On the live network, the X1E card on the S12708 running V200R009C00SPC500 is used as the AC, and the Agile Controller V100R003C30 is used to provide the portal authentication service. The switch and Agile Controller have been configured following the instruction in "Example for Configuring Unified Access for Wired and Wireless Users" in the S12700 product documentation. The configuration is as follows:
authentication-profile name portal ---------Creates an account and password authentication profile named portal.
mac-access-profile acc_mac --------Invokes the MAC access profile named acc_mac.
portal-access-profile portal --------Invokes the portal access profile named portal.
free-rule-template default_free_rule --------Invokes the authentication-free rule profile named default_free_rule.
access-domain portal force
radius-server template policy ------Creates a RADIUS server template named policy.
radius-server shared-key cipher xxx ------Shared key of a RADIUS server (key: xxxxx)
radius-server authentication X.X.X.X 1812 source ip-address X.X.X.X weight 80 ------Configures a RADIUS authentication server, specifying the IP address of the server and the source IP address of RADIUS packets.
radius-server accounting X.X.X.X 1813 source ip-address X.X.X.X weight 80 ------Configures a RADIUS accounting server, specifying the IP address of the server and the source IP address of RADIUS packets.
undo radius-server user-name domain-included ------Configures a device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.
radius-server authorization X.X.X.X shared-key cipher xxx -----Configures a RADIUS authorization server, specifying the IP address and shard key of the server.
acl number 3001 -------Network resources that can be accessed in the post-authentication domain.
rule 100 permit ip
free-rule-template name default_free_rule -------Configures an authentication-free rule profile named default_free_rule.
free-rule acl 6000 -------Creates an ACL.
free-rule 1 destination ip x.x.x.x mask 255.255.255.255 -------Permits the IP address of the authentication server.
free-rule 2 destination ip x.x.x.x mask 255.255.255.255 -------Permits the IP address of the DNS server.
web-auth-server portal -------Web authentication server template named portal
server-ip x.x.x.x -------Server IP address
port 50200 -------Server port number for communication
shared-key cipher xxx ------Communication key xxxxx
url http://x.x.x.x:8080/portal ------Pushed URL address: http://Authentication server IP:8080/portal
url-template weixin ------Invokes the URL template named weixin.
source-ip x.x.x.x ------Source IP address used to communication with the authentication server
server-detect interval 100 max-times 5 critical-num 1 action log ------Portal server detection and escape function
portal-access-profile name portal -------Portal access profile named portal
authentication event portal-server-down action authorize service-scheme taosheng-91 -------Invokes the escape service template taosheng-91 when the authentication server is down.
authentication event portal-server-up action re-authen -------Enables a device to re-authenticate users, protecting account validity.
web-auth-server portal direct -------Invokes the Web authentication server template portal, specifying the direct connection mode. (The direct connection mode applies when the terminal and AC can communicate at Layer 2).
accounting realtime 15 ------Accounting time, which is the same as that on the authentication server
service-scheme taosheng-91 -------Escape service template in VLAN 91
domain portal -------User domain named portal
authentication-scheme radius -------Invokes the RADIUS authentication profile named radius.
accounting-scheme radius -------Invokes the RADIUS accounting profile named radius.
radius-server policy -------Invokes the RADIUS server template named policy.
local-user admin password irreversible-cipher xxx
local-user admin privilege level 15
local-user admin ftp-directory flash:\
local-user admin service-type telnet terminal ftp http
vap-profile name 91 -------VAP profile named 91 for account and password authentication
service-vlan vlan-id 91
authentication-profile portal -------Invokes the authentication profile portal in the VAP
After the related parameters are configured on the Agile Controller, use the mobile phone to perform the association test. The test shows that when some Android phones use the built-in browser to access the wireless network, the portal authentication page is displayed automatically. The portal authentication page is not displayed when other Android phones or iPhones access the wireless network.
Check whether the portal authentication service is normal. Use the Android phones to access the wireless network and then manually enter the portal authentication page URL http://x.x.x.x:8080/portal in the address box of the browser. The portal authentication page can be properly displayed on all the Android phones, which means that the authentication server is working properly.
Use the Android phones to associate with the wireless network multiple times. In the built-in browser, click other applications to check whether the problem is caused by the browser cache. After the browser cache is cleared, the portal authentication page can still be displayed on the browser of some Android phones. The other Android phones can jump to the portal authentication page from non-HTTPS pages, but cannot jump to the portal authentication page from HTTPS pages. The authentication server may have restrictions on the browser displaying HTTPS pages. Therefore, check the Agile Controller settings on the switch and check the configuration example in the product documentation. The comparison result shows that no problem is found.
Run the display current command to check the native AC configuration. The undo portal https-redirect enable command is found configured in the system view. The problem may be caused by this configuration. Change to command to portal https-redirect enable, and run a command to re-deliver the WLAN configuration. Test again, and it is found that the browser can jump to the portal authentication page from HTTPS pages.
Check the command in the product documentation. It is found that the portal https-redirect enable command is configured by default in this version. After communication with the agent, it is found that the agent's engineers have modified the configuration but this problem persists. So they contact the vendor to handle the problem. They may have disabled the function during the configuration modification.
The HTTPS redirection function for Portal authentication is not enabled on the native AC. As a result, the browser cannot jump to the portal authentication page from HTTPS pages.
Enable HTTPS redirection function (portal https-redirect enable) for Portal authentication globally.
It is recommended that when processing a network problem reported by a customer, ask the customer to provide their processing information, original configuration, and modified configuration. If the information cannot be provided, configure the device following the configuration example in the product documentation. For the connection problems, you are advised to use the step-by-step troubleshooting method to locate the fault.