No relevant resource is found in the selected language.
Enterprise
Worldwide
Search
Support Documentation
How to Log In to WLAN ACs and APs
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
How to Log In to WLAN ACs and APs

How to Log In to WLAN ACs and APs

Introduction

This document describes how to log in to Huawei ACs and APs.

Table 1-1 lists common scenarios where you need to log in to ACs and APs.

Table 1-1 Common AC and AP login scenarios

WLAN Device

Mode Switching upon Deployment

Service Configuration

Routine O&M

Fault Diagnosis

AC

-

Fit AP

×

×

×

Fat AP

Cloud AP

×

×

The user name and password may be required during the login. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it. If you forget the password, take measures by referring to the Troubleshooting WLAN Password Issues.

Internet Explorer, Firefox, or Chrome of the latest version is recommended for you to log in to the device using the web system. If a browser of an earlier version is used, the web page may not be properly displayed.

Logging In to an AC

Learning About AC Login Modes

You can log in to an AC through a network port or console port.

Table 1-2 AC login modes

Physical Connection Mode

Login Mode

Description

Applicable Models and Versions

Network port

CLI

Connect a PC to a network port on the AC through an Ethernet cable, and log in to the AC through STelnet or Telnet using a command line tool.

All models and versions

Web

Connect a PC to a network port on the AC through an Ethernet cable, and log in to the AC using a web browser.

All models and versions

Web (redirection login)

Log in to an online cloud AC from iMaster NCE-Campus.

All models running V200R010 or later

Console port

CLI

Connect a PC to the console port on the AC through a serial cable, and log in to the AC using a command line tool.

All models and versions

The STelnet service (port 22) and HTTPS service (port 443) are enabled on the AC before delivery. You can log in to the network port on the AC using an STelnet command line tool or web browser. In most cases, you are advised to log in to the AC through a network port to perform service configuration and O&M. If you cannot log in to the AC through a network port due to a network fault or you need to enter the BIOS menu to locate the fault during the device startup, you can log in to the AC through the console port.

Logging In to the AC Through a Network Port

Logging In to an AC Directly Through a Network Port

Applicable Scope

Applicable model: all AC models

Applicable version: all V200 versions

Recommended scenario: service configuration and O&M

Background

Some AC models have an independent management network port (as listed in Table 1-3), which allows you to log in to the AC. If an AC does not have a management network port, you can log in to the AC through a service network port. By default, the IP address of an AC is 169.254.1.1. If its IP address has been changed, use the actual IP address to log in.

Table 1-3 Management network port on an AC

Appearance of the Management Network Port

Management Network Port Silkscreen

ETH

ETH

ETH

The AC6800V runs on the hardware of a FusionServer 2288H V5 server. Its management network port is used to log in to the iBMC for underlying software and hardware management. To log in to the AC6800V to manage WLAN services, connect a PC to a service network port of the AC6800V.

By default, management plane isolation is enabled on an AC with a management network port to improve security. You can log in to the AC only through the management network port. To log in to the AC through a service network port, log in to the AC through the console port or management network port and run the mgmt isolate disable command to disable management plane isolation.

Cable Connection

Connect a PC to a network port on the AC through an Ethernet cable.

Connection Mode

Connection Diagram

The PC is directly connected to the management network port on the AC.

The PC is directly connected to a service network port on the AC.

The PC is connected to the AC through a switch.

Procedure (CLI)

From V200R005C00, the Telnet service is disabled on an AC by default because Telnet may bring security risks. To log in to the AC using Telnet, log in to the AC in another mode first and run the telnet [ ipv6 ] server enable command to enable the Telnet service.

  1. Connect a PC to a network port on the AC through an Ethernet cable.
  2. On the PC, set the IP address of the network adapter to be in the same network segment as the IP address of the AC, for example, 169.254.1.100/24. Ensure that the PC can ping the IP address of the AC.

    C:\>ping 169.254.1.1      //Ping the IP address of the AC.

Pinging 169.254.1.1 with 32 bytes of data:
Reply from 169.254.1.1: bytes=32 time=1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 169.254.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, rectify the fault by referring to Login Failure Due to Network Disconnection or replace the Ethernet cable.

  3. Open a command line tool (PuTTY as an example), set the connection type to SSH, enter the IP address of the AC, and click Open.

    If a security certificate alert is displayed, click Y.

  4. Verify the login as prompted and press Enter.

    login as: admin      //Enter the user name.

admin@169.254.1.1's password:      //Enter the password.

<AC>
    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Procedure (Web)
  1. Connect a PC to a network port on the AC through an Ethernet cable.
  2. On the PC, set the IP address of the network adapter to be in the same network segment as the IP address of the AC, for example, 169.254.1.100/24. Ensure that the PC can ping the IP address of the AC.

    C:\>ping 169.254.1.1      //Ping the IP address of the AC.

Pinging 169.254.1.1 with 32 bytes of data:
Reply from 169.254.1.1: bytes=32 time=1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 169.254.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, rectify the fault by referring to Login Failure Due to Network Disconnection or replace the Ethernet cable.

  3. Visit 169.254.1.1 using a web browser on the PC.

    If a security certificate alert is displayed, ignore it and continue the access.

  4. Select a language, enter the user name and password, and click Login.

    The following figure shows the web system login page, which may slightly vary depending on actual scenarios.

    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Logging In to a Cloud AC from iMaster NCE-Campus

Applicable Scope

Applicable model: all AC models

Applicable version: V200R010C00 or later

Recommended scenario: service configuration and O&M

Background

You can log in to the web system of an online cloud AC from iMaster NCE-Campus.

Cable Connection

Procedure
  1. Log in to iMaster NCE-Campus as a tenant administrator.
  2. Choose Design > Site Design > Device Management, click the cloud AC name, and then click Device Configuration in the upper right corner.

    If the browser displays a message indicating that pop-ups have been blocked, click on the right of the address box to allow pop-ups and try again.

  3. In the displayed dialog box, log in to the AC as an administrator.

    If a security certificate alert is displayed, ignore it and continue the access.

Logging In to the AC Through the Console Port

Applicable Scope

Applicable model: all AC models

Applicable version: all V200 versions

Recommended scenario: failure to log in through a network port, and access to the BIOS menu

Background

If you cannot log in to the AC through a network port due to a network fault or you need to enter the BIOS menu to locate the fault during the device startup, you can log in to the AC through the console port.

