by the domain xxx command in the system view.

LDAP Server Template Configuration

When configuring an LDAP server template, pay attention to the authentication server address, Base DN, administrator DN and password, and server type.

The user-filter field depends on the type of the interconnected server and is configured based on the specific server requirements. For example, the user-filter field of an AD LDAP server is sAMAccountName, that of an Open LDAP server or IBM Tivoli LDAP server is cn, and that of a Sun ONE LDAP server is uid.

[HUAWEI] ldap-server template ldap_test
[HUAWEI-ldap-ldap_test] display this
#
ldap-server template ldap_test
 ldap-server authentication 12.12.12.9 389
 ldap-server authentication manager cn=administrator,cn=users xxxx
 undo ldap-server authentication base-dn dc=my-domain,dc=com
 ldap-server authentication base-dn dc=test1,dc=com
 ldap-server server-type ad-ldap
 ldap-server group-filter ou
 ldap-server user-filter sAMAccountName
 ldap-server pki-realm test  //In V2R22C00 and later versions, the domain name must be specified.
#

AD Server Template Configuration

When configuring an AD server template, pay attention to the authentication server address, Base DN, administrator DN and password, and server hostname.

[HUAWEI] ad-server template ad_test
[HUAWEI] display this
#
ad-server template ad_test
 ad-server pki-realm test //In V200R022C00 and later versions, the domain name must be specified.
 ad-server authentication 12.12.12.9 88
 ad-server authentication base-dn dc=test1,dc=com
 ad-server authentication manager cn=administrator,cn=users xxxxx
 ad-server authentication host-name WIN-LVA6RGM4LD6.test1.com
 ad-server authentication ldap-port 389
 ad-server user-filter sAMAccountName
 ad-server group-filter ou
#

Built-in Portal Server Configuration
VAP Profile Configuration
Authentication Mode Configuration
LDAP Server Template Configuration
AD Server Template Configuration

Translation

简体中文

Download

Updated: 2023-06-02

Document ID: EDOC1000060368

Downloads: 5824

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate