Symptom: The PC uses Layer 3 web authentication. It enters the pre-authentication domain and obtains an IP address, and the web authentication page is displayed, but authentication fails after the user name and password are entered. The failure reason is "authentication times out". Nothing is displayed by "debug web packet".
1. The web server and BAS configuration are checked first (whether the shared key is correct and whether the server is a supported one). The web-auth-server address configured on the BAS and the BAS address that the web server sends to are both correct.
2. Packets are captured, and it is found that the BAS upstream port does receive the UDP packets from the web server, with destination port 2000.
3. However, "debug web packet" still displays nothing, so the BAS must be discarding the challenge req packet. Finally, the following traffic policy is found to be applied in the global inbound direction:
acl number 6000
 rule 190 permit udp destination-port eq 2000
traffic classifier vir-deny operator or
 if-match acl 6000
traffic behavior vir-deny
traffic policy vir-deny
 classifier vir-deny behavior vir-deny
traffic-policy vir-deny inbound
With this policy, UDP packets to port 2000 are dropped in the direction the policy is applied. The challenge req packet is exactly such a UDP packet with destination port 2000, so the problem is resolved after this rule is cancelled.
Because "debug web packet" displays nothing, there are three possible causes:
1. The web server does not send the challenge req packet. Check the web server and BAS configuration to exclude causes such as an incorrect key or an unsupported server.
2. The web server sends the challenge req packet but the device does not receive it. Possible causes include a link fault, an incorrect web-auth-server address configured on the BRAS, and an incorrect BRAS address configured on the web server.
3. The web server sends the challenge req packet but the device discards or filters it.
When the web-auth-server listening-port is the default, the device receives these packets on port 2000. Therefore, add ports to the anti-virus ACL carefully so that the listening port is not blocked by the policy.
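As an added check for the third cause and the caveat above (example code written for this note, not part of the original case or of any vendor tool), the following Python parses a VRP-style configuration and reports every inbound traffic policy whose deny behavior is fed by an ACL rule matching UDP to the web-auth-server listening port. The sample configuration is constructed from the case; the "deny" action under the behavior is an assumption, as is the function interface.

```python
import re
from collections import defaultdict
from typing import List, Tuple

DEFAULT_LISTEN_PORT = 2000  # default web-auth-server listening port (from the case)

# Constructed VRP-style sample (not a real device dump); the "deny" action under the
# behavior is an assumption, the case only states that the policy drops the packets.
SAMPLE_CONFIG = """\
acl number 6000
 rule 190 permit udp destination-port eq 2000
traffic classifier vir-deny operator or
 if-match acl 6000
traffic behavior vir-deny
 deny
traffic policy vir-deny
 classifier vir-deny behavior vir-deny
traffic-policy vir-deny inbound
"""

def blocked_portal_rules(config: str, port: int = DEFAULT_LISTEN_PORT) -> List[Tuple[str, str, int, str]]:
    """Return (policy, classifier, acl, rule) for every inbound traffic-policy whose
    deny behavior is fed by an ACL rule matching UDP to the web-auth listening port."""
    rule_re = re.compile(rf"^rule \d+ permit udp .*destination-port eq {port}\b")
    acl_rules = defaultdict(list)   # acl number -> rules hitting the portal port
    cls_acls = defaultdict(list)    # classifier -> ACL numbers it matches on
    policies = defaultdict(list)    # policy -> (classifier, behavior) pairs
    deny_beh, inbound = set(), []   # deny behaviors; policies applied inbound
    kind = block = None             # current config block being parsed
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        w = line.split()
        if w[:2] == ["acl", "number"]:
            kind, block = "acl", int(w[2])
        elif w[0] == "traffic" and len(w) > 2 and w[1] in ("classifier", "behavior", "policy"):
            kind, block = w[1], w[2]
        elif w[0] == "traffic-policy" and w[-1] == "inbound":
            inbound.append(w[1])
        elif kind == "acl" and rule_re.match(line):
            acl_rules[block].append(line)   # ACL "permit" only means "match" here
        elif kind == "classifier" and w[:2] == ["if-match", "acl"]:
            cls_acls[block].append(int(w[2]))
        elif kind == "behavior" and w[0] == "deny":
            deny_beh.add(block)             # the behavior decides: deny -> drop
        elif kind == "policy" and len(w) >= 4 and w[0] == "classifier" and w[2] == "behavior":
            policies[block].append((w[1], w[3]))
    return [(pol, cls, acl, rule)
            for pol in inbound
            for cls, beh in policies[pol] if beh in deny_beh
            for acl in cls_acls[cls]
            for rule in acl_rules[acl]]
```

The key point the check encodes is that "permit" in the ACL only selects the traffic; whether it is dropped is decided by the behavior bound to that classifier and the direction in which the policy is applied.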