Table 1-4 shows the console port silkscreens on ACs.
Table 1-4 Console ports on ACs

Console Port Appearance

Console Port Silkscreen

CONSOLE

CONSOLE

IOIOI

CON

CONSOLE

Cable Connection

Connect a PC to the console port on the device using a serial cable. If the PC does not have a DB9 port, prepare a USB adapter cable.

Procedure

  1. Connect a PC to the console port on the AC using a serial cable.
  2. Open a command line tool (PuTTY as an example), set the connection type to Serial, set Serial line to COM1, and click Open.

    The PC may have multiple connection ports. Set Serial line to the port to which the console cable is connected. In most cases, the port COM1 is used. Ensure that the COM port supports Serial Port and is identified in the device manager.

    Generally, the default baud rate (Speed) is retained. When you log in to the AC6800V through the console port, set the baud rate to 115200.

  3. Complete the login authentication as prompted and enter the CLI view.

    • If the device has started up, enter authentication information as prompted and press Enter.

      For V200R019C00 or earlier, enter the device login password. For V200R019C10 or later, enter the user name and password. You must change the password upon your first login.

      Username:admin      //Enter the user name.
Password:           //Enter the password.
Info: Current mode: Monitor (automatically making switching decisions).
  ----------------------------------------------------------------------------- 
  User last login information:
  -----------------------------------------------------------------------------
  Access Type: Serial
  IP-Address : --
  Time       : 2021-03-02 19:31:18+00:00
  -----------------------------------------------------------------------------
<AC>
    • To enter the BIOS menu of the AC, restart the device, press Ctrl+B when prompted, and enter the BIOS password.
      Press CTRL+B to enter BIOS menu:  1

Password:      //Enter the BIOS password.

Info: You are advised to change the password to ensure security.

//The menu content varies according to the actual situation.
        BIOS Menu (Version: 072)

     1. Boot with default mode
     2. Enter serial submenu
     3. Enter startup submenu
     4. Enter ethernet submenu
     5. Enter file system submenu
     6. Modify BOOTROM password
     7. Clear password for console user
     8. Config HigMem to Flash Flag
     9. Reboot
     (Press CTRL+E to enter Diag menu)

Enter your choice(1-9):      //Enter a number to access the corresponding menu.

      To prevent service data loss caused by misoperations, do not modify the configuration in the BIOS menu unless you fully understand the functions and operation impacts of each menu item. If necessary, use the BIOS menu under the guidance of technical support personnel.

Logging In to an AP

Learning About AP Login Modes

You can log in to an AP through a network port. In addition, you can log in to an AP through the management SSID or Bluetooth serial port because the AP supports short-range wireless communication.

Some early AP models provide console ports and allow for login using serial cables.

Table 1-5 AP login modes

Physical Connection Mode

Login Mode

Description

Applicable Models and Versions

Network port

CLI

Connect a PC to a network port on an AP through an Ethernet cable, and log in to the AP through STelnet or Telnet using a command line tool.

All models and versions

Web

Connect a PC to a network port on an AP through an Ethernet cable, and log in to the AP using a web browser.

Fat mode and cloud mode: all Fat and cloud AP models

Fit mode: V200R019C10 or later

CLI (redirection login)

In the AC + Fit AP scenario, you can log in to an online Fit AP from the AC. In the cloud AP scenario, you can log in to an online cloud AP from iMaster NCE-Campus.

All models and versions

Management SSID

CLI

Associate a laptop with the management SSID of an AP, and log in to the AP through STelnet or Telnet using a command line tool.

All models and versions

Web

Associate a laptop with the management SSID of an AP, and log in to the AP using a web browser.

Fat mode and cloud mode: all Fat and cloud AP models

Fit mode: V200R019C10 or later

Bluetooth serial port

CLI

Enable the Bluetooth function on a smartphone and use the Bluetooth serial port tool on the CloudCampus APP to log in to an AP.

All models running V200R019C00 or later that support the Bluetooth function

Console port

CLI

Connect a PC to the console port on an AP through a serial cable, and log in to the AP in serial mode using a command line tool.

All models that provide the console port

Table 1-6 lists the common login modes in different scenarios.

Table 1-6 Recommended login modes in different project phases

Networking Model

Project Phase

Recommended Login Mode

Description

AC + Fit AP

Service configuration

N/A

An AP works in Fit mode before delivery. WLAN services are configured on the AC. Generally, you do not need to log in to the AP.

Routine O&M

N/A

AP O&M can be performed on the AC, without having to log in to the AP.

Fault rectification

Logging In to a Fit AP from the AC

When an AP goes offline, you are advised to check the reason on the AC. To log in to the AP locally, you are advised to perform the following operations in sequence:

  1. Logging In to an AP Directly Through a Network Port
  2. Logging In to an AP Through the Management SSID
  3. Logging In to an AP Through the Bluetooth Serial Port or Logging In to an AP Through the Console Port

Fat AP

Mode switching

Any mode

An AP works in Fit mode before delivery. You can log in to the AP in any mode and then switch to the Fat mode.

Service configuration

Logging In to an AP Through a Network Port

Logging In to an AP Through the Management SSID

Use either of the two login modes.

Routine O&M

Logging In to an AP Through a Network Port

Logging In to an AP Through the Management SSID

Use either of the two login modes.

Fault rectification

Logging In to an AP Through a Network Port

Logging In to an AP Through the Management SSID

If you cannot log in to an AP in either of the two modes, log in through the Bluetooth serial port or console port to rectify the fault.

Cloud AP

Mode switching

Any mode

An AP works in Fit mode before delivery. The DHCP server or registration query center is recommended for switching APs to the cloud mode and configure AP provisioning parameters. In this case, you do not need to log in to the APs.

Service configuration

N/A

You configure cloud AP services on iMaster NCE-Campus, without having to log in to the APs.

Routine O&M

N/A

AP O&M can be performed on iMaster NCE-Campus, without having to log in to the APs. If necessary, you can log in to the AP from iMaster NCE-Campus.

