No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Users Fail Portal Authentication Through AR511

Users Fail Portal Authentication Through AR511

Keywords

User, AR511, Portal authentication, failure

Abstract

Users need to access the WLAN through AR511. When the AR511 pushes Portal authentication page to users, the users fail the authentication.

Problem Description

As shown in Figure 1, a user attempts to access the Internet through WiFi. When the user enters the user name and password on the login page, the web page displays an authentication failure.

Figure 28-5  User accesses the Internet through WiFi

Procedure

  1. Obtain authentication packet information from the AR511 using the third-party software.

    The Radius authentication server sends the following authentication response packet to the client:

    As shown in the preceding figure, the packet contains only the IP address mask, but does not contain the IP address.

  2. Log in to the AR511 to check whether the AR511 has a valid IP address.

    Run the debugging aaa all command to enable all debugging functions of the AAA module.

    <Huawei> debugging aaa all 
    2014 03:51:21.199.3+00:00 Huawei AAA/7/DEBUG:
    [AAA ERROR]The corresponding ip is invalid or not configured. 

    The preceding information shows that the IP address is invalid. This indicates that the AR511 checks IP address validity after receiving authorization information from the server. If the IP address is invalid, the AR511 returns an authentication failure.

    Huawei AR routers require that the Framed-IP-Netmask and Framed-IP-Address attributes must be used together. Therefore, to ensure successful authentication, the IP address and IP address mask must be configured together; otherwise, the packets returned by AR511 cannot contain Framed-IP-Netmask or Framed-IP-Address.

  3. The packet information obtained in Step 1 shows that the returned packet contains the Framed-IP-Netmask attribute. Run the following commands to prevent the AR511 from parsing the Framed-IP-Netmask attribute in the authorization packets returned by the server.

    <Huawei> system-view 
    [Huawei] radius-server template test1 
    [Huawei-radius-test1] radius-server attribute translate//Enable RADIUS attribute translation. 
    [Huawei-radius-test1] radius-attribute disable Framed-IP-Netmask receive//Disable the Framed-IP-Netmask attribute.

  4. Run the following command, and you can find that the user has gone online.

    <Huawei> display access-user user-id 1099 
    
    Basic: 
      User ID: 1099
      User name: test011
      Domain-name: 123
      User MAC: 4487-fc40-f05b
      User IP address: 13.13.13.250
      User access Interface: Wlan-Bss1
      QinQVlan/UserVlan: 0/100
      User access time: 2014/09/20 10:05:39
      User accounting session ID: Huawei000480000000066749df000017  User access type: WEB
      AP ID: 0
      AP name: ap-0
      Radio ID: 0
      AP MAC: 0a0b-0c00-0500
      SSID: huawei111
      Online time: 14(s)
      Web-server IP address: 192.168.100.62
    
    AAA:
     User authentication type: WEB authentication
     Current authentication method: RADIUS
     Current authorization method: - Current accounting method: RADIUS

    After the user enters the user name and password on the login page, the user can go online.

Root Cause

Generally, a RADIUS server connects to multiple network devices, which may from one vendor or different vendors. If some vendors' devices request the RADIUS server to deliver an attribute to support a specified feature but other vendors' devices do not support the delivered attribute, the RADIUS attribute may fail to be parsed.

Solution

When an AR router is connected to a third-party Portal server and users fail authentication, you need to obtain packet information to check whether the AR router supports all the attributes in the packets returned by the server. If not, modify the configurations on the AR router to ensure successful user authentication.

Translation
Download
Updated: 2019-05-10

Document ID: EDOC1000079719

Views: 447528

Downloads: 4305

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next