Login Through the Web System Fails
Symptom
A terminal fails to log in to a WLAN device through the web system.
Possible Causes
- The network between the PC and the WLAN device fails.
- The web file version does not match the software version of the WLAN device.
- The HTTP or HTTPS service is not enabled.
- The browser version is not supported.
- The type of the account permission does not meet the requirements.
- The number of online users reaches the upper limit.
- An ACL is configured.
- Accounting is configured for local authentication.
- (V200R019C10 and later versions) The source interface of the HTTP/HTTPS server is configured.
Troubleshooting Procedure
- Check whether the PC pings the WLAN device successfully.
Run the ping command on the PC to check whether the PC can communicate with the WLAN device.
The IP address 169.254.1.1 has been configured for the WLAN device before delivery.
The PC's IP address must be on the network segment 169.254.1.0/24 but cannot be 169.254.1.1. IP address 169.254.1.100 is recommended.
- Run the ping command on the Windows CLI of the PC to check whether the PC can ping the WLAN device.
C:\Users\Huawei> ping 169.254.1.1
Ping 169.254.1.1 with 32 bytes of data:
request timed out.
request timed out.
request timed out.
Ping statistics for 169.254.1.1:
    Packets: sent = 4, Received = 0, Lost = 4 (100% loss)
If the message "Request timed out" is displayed, the target device is unreachable.
- Run the display this command in the interface view to check whether the IP address of the WLAN device is correctly configured.
- If the IP address is incorrect, run the ip address ip-address { mask | mask-length } [ sub ] command in the interface view to reconfigure the IP address.
- Open the web system again and ensure that the IP address in https://ip-address is the same as that configured on the WLAN device.
- Check whether the web file version matches the WLAN device's software version.
Generally, a web file is contained in the software package. If the software package has been loaded to a WLAN device, skip the following operations.
A web file is released independently for a maintenance version. If the web file has been loaded to a WLAN device, check whether the web file version is the same as the device software version.
- Check device version.
<Huawei> display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.160 (AP5030DN FIT V200R006C10SPC800)
......
Fit APs do not support the web system.
- Check the web file version that takes effect currently on the WLAN device.
<Huawei> display current-configuration | include http
http server load AC6605V200R006C10SP200.001.web.zip
If the web file version differs from the current system software version of the WLAN device, the web file does not match the device software. Download the web file of the matching version from http://support.huawei.com/enterprise. After uploading the web file to the device, run the http server load file-name command in the system view to load it.
- Check whether the HTTP/HTTPS server is enabled.
<Huawei> display http server
HTTP server status            : Enabled (default: disable)
HTTP server port              : 80 (default: 80)
HTTP timeout interval         : 10 (default: 10 minutes)
Current online users          : 0
Maximum users allowed         : 5
HTTPS server status           : Enabled (default: enable)
HTTPS server port             : 443 (default: 443)
HTTPS SSL Policy              : default_policy
- When a user logs in to the device using HTTP, the device forcibly switches the session to HTTPS. Therefore, ensure that the HTTPS server is enabled; otherwise, the switch to HTTPS cannot take place and the login fails.
- If the value of the HTTP server status field is disable, you cannot log in to the device through HTTP. In this case, run the http server enable command in the system view to enable the HTTP service. Alternatively, log in to the device through HTTPS, that is, enter https://ip-address in the address box of the browser to log in to the device.
- If the value of the HTTPS server status field is disable, you cannot log in to the device through the web system. In this case, run the http secure-server enable command in the system view to enable the HTTPS service.
- If the port number entered in the address box is different from the server port number, run the http server port and http secure-server port commands in the system view to configure the server port number.
- Check whether the number of online web users has reached the upper limit.
A Fat AP allows a maximum of one user and an AC allows a maximum of five users to log in to the web page at the same time. If the number of current online web users reaches the upper limit, other users cannot log in to the web page.
If a web account is used to perform operations too frequently in the web system within a short period of time, the operations are identified as attacks. In this case, the client IP address is added to the blacklist, and all web accounts that use this IP address for login are logged out. The IP address can be removed from the blacklist only after no operation is performed in two hours. You can change the client IP address to solve the problem.
<Huawei> display http server
HTTP server status            : Enabled (default: disable)
HTTP server port              : 80 (default: 80)
HTTP timeout interval         : 10 (default: 10 minutes)
Current online users          : 0
Maximum users allowed         : 5
HTTPS server status           : Enabled (default: enable)
HTTPS server port             : 443 (default: 443)
HTTPS SSL Policy              : default_policy
If the Current online users value is the same as the Maximum users allowed value, the number of current online web users has reached the upper limit and other users cannot log in to the WLAN device.
- Check whether the current browser version is supported.
The web system supports multiple browsers, which vary for different versions. For example, in V200R010, the web browser must be Internet Explorer 10.0, Internet Explorer 11.0, Firefox 50.0 to 54.0, or Chrome 49.0 to 58.0. If a browser of an earlier version is used, the web page may not be properly displayed.
For details, see Precautions for Using the Web Platform.
- When you use the Internet Explorer browser, do not set the security level to High; otherwise, the web page cannot be displayed. When accessing the web system through a web proxy, choose Tools > Internet Options from the menu. On the Advanced tab page, select Use HTTP 1.1 through proxy connections. On the Security tab page, click Custom Level, and set Script ActiveX controls marked safe for scripting *, Run ActiveX controls and plug-ins, and Active scripting to Enable. Otherwise, the web page cannot be displayed. Here, Internet Explorer 10.0 is used as an example.
- If the message "Your browser's security settings are too high to complete this process. See the help menu for instructions on adjusting your security settings." is displayed during file upload, configure the Internet Explorer as follows:
- Choose Tools > Internet Options, click the Security tab, and click Custom Level.
- Select Enable or Prompt for Initialize and script ActiveX controls not marked as safe for scripting.
If you select Enable, the file can be uploaded directly. If you select Prompt, the message "An ActiveX control on this page might be unsafe to interact with other parts of the page. Do you want to allow this interaction?" is displayed. If you click Yes, the file can be uploaded.
- Select Enable for Include local directory path when uploading files to a server.
- After the device software version changes (for example, the software version is upgraded or rolled back) or the HTTP/HTTPS port number is changed, you are advised to clear the browser cache before using the web system. Otherwise, the web page may be incorrectly displayed.
- When you log in to the web system using Internet Explorer, choose Tools > Internet Options. On the General tab page, click Delete, select Temporary Internet files and website files and Cookies and website data, and click Delete to clear the browser cache. Here, Internet Explorer 10.0 is used as an example.
- When you log in to the web system using Firefox, choose Options > Privacy, click clear your recent history, select Cookie and Cache, and click Clear Now to clear the browser cache. Here, Firefox 50.0 is used as an example.
- When you log in to the web system using Chrome, choose History, click Clear browsing data, select Cookies and other site and plug-in data and Cached images and files, and click Clear browsing data to clear the browser cache. Here, Chrome 50.0 is used as an example.
- The following uses Internet Explorer as an example. Open the browser, click Help, and choose About Internet Explorer to check the browser version.
- If the browser version is not supported by the web system, use a browser supported by the web system to log in to the WLAN device.
- Check whether the account meets the requirements.
- Check the attribute information about local user admin.
<Huawei> display local-user username admin
The contents of local user(s):
Password             : ****************
State                : active
Service-type-mask    : TSH
Privilege level      : 15
Ftp-directory        : -
Access-limit         : -
Accessed-num         : 0
Idle-timeout         : -
User-group           : -
Original-password    : Yes
Password-set-time    : 2016-04-11 09:36:11+08:00
Password-expired     : No
Password-expire-time : -
The account must be in the active state and support HTTP. If the account is in the block state, run the local-user user-name state active command to activate it.
- A login account does not meet the requirements if the local user is blocked, the password has expired, the user level is 0 or not configured, or the local user's service type does not include HTTP.
- Log in to the WLAN device, and run the local-user command in the AAA view to configure information about the local login account.
- Run the local-user user-name state active command to activate the account.
- Run the local-user user-name privilege level level command to set the user level.
- Run the local-user user-name service-type http command to set the user access type to HTTP.
- Run the local-user user-name password { cipher | irreversible-cipher } password command to set a password.
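As an added example (not part of this document or of the device software), the following Python reads the two command outputs this procedure inspects, display http server and display local-user, and reports which of the listed conditions would block a web login. The sample outputs are constructed, and the code assumes that the letter H in Service-type-mask denotes HTTP access.

```python
# Constructed sample modelled on this page's "display http server" output, but with
# HTTPS disabled and the web-user limit reached so that both checks fire.
HTTP_SERVER_SAMPLE = """\
HTTP server status            : Enabled (default: disable)
Current online users          : 5
Maximum users allowed         : 5
HTTPS server status           : Disabled (default: enable)
"""

# Constructed sample modelled on "display local-user username admin" (all checks fail).
LOCAL_USER_SAMPLE = """\
State                        : block
Service-type-mask            : TS
Privilege level              : 0
Password-set-time            : 2016-04-11 09:36:11+08:00
Password-expired             : Yes
"""

def parse_fields(output):
    """Map each 'Key : value' line to the first token of its value ('Enabled (default: disable)' -> 'Enabled')."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")  # keys never contain ':'
        if sep:
            fields[key.strip()] = (value.split() or [""])[0]
    return fields

def check_http_server(output):
    """Return the web-login blockers visible in 'display http server' output."""
    f = parse_fields(output)
    findings = []
    # Web logins are forced onto HTTPS, so a disabled HTTPS server always blocks them.
    if f.get("HTTPS server status", "").lower() != "enabled":
        findings.append("https-disabled")
    if f.get("HTTP server status", "").lower() != "enabled":
        findings.append("http-disabled")
    online = int(f.get("Current online users") or 0)
    limit = int(f.get("Maximum users allowed") or 0)
    if limit and online >= limit:
        findings.append("user-limit-reached")
    return findings

def check_local_user(output):
    # Account requirements from this procedure: active, HTTP service type, level >= 1, password valid.
    f = parse_fields(output)
    findings = []
    if f.get("State", "").lower() != "active":
        findings.append("user-blocked")
    if "H" not in f.get("Service-type-mask", ""):  # assumption: 'H' denotes HTTP
        findings.append("no-http-service-type")
    level = f.get("Privilege level", "")
    if not level.isdigit() or int(level) == 0:
        findings.append("privilege-level-0-or-unset")
    if f.get("Password-expired", "").lower() == "yes":
        findings.append("password-expired")
    return findings
```

Paste the real output of each command into the corresponding function to get the same classification for a live device.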
- Check whether an ACL is configured on the HTTP server.
- Run the display current-configuration | include http acl command in any view to check whether there is the configuration of http acl acl-number.
<Huawei> display current-configuration | include http acl
http acl 2000
If there is the configuration of http acl acl-number, record the ACL number.
- Run the display acl acl-number command in any view to check whether the IP address of the web client is denied in the ACL.
If the IP address of the web client is denied in the ACL, run the undo rule rule-id command in the ACL view to delete the deny rule, and then modify the ACL so that it permits the IP address of the web client.
- Check whether authentication and accounting functions are configured.
- Check whether the accounting function is configured.
<Huawei> display accounting-scheme default
Accounting-scheme-name : default
Accounting-method      : RADIUS
...
If Accounting-method is displayed as RADIUS, the accounting function is configured.
- When the accounting server cannot be accessed, web login fails.
- When the accounting server exists but accounting fails, the web user is immediately logged out.
Suggestion: Delete the configuration of the accounting function.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] accounting-scheme default
[Huawei-aaa-accounting-default] accounting-mode none
- Check whether the RADIUS authentication mode is configured in the default authentication profile.
<Huawei> display authentication-scheme default
Authentication-scheme-name : default
Authentication-method      : RADIUS
- When no RADIUS authentication server is deployed but the RADIUS authentication mode is configured in the authentication profile, authentication fails even if the user enters the correct user name and password.
Suggestion: Set the authentication mode in the authentication profile to local.
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] authentication-scheme default
[Huawei-aaa-authen-default] authentication-mode local
- When a RADIUS authentication server is deployed on the network and the RADIUS server does not deliver the user level, web login fails.
There are two processing suggestions:
- Deliver the administrator level (1-15) with the attribute HW-Exec-Privilege on the RADIUS server.
- Modify the configuration on the device, set the administrator level (1-15) in the service scheme, and bind the service scheme to the domain.
<AC> system-view
[AC] aaa
[AC-aaa] service-scheme srvscheme1
[AC-aaa-service-srvscheme1] admin-user privilege level 15    //Set the administrator level.
[AC-aaa-service-srvscheme1] quit
[AC-aaa] domain huawei
[AC-aaa-domain-huawei] service-scheme srvscheme1    //Bind the service scheme to the domain.
- Check whether the account is locked because incorrect passwords are entered multiple times.
Run the display aaa online-fail-record username username command in any view to check whether the account is locked.
[AC] display aaa online-fail-record username admin
------------------------------------------------------------------------------
User name                : admin
Domain name              : default_admin
User MAC                 : -
User access type         : HTTP
User IP address          : 10.174.1.129
User IPV6 address        : -
User ID                  : 6
User login time          : 2018/11/06 10:07:29
User online fail reason  : Local Authentication user block
Authen reply message     : Authentication fail
------------------------------------------------------------------------------
If the account is locked after incorrect passwords are entered multiple times, try to log in again 5 minutes later. Otherwise, login requests are denied even if you enter the correct password during the lock period.
- Check whether management plane separation is configured.
- For devices with management interfaces, such as AC6605, ACU2, and AC6805, check whether management plane separation is enabled. If this function is enabled, the system prohibits users from accessing the management plane through service interfaces. That is, users fail to log in to the device through non-management interfaces.
By default, management plane separation is enabled on a device. To log in to the device through a service interface, run the mgmt isolate disable command to disable management plane separation.
- Run the display mgmt interface command to check the management NIC of the current device and check whether the user logs in to the device through a non-management interface.
# Display the management interface on the device.
<AC> display mgmt interface
---------------------------------------------------------------------------------
Interface name
---------------------------------------------------------------------------------
MEth0/0/1
---------------------------------------------------------------------------------
Count:1
- For a device without management interfaces, such as AC6005, check whether the management-interface command is configured on a VLANIF interface. If this configuration is found, this VLANIF interface is configured as a management interface. In this case, you cannot manage the device through other interfaces. If this configuration is necessary, use the VLANIF interface to manage the device. If this configuration is unnecessary, run the undo management-interface command on the VLANIF interface to delete the configuration.
- (V200R019C10 and later versions) Check whether the source interface of the HTTP/HTTPS server is configured.
In V200R019C10 and later versions, if the AC's source interface is specified, users can log in to the AC only through the specified interface.
By default, no source interface is specified. According to the factory configuration file, for a device with an Ethernet management interface, the default source interface is the Ethernet management interface; for a device without an Ethernet management interface, the default source interface is VLANIF 1.
If the specified interface is improper, run the http secure-server server-source -i { interface-type interface-number | all } command to reconfigure the source interface of the HTTP/HTTPS server, or configure a source interface that has an IP address configured as the Ethernet management interface (in V200R021C00).
- After the parameter interface-type interface-number is specified, the connection to the device through any other interface is torn down.
- After the parameter all is specified, users can log in to the device through any interface. This configuration is not recommended due to low security.
- Collect fault information.
Information Type            Command View       Command
Version information         Diagnostic view    vrbd
Patch information           All views          display patch-information
HTTP server information     All views          display http server
Configuration information   All views          display current-configuration
Account information         All views          display local-user username user-name
Log information             Diagnostic view    display logfile buffer
                                               display diag-logfile buffer
Export log files: Export all log files (in the .dblg, .log, .dblg.zip, or .log.zip format) that record the fault occurrence time in the flash:/logfile directory using FTP or the web system.