Fault rectification

Logging In to a Cloud AP from iMaster NCE-Campus

If the network port on an AP cannot be connected, you are advised to perform the following operations in sequence:

  1. Logging In to an AP Through the Management SSID
  2. Logging In to an AP Through the Bluetooth Serial Port or Logging In to an AP Through the Console Port
  • The STelnet service (port 22) and HTTPS service (port 443) are enabled on APs before delivery. You can log in to the network port on an AP through STelnet using a command line tool or web browser.
  • The Telnet protocol may bring security risks and is disabled on APs by default. To log in to an AP using Telnet, enable the Telnet service on the AP first. (For Fat APs and cloud APs, run the telnet server enable command. For Fit APs, run the telnet enable command in the AP system view on the AC.)
  • The central AP does not have radio capabilities and therefore allows for the login only through a network port or the console port.
  • In the central AP + RU networking, you can log in to an RU from the central AP. The operations are similar to those for logging in to a Fit AP from the AC in the AC + Fit AP networking.
  • In the leader AP + Fit AP networking, you can log in to a Fit AP from the leader AP. The operations are similar to those for logging in to a Fit AP from the AC in the AC + Fit AP networking.

Logging In to an AP Through a Network Port

Logging In to an AP Directly Through a Network Port

Applicable Scope

Applicable model: all AP models

Applicable AP mode: Fit, Fat, and cloud

Applicable version: all versions

Recommended scenario: service configuration and O&M

Background

By default, the IP address 169.254.1.1 is configured for VLANIF 1 on an AP before delivery, and all network ports on the AP are added to VLAN 1. You can log in to an AP from a PC through a network port. If the IP address of an AP is changed, use the actual IP address of the AP to log in.

The default IP address of an RU is 169.254.1.2, allowing you to log in through a network port.

Cable Connection

Connect a PC to an AP based on the actual power supply mode of the AP.

AP Power Supply and Cable Connection Mode

Connection Diagram

The AP is powered by a DC adapter. The PC is directly connected to a network port on the AP.

The AP is powered by a PoE adapter. The PC is directly connected to the PoE adapter.

The AP is powered by a PoE switch. The PC is directly connected to the switch.

Procedure (CLI)
  1. Connect a PC to a network port on an AP through an Ethernet cable.
  2. On the PC, set the IP address of the network adapter to be in the same network segment as the IP address of the AP, for example, 169.254.1.100/24. Ensure that the PC can ping the IP address of the AP.

    C:\>ping 169.254.1.1      //Ping the IP address of the AP.

Pinging 169.254.1.1 with 32 bytes of data:
Reply from 169.254.1.1: bytes=32 time=1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128
Reply from 169.254.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 169.254.1.1:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, check whether the PC's IP address is correctly set or replace the Ethernet cable.

  3. Open a command line tool (PuTTY as an example), set the connection type to SSH, enter the IP address of the AP, and click Open.

  4. Enter the user name and password, and press Enter.

    login as: admin      //Enter the user name.

admin@169.254.1.1's password:      //Enter the password.

<AP>
    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Procedure (Web)
  1. Connect a PC to a network port on an AP through an Ethernet cable.
  2. Visit 169.254.1.1 using a web browser on the PC.

    If a security certificate alert is displayed, ignore it and continue the access.

  3. Select a language, enter the user name and password, and click Login.

    The following figure shows the web system login page, which may slightly vary depending on actual scenarios.

    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Logging In to a Fit AP from the AC

Applicable Scope

Applicable model: all AP models

Applicable AP mode: Fit

Applicable version: all versions

Recommended scenario: fault diagnosis

Background

To collect logs on a Fit AP during service commissioning, you can log in to the AP CLI from the AC as long as the AP is online.

Cable Connection

Log in to the AC from a PC through an Ethernet cable. Log in to the online Fit AP from the AC.

Procedure
  1. Check the online status, AP name, and AP ID of the AP on the AC.

    <AC> display ap all
...
------------------------------------------------------------------------------------------------------------------------------
ID    MAC            Name           Group    IP              Type                 State  STA  Uptime         ExtraInfo
------------------------------------------------------------------------------------------------------------------------------
...
3     00e0-fcbc-f020 ap-003        default  192.168.166.226 AirEngine8760-X1-PRO nor    40   8D:3H:57M:37S  -
...

    The command output shows that the AP with the MAC address 00E0-FCBC-F020 is online (state: nor), its ID is 3, and its name is ap-003.

  2. Enter the system view on the AC and log in to the Fit AP based on the AP ID.

    <AC> system-view      //Enter the system view.
[AC] stelnet ap ap-id 3      //Log in to the Fit AP using STelnet. The command format is stelnet ap { ap-name ap-name | ap-id ap-id }.
Trying 192.168.166.226 ...
Press CTRL+K to abort
Connected to 192.168.166.226 ...
The server is not authenticated. Continue to access it? [Y/N]:y      //Enter Y.
Save the server's public key? [Y/N]:y      //Enter Y.
The server's public key will be saved with the name 192.168.166.226. Please wait
...
Info: Failed to save the server's public key, because the number of public keys
reached the upper limit (20).
Info: Current mode: Fit (managed by the AC).
  -----------------------------------------------------------------------------

  User last login information:
  -----------------------------------------------------------------------------
  Access Type: SSH
  IP-Address : 192.168.164.64
  Time       : 2021-04-14 14:20:59+08:00
  -----------------------------------------------------------------------------
<ap-003>      //Login successful. The Fit AP user view is displayed.

Logging In to a Cloud AP from iMaster NCE-Campus

Applicable Scope

Applicable model: all cloud AP models

Applicable AP mode: cloud

Applicable version: all versions that support the cloud mode

Recommended scenario: fault diagnosis

Background

You can log in to the CLI of an online cloud AP from iMaster NCE-Campus.

Cable Connection

Procedure
  1. Log in to iMaster NCE-Campus as a tenant administrator.
  2. Choose Design > Site Design > Device Management, click the cloud AP name, and then click Command Line in the upper right corner.

    If the browser blocks pop-ups, click in the right of the address box to allow pop-ups on this page and try again.

    If the following information is displayed, you have successfully logged in to the cloud AP.

    Connecting...

Info: Current mode: Cloud (managed on the Huawei cloud management platform).
Warning: The required power supply mode for the device is 802.3BT90.                
The current power supply is insufficient (Limited), and some functions are limited.
  -----------------------------------------------------------------------------     
  User last login information:     
  -----------------------------------------------------------------------------
  Access Type: SSH      
  IP-Address : 172.16.3.100     
  Time       : 2021-04-15 10:15:12+08:00     
  -----------------------------------------------------------------------------
<AP>

Logging In to an AP Through the Management SSID

Logging In to a Fit AP Through the Management SSID

Applicable Scope

Applicable model: all AP models (except the central AP)

Applicable AP mode: Fit

Applicable version: V200R007C10 or later

Recommended scenario: manual AP mode switching upon the first login and Fit AP fault diagnosis

Background

APs are usually installed at heights to ensure good coverage. If you cannot log in to an AP through a network port due to a fault, associate a laptop with the management SSID and log in to the AP.

