Incorrect User Name and Password for MA5200G Web Authentication Due to the Masked Port Number for Receiving Web Packets

Publication Date: 2013-09-30

Issue Description

Networking: PC -- router -- BRAS -- web
Symptom: The PC uses Layer 3 web authentication. It can enter the pre-authentication domain and obtain an IP address. After the web page is displayed, the authentication fails even though the user name and password are entered. The failure reason is "authentication times out". No message is displayed in the "debug web packet" output.

Handling Process

1. The web server and BAS configuration are checked (whether the key is correct and whether the server is a supported one). The web-au-server address configured on the BAS and the address that the Web server sends to the BAS are correct.
2. Packets are captured, and it is found that the BAS upstream port receives the UDP packets from the Web server with destination port number 2000.
3. However, still no message is displayed in the "debug web packet" output, so it is certain that the BAS discards the challenge req packet. Finally, it is found that the following configuration is delivered in the global inbound direction:
acl number 6000
 rule 190 permit udp destination-port eq 2000
traffic classifier vir-deny operator or
 if-match acl 6000
traffic behavior vir-deny
traffic policy vir-deny
 classifier vir-deny behavior vir-deny
traffic-policy vir-deny inbound
In this case, UDP packets with destination port 2000 are forbidden in the inbound direction. However, the challenge req packet is a UDP packet whose destination port is 2000, so it is dropped by this policy. The problem is resolved after this rule is removed.

Root Cause

Because no message is displayed in the "debug web packet" output, there are three possible reasons:
1. The Web server does not send the challenge req packet. The Web server and BAS configuration must be checked to exclude possible causes, such as whether the key is correct and whether the server is a supported one.
2. The Web server sends the challenge req packet but the device fails to receive it. The possible causes include a link fault, an incorrect web-au-server address configured on the BRAS, and an incorrect address that the Web server sends to the BRAS.
3. The Web server sends the challenge req packet but the device discards or filters it.




When the web-auth-server listening-port is left at the default, the device receives these packets on port 2000. Therefore, add ports to the anti-virus list carefully so that the list does not block ports the device itself needs.
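The check this recommendation implies can be automated before an anti-virus ACL is deployed. The following is an added example, not part of the original case or any vendor tool: it walks a configuration in the style shown above and reports every UDP rule that covers the web authentication listening port and is reachable from a traffic policy applied inbound. The function names, the sample text and the set of port operators handled (eq, gt, lt, range) are assumptions of this example, and it does not distinguish a global application from an interface one.

```python
import re

# Constructed sample modelled on the configuration above (ACL 6001, rules 180 and 200 are invented).
SAMPLE_CONFIG = """\
acl number 6000
 rule 180 permit tcp destination-port eq 445
 rule 190 permit udp destination-port eq 2000
 rule 200 permit udp destination-port range 1434 1440
acl number 6001
 rule 5 permit udp destination-port eq 2000
traffic classifier vir-deny operator or
 if-match acl 6000
traffic behavior vir-deny
traffic policy vir-deny
 classifier vir-deny behavior vir-deny
traffic-policy vir-deny inbound
"""

RULE_RE = re.compile(r"rule (\d+) (?:permit|deny) udp\b.*?"
                     r"destination-port (eq|gt|lt|range) (\d+)(?: (\d+))?")

def covers(op, a, b, port):
    """True if ACL port operator `op` with operands a (and b) matches port."""
    return {"eq": port == a, "gt": port > a, "lt": port < a,
            "range": b is not None and a <= port <= b}[op]

def find_blocking_rules(config, port=2000):
    """Return (policy, classifier, acl, rule_id) for each UDP rule covering
    `port` in an ACL reachable from a traffic policy applied inbound."""
    acl_rules, cls_acls, pol_cls, applied = {}, {}, {}, []
    kind = name = None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] in ("acl", "traffic") and len(w) >= 3:  # section header
            kind, name = w[1], w[2]   # kind: number/classifier/behavior/policy
        elif w[0] == "traffic-policy" and w[-1] == "inbound":
            applied.append(w[1])
        elif kind == "number" and (m := RULE_RE.match(" ".join(w))):
            hi = int(m.group(4)) if m.group(4) else None
            if covers(m.group(2), int(m.group(3)), hi, port):
                acl_rules.setdefault(name, []).append(int(m.group(1)))
        elif kind == "classifier" and w[:2] == ["if-match", "acl"]:
            cls_acls.setdefault(name, []).append(w[2])
        elif kind == "policy" and w[0] == "classifier":
            pol_cls.setdefault(name, []).append(w[1])
    return [(p, c, a, r) for p in applied for c in pol_cls.get(p, [])
            for a in cls_acls.get(c, []) for r in acl_rules.get(a, [])]
```

Calling `find_blocking_rules(SAMPLE_CONFIG)` reports ACL 6000 rule 190 but not the unreferenced ACL 6001; pass a different `port` if the listening port has been changed from the default.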