AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining the AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guides, and troubleshooting.
AR2220 Fails to Configure Portal Authentication Associated with RADIUS

Keywords

AR2220, RADIUS, Portal authentication, failure

Abstract

AR2220 fails to configure Portal authentication associated with RADIUS.

Problem Description

As shown in the following figure, AR2220 connects to networks as an access device. The RADIUS and Portal authentication servers use the IP address 192.168.30.250/24. Portal authentication associated with RADIUS needs to be configured on the AR device. After the configuration is completed, the Portal authentication page can be pushed to users. However, when users enter the user name and password, the page displays an authentication failure.

AR configuration is shown as follows:

    #
    radius-server template rd1
    radius-server shared-key cipher %^%#%f&o@nS,(WOKb5L-g0:(>}(l%^%#
    radius-server authentication 192.168.30.250 1812 weight 80
    radius-server accounting 192.168.30.250 1813 weight 80
    radius-server retransmit 2
    undo radius-server user-name domain-included
    #
    web-auth-server portal server-ip 192.168.30.250 port 50100 shared-key cipher %^%#0w/^)`Wj-S&rq\1da@)S>xG)%^%# url http://192.168.30.250:9098

Procedure

  1. Run the display web-auth-server configuration command to view the configuration of the Portal authentication server. The IP address of the Portal authentication server is 192.168.30.250/24, while that of the AR device that communicates with it is 192.168.30.254/24. The Portal server communicates with VLANIF interfaces on the AR device.
  2. Users can start the web browser and enter the user name and password on the authentication page. The displayed RADIUS server log indicates that users have passed RADIUS authentication. Therefore, no fault occurs in packet transmission between the access device and the RADIUS server.
  3. Run the following commands to enable the debugging function. Start the web browser on a PC and enter the user name and password on the authentication page to view the debugging information of the access device.

    <Huawei> debugging portal all
    <Huawei> debugging web all
    <Huawei> debugging cm all
    <Huawei> debugging aaa all
    <Huawei> debugging radius all
    <Huawei> terminal monitor
    <Huawei> terminal debugging
    <Huawei> debugging timeout 0

    The debugging information is shown as follows:

    Sep 17 2015 12:37:08.925.31+00:00 Huawei WEB/7/DEBUG: Sent packet to socket (length = 16 ): Version: 1 Type: authentication ack Method: chap SerialNo: 14223 RequestID: 22 UserIP: 192.168.20.245 ErrorCode: 4 AttributeNumber: 0

    The above information shows that the access device sends authentication response packets to both the RADIUS server and the Portal server. However, there is no debugging information in which the Type field is the acknowledgment of the authentication ack (ack of authentication ack). This indicates that after the Portal server received the authentication response packets from the access device, it did not send confirmation packets back to it. As a result, authentication timed out on the device, which caused the authentication failure.

  4. The Portal server log shows that it received authentication response packets from the access device, but the packets indicated that user authentication had failed. Therefore, the Portal server did not send confirmation packets to the device, which caused the authentication failure.
  5. It is confirmed that RADIUS authentication was performed successfully, while the access device sent response packets indicating authentication failure to the Portal server. It is suspected that the device interfaces failed to be authorized. Run the display device command to view the device board type. It is confirmed that the board type is 4ES2G-S, which does not support the NAC function or Portal user access. Replace the board with another one that supports the NAC function. As a result, the problem is addressed.
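
The check from steps 3 to 5, as an added example (not part of the original Huawei document): it parses WEB/7/DEBUG lines in the format quoted above and reports, for each authentication ack the device sent, whether the ErrorCode is non-zero and whether a confirmation with the same UserIP and SerialNo was received. The confirmation's Type string, the "Received packet" line format and the reading of ErrorCode 0 as success are assumptions; the last two sample lines are constructed.

```python
import re

# Field layout follows the WEB/7/DEBUG line quoted in step 3.
PACKET_RE = re.compile(
    r"WEB/7/DEBUG: (?P<dir>Sent|Received) packet .*?"
    r"Type: (?P<type>.+?) Method: (?P<method>\S+) "
    r"SerialNo: (?P<serial>\d+) RequestID: (?P<req>\d+) "
    r"UserIP: (?P<ip>\S+) ErrorCode: (?P<err>\d+)"
)
# Assumption: the Portal server's confirmation is logged with this Type
# string (wording borrowed from step 3); adjust to what the device prints.
CONFIRM_TYPE = "ack of authentication ack"

# First line is the one quoted on the page; the other two are constructed.
SAMPLE = [
    "Sep 17 2015 12:37:08.925.31+00:00 Huawei WEB/7/DEBUG: Sent packet to socket (length = 16 ): Version: 1 Type: authentication ack Method: chap SerialNo: 14223 RequestID: 22 UserIP: 192.168.20.245 ErrorCode: 4 AttributeNumber: 0",
    "Sep 17 2015 12:40:11.120.10+00:00 Huawei WEB/7/DEBUG: Sent packet to socket (length = 16 ): Version: 1 Type: authentication ack Method: chap SerialNo: 14230 RequestID: 23 UserIP: 192.168.20.246 ErrorCode: 0 AttributeNumber: 0",
    "Sep 17 2015 12:40:11.180.04+00:00 Huawei WEB/7/DEBUG: Received packet from socket (length = 16 ): Version: 1 Type: ack of authentication ack Method: chap SerialNo: 14230 RequestID: 23 UserIP: 192.168.20.246 ErrorCode: 0 AttributeNumber: 0",
]


def parse_packets(lines):
    """Return one dict per Portal packet found in the debug output."""
    packets = []
    for line in lines:
        m = PACKET_RE.search(line)
        if m:
            p = m.groupdict()
            p["serial"], p["err"] = int(p["serial"]), int(p["err"])
            packets.append(p)
    return packets


def diagnose(lines):
    """Report each authentication ack sent by the access device."""
    packets = parse_packets(lines)
    confirmed = {(p["ip"], p["serial"]) for p in packets
                 if p["dir"] == "Received" and p["type"] == CONFIRM_TYPE}
    return [{
        "user_ip": p["ip"],
        "serial": p["serial"],
        "error_code": p["err"],
        # Assumption: ErrorCode 0 means success, anything else a failure.
        "device_reported_failure": p["err"] != 0,
        "portal_confirmed": (p["ip"], p["serial"]) in confirmed,
    } for p in packets
        if p["dir"] == "Sent" and p["type"] == "authentication ack"]
```

A result with device_reported_failure set while the RADIUS server log shows a pass matches the situation in step 5, where the fault lies on the access device rather than on either server.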

Root Cause

The board in use does not support Portal user access, which causes the authentication failure.

Solution

Replace the board with another one that supports the NAC function, such as 8FE1GE or 24GE.

Summary and Suggestion

When Portal authentication is configured on a router and users access the network through its interfaces, confirm that the boards providing those interfaces support the NAC function; otherwise, Portal authentication may fail. Boards including 4GE-2S, 4ES2G-S, 4ES2GP-S and 9ES2 do not support the NAC function.

Updated: 2019-05-10

Document ID: EDOC1000079719