The laptop can be associated with the management SSID only within the coverage area of the AP. Therefore, this method is used to log in to the AP to restore services and locate faults when the AP is offline and cannot be logged in through a network port. An AP works in Fit mode before delivery. When a new AP works in Fat or cloud mode, you can log in to the AP through the management SSID to switch its working mode.

  • From V200R007C10, the management SSID is enabled by default after a Fit AP is powered on. After the AP goes online on the AC, the management SSID is disabled and will not be automatically enabled after the AP goes offline.
  • From V200R009C00, the management SSID is automatically enabled after a Fit AP goes offline from the AC.
Table 1-7 Default parameter settings of a Fit AP

Name of the Management SSID

hw_manage_xxxx

xxxx indicates the last 4 digits of the AP's MAC address.

IP Address

AirEngine series: 169.254.2.1

SOHO series:

  • V200R021C10 and later versions: 192.168.254.254
  • V200R007C10 to V200R021C01: 169.254.2.1

Subnet Mask

255.255.255.0
Cable Connection

Procedure (CLI)
  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. Configure an IP address on the laptop.

    Product

    Version

    IP Address Configuration Method

    AirEngine series AP

    V200R021C01 or later

    The laptop can automatically obtain an IP address from the AP.

    V200R019C10 to V200R021C00

    Manually configure an IP address for the wireless network adapter in the same network segment as that of the AP, for example, 169.254.2.100/24.

    SOHO series AP

    V200R021C10 or later

    The DHCP server on the upstream network of the AP assigns an IP address to the laptop. No manual configuration is required.

    V200R021C01

    The laptop can automatically obtain an IP address from the AP.

    Other APs

    (including the AirEngine 5760-10)

    V200R007C10 to V200R019C00

    Manually configure an IP address for the wireless network adapter in the same network segment as that of the AP, for example, 169.254.2.100/24.

  3. Associate the laptop with the management SSID of the target AP.

    A password is required for associating with this SSID. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

  4. Ensure that the laptop can ping the IP address of the AP.

    The following uses 169.254.2.1 as an example.

    C:\>ping 169.254.2.1      //Ping the IP address of the AP.

Pinging 169.254.2.1 with 32 bytes of data:
Reply from 169.254.2.1: bytes=32 time=1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 169.254.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds:
   Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, check whether the IP address of the laptop is correctly configured.

  5. Open a command line tool (PuTTY as an example), set the connection type to SSH, enter the IP address of the AP, and click Open.

  6. Enter the user name and password, and press Enter.

    login as: admin      //Enter the user name.

admin@169.254.2.1's password:      //Enter the password.

<AP>
    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Procedure (Web)
  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. Configure an IP address on the laptop.

    Product

    Version

    IP Address Configuration Method

    AirEngine series AP

    V200R021C01 or later

    The laptop can automatically obtain an IP address from the AP.

    V200R019C10 to V200R021C00

    Manually configure an IP address for the wireless network adapter in the same network segment as that of the AP, for example, 169.254.2.100/24.

    SOHO series AP

    V200R021C10 or later

    The DHCP server on the upstream network of the AP assigns an IP address to the laptop. No manual configuration is required.

    V200R021C01

    The laptop can automatically obtain an IP address from the AP.

    Other APs

    (including the AirEngine 5760-10)

    V200R007C10 to V200R019C00

    Manually configure an IP address for the wireless network adapter in the same network segment as that of the AP, for example, 169.254.2.100/24.

  3. Associate the laptop with the management SSID of the target AP.

    A password is required for associating with this SSID. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

  4. Visit the AP's IP address using a web browser on the laptop.

    If a security certificate alert is displayed, ignore it and continue the access.

  5. Select a language, enter the user name and password, and click Login.

    The following figure shows the web system login page, which may slightly vary depending on actual scenarios.

    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Logging In to a Fat AP Through the Management SSID

Applicable Scope

Applicable model: all AP models (except the central AP)

Applicable AP mode: Fat

Applicable version: V200R008C10 or later

Recommended scenario: service configuration and O&M for Fat APs

Background

APs are usually installed at heights to ensure good coverage. If you cannot log in to an AP through a network port due to a fault, associate a laptop with the management SSID and log in to the AP.

From V200R008C10, the management SSID is enabled by default after a Fat AP is powered on. After associating a laptop with the management SSID, you can log in to the Fat AP through the CLI or web system.

Table 1-8 Default parameter settings of a Fat AP

Name of the Management SSID

V200R019C00 or earlier: HUAWEI-xxxx

V200R019C10 or later: HUAWEI-LeaderAP-xxxx

xxxx indicates the last 4 digits of the AP's MAC address.

IP Address

V200R021C00 and earlier versions: 192.168.1.1

V200R021C01 and later versions: 169.254.2.1

Subnet Mask

255.255.255.0
Cable Connection

Procedure (CLI)
  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. On a laptop, configure DHCP IP address allocation for the wireless network adapter.

    By default, DHCP IP address allocation is used by a wireless network adapter to obtain an IP address.

  3. Associate the laptop with the management SSID of the target AP.

    No password is required for associating with this SSID.

  4. Ensure that the laptop can ping the IP address of the AP.

    The following uses 192.168.1.1 as an example.

    C:\>ping 192.168.1.1      //Ping the IP address of the AP.

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds: 
   Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, check whether the laptop obtains an IP address in the 192.168.1.x network segment.

  5. Open a command line tool (PuTTY as an example), set the connection type to SSH, enter the IP address of the AP, and click Open.

  6. Enter the user name and password, and press Enter.

    login as: admin      //Enter the user name.

admin@192.168.1.1's password:      //Enter the password.

<AP>
    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Procedure (Web)
  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. On a laptop, configure DHCP IP address allocation for the wireless network adapter.

    By default, DHCP IP address allocation is used by a wireless network adapter to obtain an IP address.

  3. Associate the laptop with the management SSID of the target AP.

    No password is required for associating with this SSID.

  4. Ensure that the laptop can ping the IP address of the AP.

    The following uses 192.168.1.1 as an example.

    C:\>ping 192.168.1.1      //Ping the IP address of the AP.

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds: 
   Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, check whether the laptop obtains an IP address in the 192.168.1.x network segment.

  5. Visit the AP's IP address using a web browser on the laptop.

    If a security certificate alert is displayed, ignore it and continue the access.

