Huawei S Series Campus Switches Troubleshooting Guide(V100 and V200)

Common Failures in External Portal Authentication Using the Portal Protocol

An Authentication Failure Is Displayed on the Portal Authentication Page

The Device Does Not Receive Authentication Request Packets from the Portal Server

Use the service diagnosis function to trace the online authentication process of the STA. It is found that no challenge or authentication request is received.

[HUAWEI] trace object ip-address 10.0.0.64
[HUAWEI] trace enable

Collect debugging information. The same symptom occurs.

<HUAWEI> debugging web all
<HUAWEI> terminal debugging
<HUAWEI> terminal monitor
<HUAWEI> debugging timeout 0

When the device receives a Portal challenge request or authentication request, the following trace information is displayed:

[BTRACE][2019/01/05 15:23:50][9216][WEB_FC][10.1.0.197]:Receive challenge request packet from portal server.
[BTRACE][2019/01/05 15:23:50][9216][WEB_FC][10.1.0.197]:Receive authentication request packet from portal srever.

If the device does not receive any Portal challenge request or authentication request, perform the following steps:

  1. Check whether the listening port of the device is changed. The default port number is 2000.

    [HUAWEI] display web-auth-server configuration
     Listening port           : 2000
     Portal                   : version 1, version 2
     Include reply message    : enabled
     Source-IP                : -

  2. Query the process accessed by the STA based on the STA's MAC address, and then query the number of Portal packets in this process to check whether the count of Portal challenge request packets, authentication request packets, or error packets increases.

    1. Query the process accessed by the STA based on the STA's MAC address.
      [HUAWEI] diagnose
      [HUAWEI-diagnose] display access-user | include 5cd9-98bc-034c
      process  7:
      --------------------------------------------------------------
      UserID  Username       IP address    MAC                Status
      --------------------------------------------------------------
      16588   5cd998bc034c   10.0.0.64   5cd9-98bc-034c   Pre-authen
      --------------------------------------------------------------
      Total: 1, printed: 1
    2. Query the number of Portal packets in this process.
      [HUAWEI-diagnose] display web statistics packet process 7
      process  7:
        Packet error Totol     :0
        Challenge req error    :0
        Auth req error         :0
        Recv auth req          :0
        Recv Challenge req     :0

      If the count of challenge request packets, authentication request packets, and error packets is 0, the device does not receive packets from the Portal server.

  3. Based on the preceding packet count statistics, you can determine whether the device has received packets from the Portal server. For further confirmation, you can obtain packet headers on the outbound interface connected to the Portal server.

The possible causes are as follows:
  • The Portal server cannot find the device. After a STA accesses the Portal server page and the user name and password are entered, the Portal server cannot identify the device from which the STA accesses the network based on the STA's IP address.

    The possible causes for this are as follows:

    • The IP address of the device is not added to the Portal server.

      Check whether the IP address of the device is added to the Portal server.

    • When a STA accesses the authentication page of the Portal server, the Portal server needs to carry the IP address of the STA or device.

      In this case, configure URL parameters in the URL template as follows:

      [HUAWEI] url-template name url_test
      [HUAWEI-url-template-url_test] url-parameter device-ip ac-ip user-ipaddress userip

      The parameter names (ac-ip and userip in this example) must match what the Portal server expects. For example, some Portal servers require that device-ip be carried as wlanacip and user-ipaddress as wlanuserip.

      By default, the value of device-ip carried by the device is the CAPWAP source IP address. If the IP address of the device added to the Portal server is not the CAPWAP source IP address, change the value of device-ip to an available IP address of the device as follows:

      [HUAWEI] url-template name url_test
      [HUAWEI-url-template-url_test] url-parameter set device-ip x.x.x.x
  • An exception occurs on the intermediate network. For example, the firewall shuts down the Portal port (2000 by default), or the route configuration is incorrect.
  • The destination port number used by the Portal server is incorrect. By default, the destination port number of Portal packets is 2000; check whether this port has been changed on the Portal server.

The Shared Key Configured in the Portal Server Template on the Device Is Different from That on the Portal Server

Use the service diagnosis function to trace the online authentication process of the STA. The Portal packet version is 2 and the message "The shared-key configured on the device must be the same as the one configured on the portal server." is displayed. It can be confirmed that the shared key configured in the Portal server template on the device is different from that configured on the server.

[HUAWEI] trace object ip-address 10.1.1.64
[HUAWEI] trace enable
[BTRACE][2020/11/26 10:03:22][7168][WEB][10.1.1.64]:Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 245
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 0
[BTRACE][2020/11/26 10:03:22][7168][WEB][10.1.1.64]:WEB receive packet from portal server successfully.
02 01 00 00 00 f5 00 00 c8 01 01 40 00 00 00 00
77 95 11 3a d4 82 10 86 51 ba 11 4e bb 30 a9 c6
[BTRACE][2020/11/26 10:03:22][7168][WEB][10.1.1.64]:[WEB Proc PS Msg] Server IP = 10.0.0.1, Server Vrf = 0
[BTRACE][2020/11/26 10:03:22][7168][WEB][10.1.1.64]:The shared-key configured on the device must be the same as the one configured on the portal server.

Configure the same shared key on the Portal server template and Portal server.

The Portal Version Supported by the Device Is Incompatible with the Server

Use the service diagnosis function to trace the online authentication process of the STA. The Portal packet version is 1 and the message "The shared-key configured on the device must be the same as the one configured on the portal server." is displayed. After the fault described in The Shared Key Configured in the Portal Server Template on the Device Is Different from That on the Portal Server is excluded, it can be determined that the device supports only Portal protocol v2, but the Portal server sends Portal packets using v1.

[HUAWEI] trace object ip-address 10.1.1.64
[HUAWEI] trace enable
[BTRACE][2020/11/26 10:13:07][7168][WEB][10.1.1.64]:Received packet from socket (length = 16 Vrf = 0):
Version         : 1
Type            : challenge request
Method          : chap
SerialNo        : 269
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 0
[BTRACE][2020/11/26 10:13:07][7168][WEB][10.1.1.64]:WEB receive packet from portal server successfully.
01 01 00 00 01 0d 00 00 c8 01 01 40 00 00 00 00
[BTRACE][2020/11/26 10:13:07][7168][WEB][10.1.1.64]:[WEB Proc PS Msg] Server IP = 10.0.0.1, Server Vrf = 0
[BTRACE][2020/11/26 10:13:07][7168][WEB][10.1.1.64]:The shared-key configured on the device must be the same as the one configured on the portal server.

Perform either of the following operations to rectify this fault:

  1. Set the Portal protocol version supported by the device to v2 and v1.
    [HUAWEI] web-auth-server version v2 v1
  2. Restore the default Portal protocol version configuration (v2 and v1) of the device.
    [HUAWEI] undo web-auth-server version

The server-ip Configured in the Portal Server Template Is Different From the Source IP Address of Portal Packets Received by the Device

Use the service diagnosis function to trace the online authentication process of the STA. The message "Failed to process packet for portal server,because server IP does not config.(serverIP=x.x.x.x)" is displayed, indicating that the source IP address of Portal packets received by the device is not in the server-ip list configured on the device.

[HUAWEI] trace object ip-address 10.1.1.64
[HUAWEI] trace enable
[BTRACE][2020/11/26 15:18:20][7168][WEB][10.1.1.64]:Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 313
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 0
[BTRACE][2020/11/26 15:18:20][7168][WEB][10.1.1.64]:WEB receive packet from portal server successfully.
02 01 00 00 01 39 00 00 c8 01 01 40 00 00 00 00
3a 00 8f c3 a3 db 1c 26 7c 29 4a f3 aa 59 27 1a
[BTRACE][2020/11/26 15:18:20][7168][WEB][10.1.1.64]:[WEB Proc PS Msg] Server IP = 10.0.0.1, Server Vrf = 0
[BTRACE][2020/11/26 15:18:20][7168][WEB][10.1.1.64]:Failed to process packet for portal server,because server IP does not config.(serverIP=10.0.0.1)

Check whether the actual IP address of the Portal server is the same as the source IP address of the received packets. If so, the server IP address specified on the device is incorrect. In this case, modify the server IP address in the Portal server template on the device.

If the actual IP address of the Portal server is different from the source IP address of the received packets, NAT may be deployed between the Portal server and the device, leading to a change of the source IP address of Portal packets. It is recommended that the NAT configuration between the device and Portal server be deleted. If the NAT configuration cannot be deleted, modify the server-ip configuration in the Portal server template on the device.

The Source IP Address of the Portal Packets Sent by the Device Is Different from the Device IP Address Added to the Portal Server

Use the service diagnosis function to trace the online authentication process of the STA. It is found that the device sends a challenge response packet after receiving a challenge request packet from the Portal server, but receives a challenge request packet from the Portal server again several seconds later.

[HUAWEI] trace object ip-address 10.1.1.64
[HUAWEI] trace enable
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 330
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 0
[BTRACE][2020/11/26 15:23:19][9216][WEB_FC][10.1.1.64]:Receive challenge request packet from portal server.
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:WEB receive packet from portal server successfully.
02 01 00 00 01 4a 00 00 c8 01 01 40 00 00 00 00
db 7c c2 38 22 83 63 21 5e 7a b5 24 dd ea 9f e1
[BTRACE][2020/11/26 15:23:19][9216][WEB_FC][10.1.1.64]:Send packet to NodeID(7168).(UserIP=3355509056)
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:[WEB Proc PS Msg] Server IP = 10.0.0.1, Server Vrf = 0
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:Receive challenge request packet from portal server.
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:Receive challenge request packet from portal server successfully.
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:Receive challenge request packet from portal server.[ReqID=31]
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:Send packet to socket (length = 50 Vrf = 0):
Version         : 2
Type            : challenge ack
Method          : chap
SerialNo        : 330
RequestID       : 2079
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 1
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:WEB send packet to portal server successfully.
02 02 00 00 01 4a 08 1f c8 01 01 40 00 00 00 01
73 80 d8 6b 16 f3 21 f3 1a 6c 5c 12 6c b1 60 1b
03 12 17 ec f7 d2 f9 03 01 a9 bb b3 4f 74 b3 9c
36 00
[BTRACE][2020/11/26 15:23:19][7168][WEB][10.1.1.64]:Send challenge ack packet to portal server.(Result:WEB_CHALLENGEACK_SUCCESS)
[BTRACE][2020/11/26 15:23:24][9216][WEB_FC][10.1.1.64]:Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 330
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 0
[BTRACE][2020/11/26 15:23:24][9216][WEB_FC][10.1.1.64]:WEB_FC receive packet from portal server successfully.
02 01 00 00 01 4a 00 00 c8 01 01 40 00 00 00 00
db 7c c2 38 22 83 63 21 5e 7a b5 24 dd ea 9f e1
[BTRACE][2020/11/26 15:23:24][9216][WEB_FC][10.1.1.64]:Receive challenge request packet from portal server.
[BTRACE][2020/11/26 15:23:24][9216][WEB_FC][10.1.1.64]:Send packet to NodeID(7168).(UserIP=3355509056)
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 330
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 0
AttributeNumber : 0
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:WEB receive packet from portal server successfully.
02 01 00 00 01 4a 00 00 c8 01 01 40 00 00 00 00
db 7c c2 38 22 83 63 21 5e 7a b5 24 dd ea 9f e1
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:[WEB Proc PS Msg] Server IP = 10.0.0.1, Server Vrf = 0
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:Receive challenge request packet from portal server.
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:Receive challenge request packet from portal server successfully.
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:User is in process.
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:Send challenge ack packet to portal server successfully.
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:Send packet to socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge ack
Method          : chap
SerialNo        : 330
RequestID       : 0
UserIP          : 10.1.1.64
ErrorCode       : 3
AttributeNumber : 0
[BTRACE][2020/11/26 15:23:24][7168][WEB][10.1.1.64]:WEB send packet to portal server successfully.
02 02 00 00 01 4a 00 00 c8 01 01 40 00 00 03 00
a2 39 fd 9a 09 a6 4e 73 80 e3 6f d3 ca 65 9d d8

The common cause for this problem is that the Portal server does not process the challenge response packet sent by the device because the source IP address of the challenge response packet is different from the device address configured on the Portal server. Ensure that the source IP address of Portal packets sent by the device is the same as the device IP address added to the Portal server.

You can run the corresponding command to configure the source IP address of Portal packets sent by the device. If no source IP address is configured, the IP address of the outbound interface in the route is used. If the device IP address added to the Portal server is the same as the IP address of that outbound interface, you do not need to configure a source IP address for communication with the Portal server on the device. If they differ, run the corresponding command to configure the source IP address.

  1. If the source IP address for communicating with the Portal server is not configured on the device, the IP address of the outbound interface in the route is used. Search the routing table for the outbound interface based on the IP address of the Portal server, and then determine the IP address based on the outbound interface.
    [HUAWEI] display ip routing-table 10.0.0.1
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Table : Public
    Summary Count : 1
    Destination/Mask   Proto   Pre  Cost  Flags NextHop    Interface
    10.0.0.0/24   Direct  0    0      D   10.0.0.76  Vlanif12
    [HUAWEI] interface Vlanif 12
    [HUAWEI-Vlanif12] display this
    #
    interface Vlanif12
     ip address 10.0.0.76 255.255.255.0
    #
  2. The source IP address for the device to communicate with the Portal server can be configured globally or in a Portal server template. The source IP address configured in a Portal server template takes precedence over that configured globally.

    If wireless configuration synchronization is enabled in a VRRP HSB scenario, you can configure the source IP address for communicating with the Portal server only in the system view. In a single-device scenario, you are advised to configure the source IP address in the Portal server template.

    1. Query the source IP address configured on the device for communicating with the Portal server.
      [HUAWEI] display web-auth-server configuration
       Listening port           : 2000
       Portal                   : version 1, version 2
       Include reply message    : enabled
       Source-IP                : -
      [HUAWEI] display web-auth-server configuration
       Listening port           : 2000
       Portal                   : version 1, version 2
       Include reply message    : enabled
       Source-IP                : 10.2.1.1

      If Source-IP displays a hyphen (-), no source IP address is configured globally. If a specific IP address is displayed, the source IP address is configured globally.

    2. Check whether the source IP address for communicating with the Portal server is configured in the Portal server template.
      [HUAWEI] web-auth-server server_portal
      [HUAWEI-web-auth-server-server_portal] display this
      #
      web-auth-server server_portal
       server-ip 10.0.0.1
       port 50100
       shared-key cipher xxxxxx
       url-template url_portal
       source-ip 10.2.1.1
      #

      If source-ip x.x.x.x does not exist in the Portal server template, no source IP address is configured in the Portal server template.
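The hex dumps in the traces above are Portal protocol datagrams: a 16-byte header (version, type, method, serial number, request ID, user IP, user port, error code, attribute count), a 16-byte Authenticator in v2 only, then TLV attributes. The decoder below is an added example, not code from this guide or from Huawei; it parses the dumps copied from the traces (the bytes carry 200.1.1.64 as the user IP) and checks the v2 Authenticator against a constructed shared key, which is the check behind the "shared-key ... must be the same" message. The Authenticator rule used (MD5 over the packet with the Authenticator zeroed, followed by the shared key) is an assumption about the protocol, not something this page states.

```python
"""Decode Huawei Portal protocol v1/v2 datagrams as they appear in the
BTRACE hex dumps and check the v2 Authenticator with a shared key."""
import hashlib
import hmac
import struct

# Type and Method values common to Portal protocol v1 and v2.
PORTAL_TYPES = {1: "challenge request", 2: "challenge ack",
                3: "authentication request", 4: "authentication ack",
                5: "logout request", 6: "logout ack", 7: "affirm ack auth",
                8: "notify logout", 9: "info request", 10: "info ack"}
METHODS = {0: "chap", 1: "pap"}
HEADER = struct.Struct("!BBBBHH4sHBB")   # 16-byte fixed header
AUTH_LEN = 16                            # Authenticator, v2 only


def parse_portal(raw: bytes) -> dict:
    """Split a Portal datagram into the fields the device trace prints."""
    if len(raw) < HEADER.size:
        raise ValueError("short packet")
    (ver, ptype, method, _rsvd, serial, reqid,
     uip, uport, err, attrnum) = HEADER.unpack_from(raw)
    off = HEADER.size
    auth = b""
    if ver == 2:                          # v1 packets carry no Authenticator
        auth = raw[off:off + AUTH_LEN]
        off += AUTH_LEN
    attrs = []
    for _ in range(attrnum):              # TLV attributes: type, total length, value
        atype, alen = raw[off], raw[off + 1]
        attrs.append((atype, raw[off + 2:off + alen]))
        off += alen
    if off != len(raw):
        raise ValueError("attribute lengths do not match packet length")
    return {"version": ver, "type": PORTAL_TYPES.get(ptype, ptype),
            "method": METHODS.get(method, method), "serial": serial,
            "reqid": reqid, "user_ip": ".".join(str(b) for b in uip),
            "user_port": uport, "errcode": err, "attrs": attrs,
            "authenticator": auth}


def portal_v2_authenticator(raw: bytes, shared_key: bytes) -> bytes:
    """Assumed v2 rule: MD5(header + 16 zero bytes + attributes + shared key)."""
    zeroed = raw[:HEADER.size] + bytes(AUTH_LEN) + raw[HEADER.size + AUTH_LEN:]
    return hashlib.md5(zeroed + shared_key).digest()


def authenticator_ok(raw: bytes, shared_key: bytes) -> bool:
    """True if a v2 packet's Authenticator was produced with shared_key."""
    pkt = parse_portal(raw)
    if pkt["version"] != 2:
        return False
    return hmac.compare_digest(pkt["authenticator"],
                               portal_v2_authenticator(raw, shared_key))


def build_v2(ptype, serial, reqid, user_ip, shared_key, attrs=(), method=0, err=0):
    """Construct a v2 packet with a valid Authenticator (for the demo below)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = HEADER.pack(2, ptype, method, 0, serial, reqid,
                       bytes(int(x) for x in user_ip.split(".")), 0, err, len(attrs))
    draft = head + bytes(AUTH_LEN) + body
    return head + portal_v2_authenticator(draft, shared_key) + body


def from_dump(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


# Hex dumps copied from the traces above (the bytes carry UserIP 200.1.1.64).
CHALLENGE_REQ_V2 = from_dump("02 01 00 00 00 f5 00 00 c8 01 01 40 00 00 00 00 "
                             "77 95 11 3a d4 82 10 86 51 ba 11 4e bb 30 a9 c6")
CHALLENGE_REQ_V1 = from_dump("01 01 00 00 01 0d 00 00 c8 01 01 40 00 00 00 00")
CHALLENGE_ACK_V2 = from_dump("02 02 00 00 01 4a 08 1f c8 01 01 40 00 00 00 01 "
                             "73 80 d8 6b 16 f3 21 f3 1a 6c 5c 12 6c b1 60 1b "
                             "03 12 17 ec f7 d2 f9 03 01 a9 bb b3 4f 74 b3 9c 36 00")
CHALLENGE_ACK_BUSY = from_dump("02 02 00 00 01 4a 00 00 c8 01 01 40 00 00 03 00 "
                               "a2 39 fd 9a 09 a6 4e 73 80 e3 6f d3 ca 65 9d d8")

if __name__ == "__main__":
    for raw in (CHALLENGE_REQ_V2, CHALLENGE_REQ_V1, CHALLENGE_ACK_V2, CHALLENGE_ACK_BUSY):
        p = parse_portal(raw)
        print(f"v{p['version']} {p['type']:<24} serial={p['serial']} reqid={p['reqid']} "
              f"userip={p['user_ip']} err={p['errcode']} attrs={len(p['attrs'])}")
    # The real shared key is not on the page, so the check is shown on a constructed packet.
    key = b"constructed-shared-key"
    pkt = build_v2(1, 245, 0, "10.1.1.64", key)
    print("right key:", authenticator_ok(pkt, key))      # True
    print("wrong key:", authenticator_ok(pkt, b"other"))  # False
```

The challenge ack with ErrCode 3 decodes to the "User is in process" reply the device sent when the Portal server repeated the request, which is why the absence of a response to the first ack points at the source IP rather than at the packet itself.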

NAT Is Deployed Between the STA and the Portal Server

Use the service diagnosis function (based on the STA's IP address) to trace the online authentication process of the STA, but no information is displayed. Run the debugging web all command. The command output shows that the device has received a request packet from the Portal server, but the IP address of the packet is not the actual IP address of the STA.

[HUAWEI] trace object ip-address user-ip-address
[HUAWEI] trace enable
Nov 27 2020 15:22:48.840.1+08:00 AC_8_76 WEB/7/DEBUG:Slot=0,Vcpu=6;
Received packet from socket (length = 32 Vrf = 0):
Version         : 2
Type            : challenge request
Method          : chap
SerialNo        : 639
RequestID       : 0
UserIP          : 10.0.0.76
ErrorCode       : 0
AttributeNumber : 0
[AC_8_76]
Nov 27 2020 15:22:48.840.2+08:00 AC6605_8_76 WEB/7/DEBUG:Slot=0,Vcpu=6;
02 01 00 00 02 7f 00 00 0c 0c 0c 4c 00 00 00 00
b4 1c 01 21 e0 10 db 11 d7 5b 98 cf 0d d2 3f 3a
[HUAWEI] display access-user
-----------------------------------------------------------------
UserID  Username         IP address     MAC                Status
----------------------------------------------------------------- 
16608   5cd998bc034c    10.1.1.64    5cd9-98bc-034c   Pre-authen
-----------------------------------------------------------------
Total: 1, printed: 1

The cause for this problem is the NAT configuration between the STA and Portal server. The source IP address of the HTTP request packet sent from the STA to the Portal server is the NAT-translated IP address. The Portal server cannot find STA information based on the IP address. As a result, the authentication fails. In this case, the STA's IP address parameter needs to be carried in the URL template.

[HUAWEI] url-template name url_portal
[HUAWEI-url-template-url_portal] url-parameter user-ipaddress userip

The RADIUS Server Returns an Access-Reject Packet

Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. The User online fail reason field displays Radius authentication reject.

[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name               : test
Domain name             : domain_test
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32846
User login time         : 2020/10/19 14:53:22
User online fail reason : Radius authentication reject
Authen reply message    : ErrorReason is Incorrect user na...
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test
----------------------------------------------------------------

Based on the service diagnosis function, trace the authentication process of the STA. It is found that the RADIUS server responds with an Access-Reject packet.

[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]:
Received a authentication reject packet from radius server(server ip = 10.10.10.1).
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]:
Server Template: 4
Server IP   : 10.10.10.1
Server Port : 1812
Protocol: Standard
Code    : 3
Len     : 176
ID      : 80
[EAP-Message                        ] [6 ] [04 22 00 04 ]
[State                              ] [16] [\001u?\237\372O]
[Reply-Message                      ] [116] [ErrorReason is Incorrect user name or password or Incorrect dataSource or Incorrect access device key.ErrCode:4101]
[Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
[BTRACE][2020/10/19 14:53:23][6144][RADIUS][64e5-99f3-18f6]:Send authentication reject message to AAA.
[BTRACE][2020/10/19 14:53:23][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_AUTHENREJECT message(51) from RADIUS module(235).

There are various causes for this problem, for example, the user name or password is incorrect, or no authorization policy matches. You can locate the root cause by checking the server logs and then adjust the server, terminal, or device configuration.

The RADIUS Server Does Not Respond

Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, User online fail reason displays The radius server is up but has no reply or The radius server is not reachable.

[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name               : test
Domain name             : domain_test
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32861
User login time         : 2020/10/19 17:01:02
User online fail reason : The radius server is up but has no reply
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test
----------------------------------------------------------------
[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name               : test
Domain name             : domain_test
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32865
User login time         : 2020/10/19 20:43:21
User online fail reason : The radius server is not reachable
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test
----------------------------------------------------------------

Based on the service diagnosis function, trace the authentication process of the STA. It is found that the RADIUS server does not respond.

[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]:
CID:51  TemplateNo:4  SerialNo:62
SrcMsg:AAA_RD_MSG_AUTHENREQ
PriyServer::: Vrf:0
SendServer:10.10.10.1 Vrf:0
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]:Radius server is up but no response.
[BTRACE][2020/10/19 17:01:03][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]authen finish,the authen fail code is:8,reason is:Radius server is up but no response.
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]:
AAA receive AAA_RD_MSG_SERVERNOREPLY message(61) from RADIUS module(235).
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]:
CID:55  TemplateNo:4  SerialNo:69
SrcMsg:AAA_RD_MSG_AUTHENREQ
PriyServer::: Vrf:0
SendServer:10.10.10.1 Vrf:0
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]:Radius authentication has no response.
[BTRACE][2020/10/19 20:43:22][6144][AAA][64e5-99f3-18f6]:
[AAA ERROR]authen finish,the authen fail code is:7,reason is:Radius authentication has no response.

Troubleshoot the fault as follows:

  1. Check whether the IP address of the device is correctly added to the RADIUS server.

    If not, add the correct IP address of the device to the RADIUS server.

  2. If the IP address of the device is correctly added to the RADIUS server, check whether the IP address of the device is the same as the source IP address of RADIUS authentication request packets sent by the device.

    You can run the corresponding command to configure the source IP address of RADIUS authentication request packets sent by the device. If no source IP address is configured, the IP address of the outbound interface in the route is used. If the IP address of the device added to the RADIUS server is the same as the IP address of that outbound interface, you do not need to configure a source IP address for communication with the RADIUS server on the device. If they differ, run the command to configure the source IP address.

    1. Search the routing table for the outbound interface based on the IP address of the RADIUS server, and then determine the IP address based on the outbound interface. If the IP address of the device added to the RADIUS server is the same as the IP address of the outbound interface in the route, you do not need to run the command to configure the source IP address for communicating with the RADIUS server.
      [HUAWEI] display ip routing-table 10.10.10.1
      Route Flags: R - relay, D - download to fib
      ------------------------------------------------------------------------------
      Routing Table : Public
      Summary Count : 1
      Destination/Mask Proto  Pre Cost Flags NextHop     Interface
      10.10.10.0/24     Direct 0   0     D     10.10.10.76   Vlanif12
      [HUAWEI] interface Vlanif 12
      [HUAWEI-Vlanif12] display this
      #
      interface Vlanif12
       ip address 10.10.10.76 255.255.255.0
      #
    2. If the IP address of the device added to the RADIUS server is different from the IP address of the outbound interface in the route, configure the source IP address for communicating with the RADIUS server on the device. The source IP address can be configured globally or in a RADIUS server template. The source IP address configured in a RADIUS server template takes precedence over that configured globally.

      If wireless configuration synchronization is enabled in a VRRP HSB scenario, you can configure the source IP address for communicating with the RADIUS server only in the system view. In a single-device scenario, you are advised to configure the source IP address in the RADIUS server template.

      Query the source IP address configured on the device for communicating with the RADIUS server.

      1. Check whether the source IP address for communicating with the RADIUS server is configured globally.
        [HUAWEI] display radius-server configuration
        ------------------------------------------------------
        Global:
         Radius Server Source IP Address           : -
         Radius Server Source IPv6 Address         : ::
         Radius Attribute Nas IP Address           : -
         Radius Attribute Nas IPv6 Address         : ::
        ------------------------------------------------------
        [HUAWEI] display radius-server configuration
        ------------------------------------------------------
        Global:
         Radius Server Source IP Address           : 10.1.1.1
         Radius Server Source IPv6 Address         : ::
         Radius Attribute Nas IP Address           : -
         Radius Attribute Nas IPv6 Address         : ::
        ------------------------------------------------------

        If Radius Server Source IP Address displays a hyphen (-), no source IP address is configured globally. If a specific IP address is displayed, the source IP address is configured globally.

      2. Check whether the source IP address for communication with the RADIUS server is configured in the RADIUS server template.
        [HUAWEI] radius-server template radius_test
        [HUAWEI-radius-radius_test] display this
        #
        radius-server template radius_test
         radius-server shared-key cipher %^%#x\[y<Fe^2Dee<5/L>B5Wd"!3GqH6,@[kW(Xi6PYA%^%#
         radius-server authentication 10.10.10.1 1812 source ip-address 10.1.1.1 weight 80
         radius-server accounting 10.10.10.1 1813 source ip-address 10.1.1.1 weight 80
        #
        [HUAWEI] radius-server template radius_test
        [HUAWEI-radius-radius_test] display this
        #
        radius-server template radius_test
         radius-server shared-key cipher %^%#x\[y<Fe^2Dee<5/L>B5Wd"!3GqH6,@[kW(Xi6PYA%^%#
         radius-server authentication 10.10.10.1 1812 source Vlanif 100 weight 80
         radius-server accounting 10.10.10.1 1813 source Vlanif 100 weight 80

        If source ip-address or source Vlanif is displayed next to the authentication or accounting server in the RADIUS server template, the source IP address is configured in the RADIUS server template.

      Configure the source IP address for communication with the RADIUS server.

      1. Configure the source address for communication with the RADIUS server in the system view.
        [HUAWEI] radius-server source ip-address 10.1.1.1
      2. Configure the source IP address for communication with the RADIUS server in the RADIUS template.
        [HUAWEI] radius-server template radius_test
        [HUAWEI-radius-radius_test] radius-server authentication 10.10.10.1 1812 source ip-address 10.1.1.1

  3. Check whether the link between the device and RADIUS server is normal.

    1. Ping the server from the specified source IP address on the device to check whether the route is reachable.
      [HUAWEI] ping -a 10.10.10.76 10.10.10.1
    2. Obtain packet headers on the device and server to check whether authentication packets are sent and received normally. The common problem is that a firewall on the intermediate network does not permit RADIUS packets (default authentication port: 1812).

  4. Check whether the RADIUS server status is normal. If STState does not display STState-up, the RADIUS server status is abnormal.

    [HUAWEI] display radius-server item template radius_test
    ---------------------------------------------------------------
      STState    = STState-up
      STChgTime  = -
      Type       = auth-server
      State      = state-up
      AlarmFlag  = false
      STUseNum   = 1
      IPAddress  = 10.10.10.76
      AlarmTimer = 0xffffffff
      Head       = 10274
      Tail       = 10273
      ProbeID    = 255
     --------------------------------------------------------------

  5. Check whether the shared key configured on the device is the same as that on the RADIUS server. You can run the test-aaa command and enable RADIUS debugging. If Authenticator error is displayed in the debugging information, the shared keys configured on the device and RADIUS server are inconsistent. In this case, change the shared keys on the device and RADIUS server to be the same.

    [HUAWEI] test-aaa test test radius-template radius_test
    [HUAWEI]
    Oct 24 2020 15:57:49.591.1+08:00 AC6605_129_76 RDS/7/DEBUG:
    RADIUS packet: IN (TotalLen=20)
    Len 1 ~ 20:
    02 08 00 14 F6 DA 06 57 40 25 32 2A A9 70 6E FD
    46 F6 B1 25
    [HUAWEI]
    Oct 24 2020 15:57:49.591.2+08:00 AC6605_129_76 RDS/7/DEBUG:
    [RDS(Err):] Receive a illegal packet(Authenticator error), please check share key config.(ip:10.10.10.1 port:1812)

    You can configure a shared key for a specified RADIUS server in the system view or in the RADIUS server template view. The shared key configured in the system view takes precedence over that configured in the RADIUS server template view.

    You are advised to configure the shared key in the RADIUS server template. If the shared key is configured in both the system and template, you are advised to delete the global configuration and retain only the configuration in the template.

    Configure a shared key in the RADIUS server template.

    [HUAWEI] radius-server template radius_test
    [HUAWEI-radius-radius_test] radius-server shared-key cipher huawei@123

    Configure a shared key of the RADIUS server globally.

    [HUAWEI] radius-server ip-address 10.10.10.1 shared-key cipher huawei@123
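The Authenticator error in step 5 comes from the Response Authenticator check that RFC 2865 requires of every RADIUS client: the device recomputes MD5(Code + ID + Length + RequestAuth + Attributes + Secret) over the reply with its own copy of the shared key and compares it with the 16 bytes the server sent. The following Python script is an added illustration of that check, not Huawei's implementation and not code from this guide. It parses the 20-byte Access-Accept dumped in the debugging output above and then, with a constructed Request Authenticator and the key from the configuration example (plus a deliberately mistyped one), shows that a key mismatch on either side produces exactly the failure the device reports.

```python
import hashlib
import hmac
import struct

# RADIUS header: Code (1) | Identifier (1) | Length (2) | Authenticator (16)
HEADER = struct.Struct("!BBH16s")

# The 20-byte Access-Accept dumped in the debugging output above
# (Code 02, ID 08, Length 0x0014, then the 16-byte Response Authenticator).
PAGE_DUMP = bytes.fromhex(
    "02 08 00 14 F6 DA 06 57 40 25 32 2A A9 70 6E FD 46 F6 B1 25"
)

def parse_header(packet):
    """Return (code, identifier, length, authenticator) of a RADIUS packet."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    return HEADER.unpack(packet[:HEADER.size])

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs)
    return hashlib.md5(
        struct.pack("!BBH", code, ident, length) + request_auth + attrs + secret
    ).digest()

def build_access_accept(ident, attrs, request_auth, secret):
    """What the RADIUS server sends back, signed with its copy of the shared key."""
    auth = response_authenticator(2, ident, attrs, request_auth, secret)
    return HEADER.pack(2, ident, HEADER.size + len(attrs), auth) + attrs

def verify_response(packet, request_auth, secret):
    """The check the device performs with its own copy of the shared key.

    Returns (ok, reason). 'Authenticator error' is the condition behind the
    'please check share key config' debugging message.
    """
    try:
        code, ident, length, received = parse_header(packet)
    except ValueError as exc:
        return False, str(exc)
    if length != len(packet) or length < HEADER.size:
        return False, "Length field does not match packet size"
    attrs = packet[HEADER.size:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(received, expected):
        return False, "Authenticator error"
    return True, "ok"

# Constructed values for the demonstration: the Request Authenticator the device
# would have generated for its test-aaa Access-Request, and two shared keys.
REQUEST_AUTH = bytes(range(16))
SERVER_KEY = b"huawei@123"       # the key used in the configuration example above
MISTYPED_KEY = b"huawei@124"     # constructed, deliberately mismatched key

def demo():
    """Return the verification results for a matching and a mismatched key."""
    reply = build_access_accept(8, b"", REQUEST_AUTH, SERVER_KEY)
    return {
        "same_key": verify_response(reply, REQUEST_AUTH, SERVER_KEY),
        "mismatched_key": verify_response(reply, REQUEST_AUTH, MISTYPED_KEY),
    }

if __name__ == "__main__":
    code, ident, length, auth = parse_header(PAGE_DUMP)
    print(f"page dump: code={code} id={ident} len={length} authenticator={auth.hex()}")
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'ok' if ok else reason}")
```

Because the real Request Authenticator that produced the dumped reply is not in the debugging output, the script cannot re-verify that particular packet; it only decodes its header. The point of the demo is that the error is symmetric: the device cannot tell whether its own key or the server's key was mistyped, which is why step 5 has you align both sides rather than change only one.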

RADIUS Authorization Data Check Fails

Run the display aaa online-fail-record mac-address H-H-H command to check the STA's online failure records. In the command output, the User online fail reason field displays Authorization data error.

[HUAWEI] display aaa online-fail-record mac-address 64e5-99f3-18f6
----------------------------------------------------------------
User name               : test
Domain name             : domaintest
User MAC                : 64e5-99f3-18f6
User access type        : 802.1x
User access interface   : Wlan-Dbss17496
Qinq vlan/User vlan     : 0/200
User IP address         : -
User IPV6 address       : -
User ID                 : 32873
User login time         : 2020/10/24 16:32:34
User online fail reason : Authorization data error
Authen reply message    : -
User name to server     : test
AP ID                   : 0
Radio ID                : 0
AP MAC                  : 18de-d777-c120
SSID                    : dot1x_test
----------------------------------------------------------------

The RADIUS server grants related permissions (such as ACL), but the corresponding authorization content is not configured on the device (for example, the authorization ACL is not created). Alternatively, the RADIUS server has authorized a VLAN, but Portal authentication does not support VLAN authorization.

Based on the service diagnosis function, trace the authentication process of the STA and check authorization data delivered by the RADIUS server.

[HUAWEI] trace object mac-address 64e5-99f3-18f6
[HUAWEI] trace enable
  • Authorization ACL check failure
    Received a authentication accept packet from radius server(server ip = 10.12.12.1).
    [BTRACE][2020/10/24 16:52:19][6144][RADIUS][64e5-99f3-18f6]:
    Server Template: 4
    Server IP   : 10.12.12.1
    Server Port : 1812
    Protocol: Standard
    Code    : 2
    Len     : 182
    ID      : 205
    [Filter-Id                          ] [6 ] [3000]
    [EAP-Message                        ] [6 ] [03 4c 00 04 ]
    [State                              ] [16] [\001uY\314\321\003]
    [MS-MPPE-Send-Key                   ] [52] [bd ce 7f 1d bf 78 33 d4 6c 45 d8 d0 1b f7 ee d2 02 16 7a ac fd 62 25 88 f7 84 7a 22 44 d8 01 8a 99 a3 33 66 7d 47 e9 a7 ed 88 d5 01 f8 62 4f 9d cd 56 ]
    [MS-MPPE-Recv-Key                   ] [52] [bd ce 7f 54 6f 27 35 d1 01 5c f1 5e aa e8 27 91 c7 8b 89 2f 06 8f ac 46 13 5c 92 78 ec cf 39 aa dc bb f8 ff b1 b8 5c 42 6b f8 ca 80 76 b1 e8 35 c9 ed ]
    [Message-Authenticator              ] [18] [00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ]
    [BTRACE][2020/10/24 16:52:19][6144][RADIUS][64e5-99f3-18f6]:Send authentication reply message to AAA.
    [BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:
    AAA receive AAA_RD_MSG_AUTHENACCEPT message(50) from RADIUS module(235).
    [BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:
    CID:58  TemplateNo:4  SerialNo:75
    SrcMsg:AAA_RD_MSG_AUTHENREQ
    PriyServer::: Vrf:0
    SendServer:10.12.12.1 Vrf:0
    SessionTimeout:0 IdleTimeout:0
    AcctInterimInterval:0 RemanentVolume:0
    InputPeakRate:0 InputAverageRate:0
    OutputPeakRate:0 OutputAverageRate:0
    InputBasicRate:0 OutputBasicRate:0
    InputPBS:0 OutputPBS:0
    Priority:[0,0] DNS:[0.0.0.0, 0.0.0.0]
    ServiceType:0 LoginService:0 AdminLevel:0 FramedProtocol:0
    LoginIpHost:0 NextHop:0
    EapLength:4 ReplyMessage:
    TunnelType:0 MediumType:0 PrivateGroupID:
    ACLID:3000
    WlanReasonCode:0
    [BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:
    [AAA ERROR]AAA check radius authen ack, check acl error!
    [BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:Radius authorization data error.
    [BTRACE][2020/10/24 16:52:19][6144][AAA][64e5-99f3-18f6]:
    [AAA ERROR]authen finish,the authen fail code is:16,reason is:Radius authorization data error.

    Precautions for authorization ACL: In wireless scenarios, the authorization ACL ID ranges from 3000 to 3031, and the maximum value of rule id in the ACL is 64.

Troubleshoot the fault as follows:

  1. Check whether the corresponding authorization is required.

    • If authorization is required, create the corresponding authorization information on the device. For example, create the corresponding VLAN on the device for VLAN-based authorization, and create the corresponding ACL for ACL-based authorization and configure the corresponding rules in the ACL.
    • If authorization is not required, you can modify the authorization policy on the RADIUS server to delete the corresponding authorization content. You can also run the following command to configure the device to ignore the corresponding authorization content:

      Ignore the authorization VLAN.

      [HUAWEI] radius-server template radius_test
      [HUAWEI-radius-radius_test] radius-server attribute translate
      [HUAWEI-radius-radius_test] radius-attribute disable Tunnel-Private-Group-ID receive

      Ignore the authorization ACL.

      [HUAWEI] radius-server template radius_test
      [HUAWEI-radius-radius_test] radius-server attribute translate
      [HUAWEI-radius-radius_test] radius-attribute disable Filter-Id receive
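The trace above fails at "check acl error" because the Access-Accept carries Filter-Id 3000 while no ACL 3000 exists on the device, and the two remedies are either to create the authorized object locally or to drop the attribute on receipt. The following Python script is an added illustration of that decision, written for this guide and not taken from the device software: it decodes the Filter-Id and Tunnel-Private-Group-ID attributes from a constructed attribute area (the values mirror the trace: ACL 3000, plus a tagged VLAN 200), applies the precautions stated above for wireless scenarios (ACL IDs 3000 to 3031, rule id at most 64) and the rule that Portal users cannot be authorized a VLAN, and honours an ignore list that stands in for radius-attribute disable ... receive. The exact order and wording of the device's internal checks are an assumption; the attribute numbers are the standard RFC 2865/2868 values.

```python
# RADIUS attribute types involved in the authorization check (RFC 2865/2868).
FILTER_ID = 11                   # carries the authorization ACL number
TUNNEL_PRIVATE_GROUP_ID = 81     # carries the authorization VLAN

# Limits stated in the precautions above for wireless scenarios.
WIRELESS_ACL_IDS = range(3000, 3032)   # 3000 to 3031 inclusive
MAX_ACL_RULE_ID = 64

def parse_attributes(blob):
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_attributes(pairs):
    """Encode (type, value) pairs as RADIUS TLVs; used only to construct sample input."""
    return b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in pairs)

def tunnel_group_id(value):
    """Strip the optional RFC 2868 tag octet (0x00-0x1F) and return the VLAN string."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    return value.decode("ascii", "replace")

def check_authorization(attrs, access_type, local_acls, local_vlans, ignored=()):
    """Decide whether the Access-Accept's authorization data can be applied.

    local_acls maps ACL number -> highest rule id configured in that ACL.
    ignored lists attribute names the device drops on receipt, standing in for
    'radius-attribute disable <name> receive'. Returns (ok, reason); the check
    order and messages are this example's assumption, not the device's own.
    """
    for atype, value in attrs:
        if atype == FILTER_ID and "Filter-Id" not in ignored:
            try:
                acl_id = int(value.decode("ascii"))
            except ValueError:
                return False, "Filter-Id is not an ACL number"
            if acl_id not in WIRELESS_ACL_IDS:
                return False, f"ACL {acl_id} is outside the authorization range 3000-3031"
            if acl_id not in local_acls:
                return False, f"ACL {acl_id} is not created on the device"
            if local_acls[acl_id] > MAX_ACL_RULE_ID:
                return False, f"ACL {acl_id} has a rule id above {MAX_ACL_RULE_ID}"
        elif atype == TUNNEL_PRIVATE_GROUP_ID and "Tunnel-Private-Group-ID" not in ignored:
            vlan = tunnel_group_id(value)
            if access_type == "Web":
                return False, "Portal authentication does not support VLAN authorization"
            if vlan not in local_vlans:
                return False, f"VLAN {vlan} is not created on the device"
    return True, "ok"

# Constructed sample attribute area: Filter-Id "3000" as in the trace above,
# plus a tagged (tag 0x01) Tunnel-Private-Group-ID of VLAN 200.
SAMPLE_ATTRS = build_attributes([
    (FILTER_ID, b"3000"),
    (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"200"),
])

def demo():
    """Run the four situations discussed in the troubleshooting steps."""
    attrs = parse_attributes(SAMPLE_ATTRS)
    return {
        # the failing case from the trace: ACL 3000 was never created on the device
        "acl_missing": check_authorization(attrs, "802.1x", {}, {"200"}),
        # the fix: create ACL 3000 (with rules) and VLAN 200 before the user goes online
        "acl_created": check_authorization(attrs, "802.1x", {3000: 5}, {"200"}),
        # a Portal (Web) user: the VLAN authorization itself is the error
        "portal_vlan": check_authorization(attrs, "Web", {3000: 5}, {"200"}),
        # the alternative: drop both attributes on receipt instead
        "ignored": check_authorization(attrs, "Web", {}, set(),
                                       ignored=("Filter-Id", "Tunnel-Private-Group-ID")),
    }

if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label}: {'ok' if ok else 'Authorization data error: ' + reason}")
```

Run it as is to see the four outcomes. Dropping an attribute with the ignore list is the quicker fix, but it silently removes a permission the RADIUS administrator intended to apply, so creating the authorized ACL or VLAN on the device, or removing the authorization from the server policy, keeps the two sides in agreement.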

When the Device Connects to the Agile Controller server (AC1.0), an Authentication Success Page Is Displayed, but the Portal Authentication Page Is Displayed When the User Accesses the Network

When the device connects to the Agile Controller, the user enters the user name and password on the Portal authentication page and is successfully authenticated. However, when the user accesses another web page, the Portal authentication page is displayed again. Check the user status on the device. The user is still in Pre-authen state.

The cause for this problem is that the STA IP address list is not configured on the Agile Controller or the configured STA IP address list is inconsistent with the actual STA IP address, as shown in the following figure.

The Authentication Success Page and Pushed Page Are Repeatedly Displayed

When the device connects to the Agile Controller, the user enters the user name and password on the Portal authentication page and is successfully authenticated. The system automatically redirects the user to the pushed page, and then redirects the user to the authentication success page. This process repeats. Check the user status on the device. The user is still in Pre-authen state.

The cause for this problem is that the STA IP address list is not configured on the Agile Controller or the configured STA IP address list is inconsistent with the actual STA IP address, as shown in the following figure. This symptom occurs because the Agile Controller is configured to push a specified page after successful authentication.

After a PC Is Successfully Authenticated, the User Closes the Authentication Page. After a Period of Time, the Portal Authentication Page Is Displayed Again When the PC Accesses the Web Page

After a PC passes Portal authentication, the user closes the authentication page. After a period of time, the Portal authentication page is displayed again when the PC accesses the web page. Run the display aaa offline-record mac-address H-H-H command on the device to check the STA going-online and offline records. The displayed reason for the STA to go offline is Web user request.

[HUAWEI] display aaa offline-record mac-address 5cd9-98bc-034c
----------------------------------------------------------------
User name             : test
Domain name           : radius
User MAC              : 5cd9-98bc-034c
User access type      : Web
User access interface : Wlan-Dbss17498
Qinq vlan/User vlan   : 0/200
User IP address       : 10.1.1.64
User IPV6 address     : -
User ID               : 16614
User login time       : 2020/11/28 10:17:57
User offline time     : 2020/11/28 10:28:47
User offline reason   : Web user request
User name to server   : test
AP ID                 : 0
Radio ID              : 0
AP MAC                : 18de-d777-c120
SSID                  : portal_test
----------------------------------------------------------------

There is a high probability that this problem occurs because Wireless PC compatibility is not enabled in Session Timeout Interval of Wireless Terminal Web Authentication on the Agile Controller. To resolve this problem, enable Wireless PC compatibility in Session Timeout Interval of Wireless Terminal Web Authentication, as shown in the following figure.

Update Date:2025-05-13
Document ID:EDOC1000091883