Portal Authentication Page Cannot Be Displayed in Some Browsers After Portal Authentication Is Deployed on the Native AC of the S12708 Connected to the Agile Controller

Publication Date: 2019-07-17

Issue Description

On the live network, the X1E card on the S12708 running V200R009C00SPC500 is used as the AC, and the Agile Controller V100R003C30 provides the portal authentication service. The switch and Agile Controller have been configured following the instructions in "Example for Configuring Unified Access for Wired and Wireless Users" in the S12700 product documentation. The configuration is as follows:

#

authentication-profile name portal    ---------Creates an account and password authentication profile named portal.

mac-access-profile acc_mac            --------Invokes the MAC access profile named acc_mac.

portal-access-profile portal          --------Invokes the portal access profile named portal.

free-rule-template default_free_rule  --------Invokes the authentication-free rule profile named default_free_rule.

access-domain portal force 

#

radius-server template policy         ------Creates a RADIUS server template named policy.

radius-server shared-key cipher xxx    ------Shared key of a RADIUS server (key: xxxxx)

radius-server authentication X.X.X.X 1812 source ip-address X.X.X.X weight 80       ------Configures a RADIUS authentication server, specifying the IP address of the server and the source IP address of RADIUS packets.

radius-server accounting X.X.X.X 1813 source ip-address X.X.X.X weight 80           ------Configures a RADIUS accounting server, specifying the IP address of the server and the source IP address of RADIUS packets.

undo radius-server user-name domain-included         ------Configures a device not to encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS server.

radius-server authorization X.X.X.X shared-key cipher xxx     -----Configures a RADIUS authorization server, specifying the IP address and shared key of the server.

#

acl number 3001        -------Network resources that can be accessed in the post-authentication domain.             

rule 100 permit ip   

#

free-rule-template name default_free_rule                -------Configures an authentication-free rule profile named default_free_rule.

free-rule acl 6000                                       -------Creates an ACL.

free-rule 1 destination ip x.x.x.x mask 255.255.255.255  -------Permits the IP address of the authentication server.

free-rule 2 destination ip x.x.x.x mask 255.255.255.255  -------Permits the IP address of the DNS server.

#

web-auth-server portal    -------Web authentication server template named portal

server-ip x.x.x.x         -------Server IP address

port 50200                -------Server port number for communication

shared-key cipher xxx   ------Communication key xxxxx

url http://x.x.x.x:8080/portal           ------Pushed URL address: http://Authentication server IP:8080/portal

url-template weixin                       ------Invokes the URL template named weixin.

source-ip x.x.x.x                         ------Source IP address used to communicate with the authentication server

server-detect interval 100 max-times 5 critical-num 1 action log  ------Portal server detection and escape function

#

portal-access-profile name portal       -------Portal access profile named portal

authentication event portal-server-down action authorize service-scheme taosheng-91    -------Invokes the escape service template taosheng-91 when the authentication server is down.

authentication event portal-server-up action re-authen     -------Enables a device to re-authenticate users, protecting account validity.

web-auth-server portal direct                              -------Invokes the Web authentication server template portal, specifying the direct connection mode. (The direct connection mode applies when the terminal and AC can communicate at Layer 2).

#

aaa

authentication-scheme default

authentication-scheme radius

authentication-mode radius

authorization-scheme default

accounting-scheme default

accounting-scheme radius

accounting-mode radius

accounting realtime 15        ------Accounting time, which is the same as that on the authentication server

service-scheme taosheng

user-vlan 90

service-scheme taosheng_1

user-vlan 99

service-scheme taosheng_2

user-vlan 98

service-scheme taosheng-91    -------Escape service template in VLAN 91

user-vlan 91

domain default

authentication-scheme default

domain default_admin                     

authentication-scheme default

domain portal                 -------User domain named portal

authentication-scheme radius  -------Invokes the RADIUS authentication profile named radius.

accounting-scheme radius      -------Invokes the RADIUS accounting profile named radius.

radius-server policy          -------Invokes the RADIUS server template named policy.

local-user admin password irreversible-cipher xxx

local-user admin privilege level 15

local-user admin ftp-directory flash:\

local-user admin service-type telnet terminal ftp http

vap-profile name 91           -------VAP profile named 91 for account and password authentication

forward-mode tunnel                     

service-vlan vlan-id 91                 

ssid-profile 91                         

security-profile 90                     

authentication-profile portal -------Invokes the authentication profile portal in the VAP

#

After the related parameters are configured on the Agile Controller, mobile phones are used to perform an association test. The test shows that when some Android phones use the built-in browser to access the wireless network, the portal authentication page is displayed automatically. The portal authentication page is not displayed when other Android phones or iPhones access the wireless network.

Handling Process

Check whether the portal authentication service is normal. Use the Android phones to access the wireless network and then manually enter the portal authentication page URL http://x.x.x.x:8080/portal in the address box of the browser. The portal authentication page can be properly displayed on all the Android phones, which means that the authentication server is working properly.

Associate the Android phones with the wireless network multiple times. In the built-in browser, tap other applications to check whether the problem is caused by the browser cache. After the browser cache is cleared, the portal authentication page is still displayed in the browser of some Android phones. The other Android phones can jump to the portal authentication page from non-HTTPS pages, but not from HTTPS pages. The authentication server may have restrictions on browsers displaying HTTPS pages. Therefore, check the Agile Controller settings on the switch and compare them with the configuration example in the product documentation. The comparison shows no problem.

Run the display current command to check the native AC configuration. The undo portal https-redirect enable command is found in the system view, and this configuration may be the cause of the problem. Change the command to portal https-redirect enable, and run a command to re-deliver the WLAN configuration. A retest shows that the browser can jump to the portal authentication page from HTTPS pages.

Check the command in the product documentation. The portal https-redirect enable command is configured by default in this version. After communication with the agent, it is found that the agent's engineers had modified the configuration, but the problem persisted, so they contacted the vendor to handle it. They may have disabled the function while modifying the configuration.

Root Cause

The HTTPS redirection function for Portal authentication is not enabled on the native AC. As a result, the browser cannot jump to the portal authentication page from HTTPS pages.

Solution

Enable the HTTPS redirection function (portal https-redirect enable) for Portal authentication globally.
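A configuration check for the root cause above, as an added example that is not part of the original case or of the vendor's tooling: it parses saved display current output and reports which authentication profiles rely on portal authentication while undo portal https-redirect enable is present in the system view. The sample configuration is constructed, and the function names and the assumption that sub-view commands are indented under their system-view command are this example's own.

```python
# Constructed sample in the style of the listing above (addresses are placeholders).
SAMPLE_CONFIG = """\
#
undo portal https-redirect enable
#
web-auth-server portal
 server-ip 192.0.2.10
 port 50200
 url http://192.0.2.10:8080/portal
#
portal-access-profile name portal
 web-auth-server portal direct
#
authentication-profile name portal
 portal-access-profile portal
#
"""

def parse_sections(config_text):
    """Map each system-view command to the indented sub-view commands under it."""
    sections, header = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            header = None                      # '#' closes the current view
        elif not raw[0].isspace():
            header = line                      # assumption: column 0 = system view
            sections[header] = []
        elif header is not None:
            sections[header].append(line)
    return sections

def audit_https_redirect(config_text):
    """Report profiles that use portal authentication while HTTPS redirection is off."""
    sections = parse_sections(config_text)
    # Per the case, the function is on by default, so only the undo line disables it.
    disabled = "undo portal https-redirect enable" in sections
    portal_profiles = {h.split()[-1] for h, body in sections.items()
                       if h.startswith("portal-access-profile name ")
                       and any(c.startswith("web-auth-server ") for c in body)}
    affected = sorted(h.split()[-1] for h, body in sections.items()
                      if h.startswith("authentication-profile name ")
                      and any(c.startswith("portal-access-profile ")
                              and c.split()[-1] in portal_profiles for c in body))
    return {"https_redirect_disabled": disabled,
            "affected_auth_profiles": affected if disabled else []}
```

With HTTPS redirection enabled, the AC answers the client's TLS handshake itself, so browsers show a certificate warning before the portal page, and sites that enforce HSTS will not redirect.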

 

Suggestions

When processing a network problem reported by a customer, ask the customer to provide their processing information, original configuration, and modified configuration. If this information cannot be provided, configure the device following the configuration example in the product documentation. For connection problems, use the step-by-step troubleshooting method to locate the fault.