  6. Select a language, enter the user name and password, and click Login.

    The following figure shows the web system login page, which may slightly vary depending on actual scenarios.

    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Logging In to a Cloud AP Through the Management SSID

Applicable Scope

Applicable model: all AP models (except the central AP)

Applicable AP mode: cloud

Applicable version: V200R007C20 or later

Recommended scenario: troubleshooting for unexpected disconnection issues of cloud APs

Background

APs are usually installed at heights to ensure good coverage. If you cannot log in to an AP through a network port due to a fault, associate a laptop with the management SSID and log in to the AP.

From V200R007C20, the management SSID is enabled by default after a cloud AP is powered on. After associating a laptop with the management SSID near the AP, you can log in to the AP for management.

The laptop can be associated with the management SSID only within the coverage area of the AP. Therefore, this method is used to log in to the AP to restore services and locate faults when the AP is offline and cannot be logged in through a network port.

Table 1-9 Default parameter settings of a cloud AP

Name of the Management SSID

hw_manage_xxxx

xxxx indicates the last 4 digits of the AP's MAC address.

IP Address

169.254.2.1

Subnet Mask

255.255.255.0
Cable Connection

Procedure (CLI)
  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. On a laptop, set the IP address of the wireless network adapter to be in the 169.254.2.x network segment, for example, 169.254.2.100/24.
  3. Associate the laptop with the management SSID of the target AP.

    A password is required for associating with this SSID. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

  4. Ensure that the laptop can ping the IP address of the AP.

    C:\>ping 169.254.2.1      //Ping the IP address of the AP.

Pinging 169.254.2.1 with 32 bytes of data:
Reply from 169.254.2.1: bytes=32 time=1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 169.254.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds: 
   Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, check whether the IP address of the laptop is correctly configured.

  5. Open a command line tool (PuTTY as an example), set the connection type to SSH, enter the IP address of the AP, and click Open.

  6. Enter the user name and password, and press Enter.

    login as: admin      //Enter the user name.

admin@169.254.2.1's password:      //Enter the password.

<Huawei>
    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

    After the login is successful, the user view is displayed by default. To enter the system view, run the system-view command.

    <Huawei> system-view
[Huawei]

Procedure (Web)
  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. On a laptop, set the IP address of the wireless network adapter to be in the 169.254.2.x network segment, for example, 169.254.2.100/24.
  3. Associate the laptop with the management SSID of the target AP.

    A password is required for associating with this SSID. The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

  4. Ensure that the laptop can ping the IP address of the AP.

    C:\>ping 169.254.2.1      //Ping the IP address of the AP.

Pinging 169.254.2.1 with 32 bytes of data:
Reply from 169.254.2.1: bytes=32 time=1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128
Reply from 169.254.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 169.254.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss);
Approximate round trip times in milli-seconds: 
   Minimum = 0ms, Maximum = 1ms, Average = 0ms

    If the ping operation fails, check whether the IP address of the laptop is correctly configured.

  5. Visit the AP's IP address using a web browser on the laptop.

    If a security certificate alert is displayed, ignore it and continue the access.

  6. Select a language, enter the user name and password, and click Login.

    The following figure shows the web system login page, which may slightly vary depending on actual scenarios.

    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Logging In to an AP Through the Bluetooth Serial Port

Applicable Scope

Applicable model: all AP models that support the Bluetooth function

Applicable AP mode: Fit, Fat, and cloud

Applicable version: V200R019C00 or later

Recommended scenario: failure to log in through a network port or the management SSID, and access to the BIOS menu

Background

APs are usually installed at heights to ensure good coverage. If you cannot log in to an AP through a network port or the management SSID due to a fault, use the CloudCampus APP to log in to the AP through the Bluetooth serial port near the AP to restore services.

Use a smartphone to scan the following QR code to download and install the CloudCampus APP.

Cable Connection

Procedure

  1. Check the MAC address of the target AP.

    To obtain the MAC address of the target AP, see FAQ: How Can I Obtain the MAC Address of an AP?.

  2. Start the CloudCampus APP. Choose Tool > Bluetooth Serial Port.

    If any application requests to enable Bluetooth, touch ALLOW.

  3. In the AP list, locate the target AP based on the last 4 digits of the AP's MAC address (F020 as an example here). Touch Connect.

    If the system prompts you to enter the pairing code, enter 123456.

  4. When Successful connection is displayed, the smartphone has been associated with the AP successfully. Touch Enter. Enter the user name and password as prompted. The CLI screen is displayed.

    • In V200R020C10 and earlier versions, to ensure system security, change the password immediately after you use the default account to log in to the system for the first time.

      The default username and password are available in WLAN Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.

    • In V200R021C00 and later versions, there is no default account. Upon the first login, you need to create an account as prompted.

Logging In to an AP Through the Console Port

Applicable Scope

Applicable model: all AP models that provide the console port

Applicable AP mode: Fit, Fat, and cloud

Applicable version: all versions

Background

If you cannot log in to an AP through a network port after the AP is powered on, you can log in through the console port to rectify faults and restore services.

Figure 1-1 shows the console port silkscreen on an AP.
Figure 1-1 Console port on an AP

Cable Connection

Procedure

  1. Connect a PC to the console port on an AP using a serial cable.
  2. Open a command line tool (PuTTY as an example), set the connection type to Serial, set Serial line to COM1, and click Open.

    The PC may have multiple connection ports. Set Serial line to the port to which the console cable is connected. In most cases, the port COM1 is used. Ensure that the COM port supports Serial Port and is identified in the device manager.

  3. Complete the login authentication as prompted and enter the CLI view.

    • If the device has started up, enter authentication information as prompted and press Enter.

      To ensure system security, change the password as prompted upon the first login.

      Login authentication

Username:admin      //Enter the user name.
Password:           //Enter the password.
Info: Change the password to ensure security.

      To log in to an AP running an earlier version through the console port for the first time, you need to set a login password and then use the new password to log in to the AP.

      Please configure the login password:           //Enter the password.
Info: A plain text password is a string of 8 to 16 case-sensitive characters and must be a combination of at least two of the following: uppercase letters A to Z, lowercase letters a to z, digits, and special characters. A cipher text password contains 56 or 68 characters.
Enter password:           //Enter a new password.
Confirm password:           //Enter the new password again.
    • To enter the BIOS menu of an AP, restart the device, press Ctrl+B when prompted, and enter the BIOS password.
      Press CTRL+B to enter BOOT menu: 0

Password:      //Enter the BIOS password.

