Common Built-in Portal Page Access Failures
Access to the Built-in Portal Authentication Page Fails or Times Out
Symptom
When a user uses a browser to access the URL of the built-in Portal server page or access another web page for redirection, the browser displays an error message indicating a failure to access the page.
Possible Causes
Most likely, the STA cannot communicate with the built-in Portal server. The AC functions as the built-in Portal server, but the STA gateway is deployed on another device, and the network between the STA gateway and the Portal server is disconnected.
Solution
On the AC, ping the STA gateway address with the built-in Portal server address as the source address. If the ping fails, check whether the route configuration is correct.
Failure to Access the HTTPS-based Built-in Portal Authentication Page
The "Connect to Wi-Fi" Page Is Always Displayed on the Chrome Browser
Symptom
When a user uses the Chrome browser to access the built-in Portal page, the Connect to Wi-Fi page is displayed. After the user clicks Connect, the page is still displayed.
- The built-in Portal page fails to be opened using the Chrome browser on a PC.
- The built-in Portal page fails to be opened using the Chrome browser on a mobile phone.
Possible Causes
After connecting to a Wi-Fi network, a STA (PC or mobile phone) uses an internal system tool to send an HTTP probe request packet to a specified server to check whether network connectivity is normal. Before Portal authentication succeeds, the STA cannot reach that server and concludes that there is a network connectivity issue.
When the built-in Portal server is accessed through HTTPS, the browser checks whether the Portal server certificate is issued by a trusted CA. If it is not, some browsers (such as Internet Explorer) display a message indicating that the web page is insecure, and the user can ignore the alert and continue to the Portal server page. Other browsers (such as Chrome), however, directly interrupt access to the Portal server in this case when they detect a network connectivity issue. As a result, the Portal page cannot be opened.
Solution
There are three solutions to this problem. Solutions 1 and 2 are recommended. Solution 3 has two disadvantages: 1. The server domain names probed by STAs of different vendors may differ, so the configuration cannot cover all of them; 2. STAs cannot automatically display a page after the detection domain name is bypassed.
- Solution 1: Purchase a certificate issued by a trusted CA and import the certificate to the device.
If the built-in Portal server uses a valid certificate, configure the URL of the built-in Portal server. The URL must be the same as the domain name in the certificate. In addition, ensure that the DNS server on the network can resolve the domain name to the IP address of the built-in Portal server.
The purchased certificate generally contains the CA certificate file, local certificate file, RSA key pair file, and possibly the RSA key pair password.
To replace the HTTPS certificate of the built-in Portal server, perform the following steps:
- Upload the CA certificate file, local certificate file, and RSA key pair file to the flash memory of the device through FTP or the web platform.
- Create a PKI domain and import the certificate files and key pair file to the domain.
The following assumes that the CA certificate file is 1_root_bundle.pem, the local certificate file is 2_star_wlanportal_com.pem, and the RSA key pair file is 3_star_wlanportal_com.key.
- Create a PKI domain.
[HUAWEI] pki realm test
- Import the CA certificate.
[HUAWEI] pki import-certificate ca realm test pem filename 1_root_bundle.pem
- Import the local certificate.
[HUAWEI] pki import-certificate local realm test pem filename 2_star_wlanportal_com.pem
- Import the RSA key pair.
[HUAWEI] pki import rsa-key-pair test1 pem 3_star_wlanportal_com.key password xxxxxx
- Create an SSL policy and bind it to the PKI domain.
[HUAWEI] ssl policy test type server
[HUAWEI-ssl-policy-test] pki-realm test
- Disable and then enable the built-in Portal server function, and configure the built-in Portal server to use the new SSL policy.
[HUAWEI] undo portal local-server https
[HUAWEI] portal local-server https ssl-policy test port 2000
- Configure the URL of a built-in Portal server.
[HUAWEI] portal local-server url wlc.portal.com
- Solution 2: Configure the Portal server to use the HTTP protocol.
[HUAWEI] undo portal local-server https
[HUAWEI] portal local-server http port 2000
- Solution 3: Configure the device to bypass the detected domain name of the server.
The detected domain name of the server varies depending on specific STAs, as described in the following test results in the lab:
- On PCs running Windows: www.msftconnecttest.com or www.msftncsi.com
- On Android mobile phones: connectivitycheck.platform.hicloud.com
- The detected domain name of the server may vary for the Android mobile phones of other vendors.
The following uses a Windows PC as an example to describe how to bypass the domain name of the server:
[HUAWEI] passthrough-domain name www.msftconnecttest.com id 0
[HUAWEI] passthrough-domain name www.msftncsi.com id 1
[HUAWEI] acl 6000
[HUAWEI-ucl-6000] rule 5 permit ip destination passthrough-domain www.msftconnecttest.com
[HUAWEI-ucl-6000] rule 10 permit ip destination passthrough-domain www.msftncsi.com
[HUAWEI] free-rule-template name default_free_rule
[HUAWEI-free-rule-default_free_rule] free-rule acl 6000
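Solution 1 requires the value configured with portal local-server url to be the same as the domain name in the certificate. The following added example (not part of the original page or of the device software) checks that before the certificate is imported. The certificate names in it are constructed, because the page does not show the contents of the certificate files, and the wildcard rule is a simplified form of the matching browsers apply.

```python
from urllib.parse import urlsplit

# Constructed sample: DNS names a wildcard certificate might carry (assumed, not from the page).
CERT_DNS_NAMES = ["*.wlanportal.com"]


def portal_host(url_value):
    """Host part of the value given to 'portal local-server url' (scheme and port optional)."""
    if "//" not in url_value:
        url_value = "//" + url_value  # let urlsplit treat a bare name as the network location
    return (urlsplit(url_value).hostname or "").rstrip(".").lower()


def name_matches(host, cert_name):
    """Exact match, or a leading '*' standing for exactly one leftmost label."""
    host_labels = host.split(".")
    cert_labels = cert_name.rstrip(".").lower().split(".")
    if len(host_labels) != len(cert_labels) or not all(host_labels):
        return False
    if cert_labels[0] == "*":
        # Simplification: require at least two fixed labels after the wildcard.
        return len(cert_labels) >= 3 and host_labels[1:] == cert_labels[1:]
    return host_labels == cert_labels


def url_covered(url_value, cert_dns_names):
    """True if the configured portal URL is covered by one of the certificate names."""
    host = portal_host(url_value)
    return any(name_matches(host, name) for name in cert_dns_names)


if __name__ == "__main__":
    for candidate in ("wlc.wlanportal.com", "wlc.portal.com", "a.b.wlanportal.com"):
        state = "covered" if url_covered(candidate, CERT_DNS_NAMES) else "NOT covered"
        print(f"{candidate}: {state} by {CERT_DNS_NAMES}")
```

A URL that is not covered produces a certificate name error in the browser even when the certificate is issued by a trusted CA.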
Failure to Access the Page Using the Chrome Browser on the AC6507S or AC6508 (Due to an Incorrect Certificate Format)
Symptom
When the AC6507S or AC6508 functions as the built-in Portal server, the Chrome browser fails to display the built-in Portal page and reports a certificate format error (ERR_SSL_SERVER_CERT_BAD_FORMAT).
Possible Causes
The local certificate preset on the device contains the special symbol &, which cannot be identified by the Chrome browser. Therefore, the browser determines that the certificate is invalid and fails to display the built-in Portal authentication page.
You can run the following command to check whether the local certificate preset on the device contains the special symbol &.
[HUAWEI] display pki certificate local realm default
Info: It will take a few seconds or more to collect data for displaying. Please wait a moment.
The x509 object type is certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4f:ac:78:d4:7f:c8:61:62
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=Huawei, CN=Huawei Enterprise Network Product CA
Validity
Not Before: Jul 27 14:12:50 2019 GMT
Not After : Jul 23 14:12:50 2034 GMT
Subject: C=CN, O=HUAWEI, OU=Switch & Enterprise Gateway Product Line, CN=101970072884.huawei.com
Subject Public Key Info:
...
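The manual check above can be automated across saved command output. This added example (not part of the original page) parses the Issuer and Subject lines and flags characters outside the ASN.1 PrintableString character set, which does not include &. It assumes the attribute values are encoded as PrintableString, which the text output does not show, and the sample input is constructed from the output on this page.

```python
import re

# ASN.1 PrintableString character set: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

# Constructed sample: the Issuer and Subject lines as they appear in the page's output.
SAMPLE = """\
Issuer: C=CN, O=Huawei, CN=Huawei Enterprise Network Product CA
Subject: C=CN, O=HUAWEI, OU=Switch & Enterprise Gateway Product Line, CN=101970072884.huawei.com
Subject Public Key Info:
"""

DN_LINE = re.compile(r"^\s*(Issuer|Subject):\s*(.+)$", re.M)
# Split only at a comma followed by "TYPE=", so commas inside a value survive.
RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_names(display_output):
    """Return {"Issuer": [(type, value), ...], "Subject": [...]} from the command output."""
    names = {}
    for field, dn in DN_LINE.findall(display_output):
        attrs = []
        for rdn in RDN_SPLIT.split(dn.strip()):
            attr_type, _, value = rdn.partition("=")
            attrs.append((attr_type.strip(), value.strip()))
        names[field] = attrs
    return names


def non_printable_string_chars(display_output):
    """List (field, attribute type, offending characters) for every flagged attribute."""
    findings = []
    for field, attrs in parse_names(display_output).items():
        for attr_type, value in attrs:
            bad = sorted(set(value) - PRINTABLE)
            if bad:
                findings.append((field, attr_type, "".join(bad)))
    return findings


if __name__ == "__main__":
    for field, attr_type, bad in non_printable_string_chars(SAMPLE):
        print(f"{field} {attr_type}: characters outside PrintableString: {bad!r}")
```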
Solution
Contact technical support engineers and provide the device ESN to apply for a new preset certificate to replace the existing one.
If the problem described in the section The "Connect to Wi-Fi" Page Is Always Displayed on the Chrome Browser persists after the preset certificate is updated, address it according to the solution provided in that section.
To update the preset certificate, perform the following steps:
- Delete the CA certificate and local certificate in the default PKI domain.
[HUAWEI] pki delete-certificate ca realm default
[HUAWEI] pki delete-certificate local realm default
- Import the new CA certificate, local certificate, and RSA key pair to the default PKI domain.
The new CA certificate file is root_ca.cer, the local certificate file is esn.cer, and the RSA key pair file is esn.cer (local certificate and RSA key pair in the same file).
[HUAWEI] pki import-certificate ca realm default pem filename root_ca.cer
[HUAWEI] pki import-certificate local realm default pem filename esn.cer
[HUAWEI] pki import rsa-key-pair test pem esn.cer password xxx
- Disable the built-in Portal server function.
[HUAWEI] undo portal local-server https
- Unbind the PKI domain from the SSL policy.
[HUAWEI] ssl policy default_policy
[HUAWEI-ssl-policy-default_policy] undo pki-realm
- Bind the PKI domain to the SSL policy again.
[HUAWEI] ssl policy default_policy
[HUAWEI-ssl-policy-default_policy] pki-realm default
- Enable the built-in Portal server function.
[HUAWEI] portal local-server https ssl-policy default_policy port 2000
Failure to Access the Built-in Portal Anonymous Authentication Page
Symptom
The anonymous login function is enabled for users authenticated through the built-in Portal server in the Portal access profile. However, after a STA accesses the network, the built-in Portal authentication page still displays the user name and password text boxes.
Possible Causes
NAT traversal is enabled between the STA and AC. When a STA accesses the built-in Portal server, the source IP address of the packet has been translated. The AC cannot find the user based on the source IP address of the packet. (The STA IP address recorded on the AC is the actual IP address of the STA, which is reported by the AP to the AC through the tunnel.) As a result, the anonymous login configuration cannot be obtained.
Solution
Built-in Portal authentication does not support NAT between the AC and STAs. You are advised to delete the NAT configuration or use external Portal authentication.
Failure to Access the Built-in Portal Authentication Page
Symptom
Access code authentication is enabled on the built-in Portal server in the Portal access profile. However, after a STA connects to the network, the built-in Portal authentication page still displays the user name and password text boxes.
Possible Causes
NAT traversal is enabled between the STA and AC. When a STA accesses the built-in Portal server, the source IP address of the packet has been translated. The AC cannot find the user based on the source IP address of the packet. (The STA IP address recorded on the AC is the actual IP address of the STA, which is reported by the AP to the AC through the tunnel.) As a result, the access code authentication configuration cannot be obtained.
Solution
Built-in Portal authentication does not support NAT between the AC and STAs. You are advised to delete the NAT configuration or use external Portal authentication.