//The menu content varies according to the actual situation.
        Main Menu

    1. Default startup
    2. Serial submenu
    3. Ethernet submenu
    4. Startup parameters submenu
    5. List file
    6. Password manager submenu
    7. Restore factory defaults
    8. Reboot

Enter your choice(1-8):      //Enter a number to access the corresponding menu.

      To prevent service data loss caused by misoperations, do not modify the configuration in the BIOS menu unless you fully understand the functions and operation impacts of each menu item. If necessary, use the BIOS menu under the guidance of technical support personnel.

Common Causes and Troubleshooting Methods for Login Failures

Common causes for login failures include the network disconnection, disabled service, access policy blocking, and insufficient account permission. The following table lists typical troubleshooting cases.

Symptom

Troubleshooting Case

Failed to ping the IP address of the device.

Login Failure Due to Network Disconnection

Login Failure Due to Management Plane Isolation

The IP address of the device can be pinged, but the login page cannot be displayed.

Login Failure Because Services Are Not Enabled

Login Failure Due to ACL Policy Blocking

Login Failure Due to Incorrect Configurations of Service Source Interfaces

Login Failure Because Service Ports Are Blocked by a Firewall

The login page can be displayed, but the login fails.

Login Failure Due to Account Lockout

Login Failure Due to Insufficient Account Permission

Login Failure Because the Number of Concurrent Login Sessions Using an Account Reaches the Upper Limit

For more fault locating methods, see the following topics in the Maintenance Guide:

Troubleshooting: SSH Login Fails or Login Fails Through Telnet

Troubleshooting: Web Login Fails

Login Failure Due to Network Disconnection

Symptom

Failed to ping the IP address of a device.

Involved Products

AC and AP

Login Mode

  • Network port
  • Management SSID

Possible Causes

  • The network cable is loose or the management SSID fails to be associated.
  • The IP address of the STA is incorrect.

Troubleshooting Procedure

  1. Check whether the physical connection between the STA and the device is correct.

    • In network port login mode, check whether the network cable is loose.
    • In management SSID login mode, check whether the association is successful.

  2. Check whether the IP address of the network port on the STA is in the same network segment as the IP address of the device.

    If the STA associates with a Fat AP through the management SSID, check whether the wireless network adapter of the STA can obtain a correct IP address.

Login Failure Due to Management Plane Isolation

Symptom

The IP address of the device cannot be pinged.

Involved Products

AC

Login Mode

Network port

Possible Causes

Management plane isolation is configured, and the login through service network ports is not allowed.

Troubleshooting Procedure

  1. Log in to the device through the console port.
  2. Disable the management plane isolation function.

    • If an AC has a management network port, you can log in through the management network port.
      By default, an AC with a management network port does not allow for the login through a service network port. To enable the login to the AC through service network ports, cancel this restriction by referring to methods described in the following table.

      Method for Allowing the Login Through Service Network Ports

      Description

      Method 1: Configure a service network port as the management network port.

      Run the management-interface command on the VLANIF interface corresponding to the service network port. A maximum of four VLANIF interfaces can be configured as management network ports.

      Method 2: Disable the management plane isolation function globally.

      Run the mgmt isolate disable command in the system view to disable management plane isolation globally to allow users to log in to the device through all service network ports. Considering potential security risks, this method is not recommended.
    • If an AC does not have a management network port, you can log in to it only through a service network port.
      By default, an AC without a management network port allows for the login through service network ports. You can configure the VLANIF interface to which the target network port belongs as the management network port to restrict the login from other network ports, improving security.

      Method for Allowing the Login Through Service Network Ports

      Description

      Method 1: Cancel the configurations of all management network ports.

      Run the display current-configuration command to check the configuration file and delete all management-interface configurations. This condition is naturally met on an AC with factory defaults.

      Method 2: Configure the target service network port as the management network port.

      If the management-interface command is configured on a VLANIF interface, other VLANIF interfaces without this configuration cannot be used to log in to the device. Run the management-interface command on the VLANIF interface corresponding to the target service network port to log in to the AC. A maximum of four VLANIF interfaces can be configured as management network ports.

Login Failure Because Services Are Not Enabled

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

  • Network port
  • Management SSID

Possible Causes

Services are not enabled.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. Check whether services are enabled and perform corresponding operations.

    • To log in to the device through STelnet, ensure that the STelnet service has been enabled on the device.
      <Huawei> display ssh server status
...
 Stelnet server       :Enable  //Enable indicates that the STelnet service is enabled.
...

      Product

      How to Start the STelnet Service

      AC

      stelnet server enable (system view)

      Fat AP

      Cloud AP

      Fit AP

      undo stelnet server disable (AP system profile view) on the AC
    • To log in to the device through Telnet, check whether the Telnet service is enabled.
      <Huawei> display telnet server status
 TELNET IPV4 server   :Enable //Enable indicates that the Telnet service (IPv4) is enabled.
 TELNET IPV6 server   :Enable //Enable indicates that the Telnet service (IPv6) is enabled.
...

      Product

      How to Enable the Telnet Service

      AC

      telnet [ ipv6 ] server enable (system view)

      Fat AP

      telnet server enable (system view)

      Cloud AP

      Fit AP

      telnet enable (AP system profile view) on the AC
    • To log in to the device using a web browser, check whether the HTTPS/HTTP service is enabled.
      <Huawei> display http server
  HTTP server status    : Enabled  (default: enable)  //Enabled indicates that the HTTP service is enabled.
...
  HTTPS server status   : Enabled  (default: enable)  //Enabled indicates that the HTTPS service is enabled.
...

      Product

      How to Enable the HTTP/HTTPS Service

      AC

      http server enable (system view)

      http secure-server enable (system view)

      Fat AP

      Cloud AP

      Fit AP

      This function is enabled by default and cannot be disabled.

Login Failure Due to ACL Policy Blocking

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

  • Network port
  • Management SSID

Possible Causes

The login protocol or IP address of the STA is blocked by an existing policy.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. View the VTY configuration to check whether an ACL policy that restricts access exists or whether the specified protocol can be used for the login.

    <AC> system-view
[AC] user-interface vty 0 4
[AC-ui-vty0-4] display this
...
user-interface vty 0 4
 acl 3000 inbound        //Run the display acl 3000 command to check whether ACL 3000 is used to restrict access to the device.
 authentication-mode aaa
 protocol inbound ssh    //If the specified login protocol is not included, run the protocol inbound { all | ssh | telnet } command to enable it.
...
[AC-ui-vty0-4] display acl 3000      //Display the configuration of ACL 3000.
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit tcp destination 169.254.1.1 0   //This rule permits only the access to the destination address 169.254.1.1.
rule 6 deny tcp source-port eq 22             //This rule denies the access to the destination port 22.

    Assume that you need to log in to the device with the IP address of 192.168.1.1 from the PC with the IP address of 192.168.1.100 through STelnet (port number: 22). To ensure successful login, ensure that ACL rules on the user interface allow for the assumed access.

    [AC-ui-vty0-4] quit
[AC] acl 3000
[AC-acl-adv-3000] undo rule 5
[AC-acl-adv-3000] rule permit tcp source 192.168.1.100 0  //Permit the TCP access from the source IP address 192.168.1.100.
[AC-acl-adv-3000] rule permit tcp source-port eq 22       //Permit the TCP access from the source port 22.
[AC-acl-adv-3000] rule permit tcp destination 192.168.1.1 0  //Permit the TCP access to the destination IP address 192.168.1.1.
[AC-acl-adv-3000] rule permit tcp destination-port eq 22      //Permit the TCP access to the destination port 22.

Login Failure Due to Incorrect Configurations of Service Source Interfaces

Symptom

The IP address of the device can be pinged, but the login page cannot be displayed.

Involved Products

AC and AP

Login Mode

Network port

Possible Causes

The service source interface configuration is inconsistent with the actual connection.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. Check whether the STelnet, Telnet, HTTPS, and HTTP source interface configurations are consistent with the physical connections.

    To prevent unauthorized logins, the AC and AP provide the source interface-based login mechanism. Only terminals with the specified source interfaces can log in to the device. To log in to the device through a physical network port, ensure that this port is within the range allowed by the policy. By default, all physical network ports can be used to log in to the device.

    From V200R019C10, login security is further improved on the AC and Fat AP. The Layer 3 interface to which a network port belongs must be within the range allowed by the policy. For a device with a management network port (such as the AC6805), its management network is used as the Layer 3 source interface by default. For a device without a management network port (such as the AC6508), VLANIF 1 is used as the Layer 3 source interface by default.

    • To log in to the device using STelnet, check whether the STelnet source interface configuration is consistent with the physical connection.
      <Huawei> display current-configuration | include ssh server permit interface
ssh server permit interface GigabitEthernet0/0/4  //Physical network ports that are not displayed cannot be used for logging in to the device through STelnet. If this line is not displayed, any physical network ports can be used for the login.
<Huawei> display ssh server status
...
 SSH server source interface         :Vlanif1     //The Layer 3 source interface of the STelnet server is VLANIF 1.

      The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device through STelnet. To use STelnet to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the STelnet source interface configuration as follows:

      <Huawei> system-view
[Huawei] ssh server permit interface GigabitEthernet 0/0/2
[Huawei] ssh server-source -i vlanif 100
Warning: This operation will lead to connection interruptions. Continue? [Y/N]y
    • To log in to the device using Telnet, check whether the Telnet source interface configuration is consistent with the physical connection.
      <Huawei> display current-configuration | include telnet server permit interface
telnet server permit interface GigabitEthernet0/0/4  //Physical network ports that are not displayed cannot be used for logging in to the device through Telnet. If this line is not displayed, any physical network ports can be used for the login.
<Huawei> display telnet server status
...
 TELNET server source interface      :Vlanif1     //The Layer 3 source interface of the Telnet server is VLANIF 1.

      The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device through Telnet. To use Telnet to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the Telnet source interface configuration as follows:

      <Huawei> system-view
[Huawei] telnet server permit interface GigabitEthernet 0/0/2
[Huawei] telnet server-source -i vlanif 100
Warning: This operation will lead to connection interruptions. Continue? [Y/N]y
    • To log in to the device using a web browser, check whether the HTTP/HTTPS source interface configuration is consistent with the physical connection.
      <Huawei> display http server
...
  HTTP server permit interface : GigabitEthernet0/0/4   //The physical source interface of the HTTP/HTTPS server is GigabitEthernet0/0/4.
  HTTPS server source interface: Vlanif1                //The Layer 3 source interface of the HTTP/HTTPS server is VLANIF 1.

      The preceding command output shows that only GigabitEthernet0/0/4 and VLANIF 1 can be used for logging in to the device using a web browser. To use a web browser to log in to the device through GigabitEthernet0/0/2 with the PVID of VLAN 100, modify the HTTP/HTTPS source interface configuration as follows:

      <Huawei> system-view
[Huawei] http server permit interface GigabitEthernet 0/0/2
Warning: This operation may affect the built-in Portal authentication and Portal escape function. Continue? (y/n)[n]:y
[Huawei] http secure-server server-source -i vlanif 100
Warning: This operation will lead to connection interruptions.Continue? [Y/N]y

Login Failure Because Service Ports Are Blocked by a Firewall

Symptom

The login page cannot be opened, but the device IP address can be pinged.

Involved Products

AC and AP

Login Mode

Network port

Possible Causes

Service ports are blocked by a firewall.

Troubleshooting Procedure

  1. Log in to the device through the Bluetooth serial port or console port.
  2. If a firewall exists between the PC and the device, check the firewall security policy and ensure that service ports are enabled.

    To log in to the device through STelnet from the PC, ensure that the firewall security policy allows for TCP port 22-based communication between the source and destination IP addresses.

    Communication Protocol

    Basic Protocol

    Common Port

    STelnet

    TCP

    22

    Telnet

    TCP

    23

    HTTPS

    TCP

    443

    HTTP

    TCP

    80

Login Failure Due to Account Lockout

Symptom

A login failure message is displayed.

Involved Products

AC, Fat AP, and cloud AP

Login Mode

  • Network port
  • Management SSID
  • Bluetooth serial port
  • Console port

Possible Causes

  • The account is locked because the number of consecutive login failures exceeds the threshold.
  • The account is manually locked.

Troubleshooting Procedure

Assume that this problem occurs when you log in to the device using the account user01.

  1. Log in to the device using another account or method.
  2. Query the status of the account that fails to log in.

    <Huawei> display local-user username user01
...
  State                : block    //Account state. active indicates that the account is activated, and block indicates that the account is locked.
...

    If the value of State is block, the account is locked. Run the following commands to activate the account:

    <Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user01 state active

Login Failure Due to Insufficient Account Permission

Symptom

A login failure message is displayed.

Involved Products

AC, Fat AP, and cloud AP

Login Mode

  • Network port
  • Management SSID
  • Bluetooth serial port
  • Console port

Possible Causes

The local account does not support the access type.

Troubleshooting Procedure

Assume that this problem occurs when the account user01 is used to log in to the device through a web browser.

  1. Log in to the device using another account or method.
  2. Query the access types supported by the account that fails to log in.

    <Huawei> display local-user username user01
...
  Service-type-mask    : TS     //Access type. Common access types include A (all types), T (Telnet), S (STelnet), H (HTTP), and M (Console).
...

    If Service-type-mask does not contain the specified access type, add the access type as required.

    <Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user01 service-type http

    The common command format is local-user username service-type { ssh | telnet | http | terminal }, where terminal indicates the console login mode.

Login Failure Because the Number of Concurrent Login Sessions Using an Account Reaches the Upper Limit

Symptom

A login failure message is displayed.

Involved Products

AC, Fat AP, and cloud AP

Login Mode

  • Network port
  • Management SSID
  • Bluetooth serial port
  • Console port

Possible Causes

The number of concurrent logins reaches the upper limit.

Troubleshooting Procedure

Assume that this problem occurs when you log in to the device using the account user01.

  1. Log in to the device using another account or method.
  2. Query detailed information about the account that fails to log in, and then handle the problem accordingly.

    <Huawei> display local-user username user01
...
  Access-limit         : Yes    //Whether to limit the number of access accounts.
  Access-limit-max     : 3    //Maximum number of access accounts.
  Accessed-num         : 3    //Current number of access accounts.
...

    If the value of Access-limit is Yes, the number of access sessions using an account is limited. When the number of access sessions using an account reaches the upper limit, the account cannot be used to log in to new sessions.

    You can run the following commands to change the maximum number of sessions allowed for an account so that the account can be used to log in to more sessions.

    <Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user user01 access-limit 4

FAQ: How Do I Know Whether an AP Supports Bluetooth?

  • Method 1: Visit Info-Finder and search for the model or part number of the target AP. You can check whether the AP supports Bluetooth through the specification item BLE. If the corresponding specification item cannot be found, the AP does not support the Bluetooth function.
  • Method 2: Search WLAN Product Description for the target AP model. If Bluetooth is found in the "Product Characteristics" section, the AP supports Bluetooth.

FAQ: How Can I Obtain the MAC Address of an AP?

If an AP is not fixed to the installation position, check the MAC address on the nameplate on the rear of the AP. You can also view the MAC address of the AP on the SN/MAC label delivered with the AP.

If the AP has been installed and powered on, you can obtain its MAC address of the AP in either of the following ways:

Querying an AP's MAC Address by AP ID or AP Name

In the AC + Fit AP, leader AP + Fit AP, or Fat central AP + RU networking, you can query an AP's MAC address based on the AP ID or AP name on the AC, leader AP, or Fat central AP, respectively.

In the following example, an AP's MAC address can be obtained based on the ID or name.

<Huawei> display ap all
...
------------------------------------------------------------------------------------------------------------------------------
ID    MAC            Name           Group    IP              Type                 State  STA  Uptime         ExtraInfo
------------------------------------------------------------------------------------------------------------------------------
...
3     00e0-fcbc-f020 ap-003        default  192.168.166.226 AirEngine8760-X1-PRO nor    40   8D:3H:57M:37S  -
...

In the cloud AP networking, you can view the MAC address of a cloud AP on the device management page of iMaster NCE-Campus.

Querying an AP's MAC Address Based on the Signal Strength

If few interference sources exist around the target AP, use the Find AP function of the CloudCampus APP to obtain its MAC address based on the signal strength near the target AP.

  1. Start the CloudCampus APP on the smartphone and choose Tool > Find AP.

  2. Find the AP with the strongest signal strength and check its MAC address.

    • Searching for APs by SSID signal strength

      Touch the device with the top signal strength in the Wi-Fi list. If the signal strength corresponds to multiple devices, touch the top device.

      The MAC address (as shown in the red box in the following figure) displayed on the Details screen is the MAC address of the target AP.

    • Searching for APs by Bluetooth signal strength

      Touch the Bluetooth List tab. If any application requests to enable Bluetooth, touch ALLOW.

      The name (as shown in the red box in the following figure) with the top Bluetooth signal strength is the MAC address of the target AP.

  3. Trigger indicator blinking by MAC address. Observe the indicator on the target AP and verify that the MAC address obtained in step 2 is that of the target AP.

    After the indicator blinking function is triggered, the indicator of the target AP blinks red or orange and green alternatively within a short period of time. If the indicator of the target AP does not blink, strong interference may exist around the AP. In this case, repeat step 2 to find the MAC address with the second strongest signal strength and try again.

    Product

    How to Blink Indicators

    Fit AP

    Run the led blink-time blink-time ap-mac ap-mac command on the AC.

    Log in to the Fit AP and run the led blink-time blink-time command.

    Fat AP

    (V200R019C00 or earlier) Run the led blink-time blink-time command on the Fat AP.

    (V200R019C10 or later) Run the led blink-time blink-time ap-mac ap-mac command on the Fat AP.

    Cloud AP

    On the device management page of iMaster NCE-Campus, find the device based on the MAC address, view the device details, and click Blink.

FAQ: What Can I Do If an AP Fails to Detect Surrounding Bluetooth Signals and the Management SSID?

For Fit APs and cloud APs, the Bluetooth serial port and management SSID functions are automatically disabled after APs go online by default. When an AP goes offline, the Bluetooth serial port and management SSID functions are enabled again.

You can run the console ble-mode persistent command on the AC or leader AP to configure the Bluetooth serial port function of the target Fit AP to be always enabled.

FAQ: Why Does the Login to a Cloud AP Using the Original Account and Password Fail After the Cloud AP Goes Online on iMaster NCE-Campus?

The local account and password configurations of cloud APs take effect only before the cloud APs go online. After the APs go online, iMaster NCE-Campus delivers new device login accounts to them. Therefore, if a cloud AP successfully goes online on iMaster NCE-Campus, the account and password delivered by iMaster NCE-Campus are effective for you to log in to the cloud AP.

FAQ: What Can I Do If I Forget the Login Password?

If you forget the password, take measures by referring to the Troubleshooting WLAN Password Issues.

Translation
简体中文
Download
Updated: 2023-03-28

Document ID: EDOC1100197507

Views: 16364

Downloads: 555

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Digital Signature File

Digital Signature Authentication Mode
Share
Previous Next

Copyright © 2023 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :