When Users Fail Wireless Portal Authentication by the S12708 and Policy Center 

Wireless Portal authentication is configured on the S12708 and Policy Center. The VPN instance XX is bound to VLANIF 256 of the switch for communication with the Portal server.

Authentication fails and no authentication records are displayed on the Portal server.

The configuration on the switch is as follows:

sysname Core_S12708
#
set net-manager vpn-instance XX
#
ip vpn-instance XX
ipv4-family
route-distinguisher 65535:4
vpn-target 65535:4 export-extcommunity
vpn-target 65535:4 65535:3 65535:5 65535:6 65535:7 65535:8 65535:9 65535:10 import-extcommunity
vpn-target 65535:11 import-extcommunity
#
radius-server template radius_huawei
radius-server shared-key cipher %@%@MhYHRn'xG)G`2&)0kQb@w#B:%@%@
radius-server authentication 172.16.2.146 1812 vpn-instance XX source ip-address 10.66.1.1 weight 80
radius-server accounting 172.16.2.146 1813 vpn-instance XX source ip-address 10.66.1.1 weight 80
radius-server authorization 172.16.2.146 shared-key cipher %@%@>U:l~MJa=C8^U'9fmZ-4+q=4%@%@
#
url-template name urlTemplate_0
#
web-auth-server huawei
server-ip 172.16.2.146
port 50200
shared-key cipher %@%@1s9zQui#nH`s%U47Ce~-%rA%@%@
url http://172.16.2.146:8080/portal
#
aaa
authentication-scheme default
authentication-scheme radius_huawei
authentication-mode radius
authorization-scheme default
accounting-scheme default
accounting-scheme radius_huawei
accounting-mode radius
domain default
authentication-scheme radius_huawei
accounting-scheme radius_huawei
radius-server radius_huawei
domain default_admin
#
interface Vlanif256
ip binding vpn-instance XX
ip address 10.66.1.1 255.255.255.0
#
#
authentication free-rule 1 destination ip 172.16.2.146 mask 255.255.255.255
#

WLAN configurations are omitted.

The configuration on the Policy Center is as follows:

User account setting:

modify account

Access device setting:

modify device

Authorization rule setting:

Authorization rule

Handling Process

Step 1 Run the test-aaa command on the switch to test the authentication account. User authentication fails. Enable RADIUS packet debugging on the switch. The switch receives a reply carrying error code 4117, indicating that account authorization fails.

<Core_S12708>test-aaa 123 Admin123 radius-template radius_huawei
<Core_S12708>
Error: User name or password is wrong.
<Core_S12708>
Apr 23 2015 13:30:25.115.1 Core_S12708 RDS/7/DEBUG:
RADIUS Sent a Packet.
<Core_S12708>
Apr 23 2015 13:30:25.115.2 Core_S12708 RDS/7/DEBUG:
Server Template: 0
Server IP   : 172.16.2.146
Protocol: Standard
Code    : 1
Len     : 156
ID      : 118
[User-Name                          ] [5 ] [123]
[CHAP-Password                      ] [19] [c1 45 ee 4e 8a 81 68 5e 5c bf 55 16 f7 18 2e e0 08 ]
[CHAP-Challenge                     ] [18] [a6 de 82 54 33 fb 6d 61 d8 75 2c 98 a3 e5 3f 6a ]
[Service-Type                       ] [6 ] [2]
[Framed-Protocol                    ] [6 ] [1]
[NAS-Identifier                     ] [13] [Core_S12708]
[NAS-Port-Type                      ] [6 ] [15]
[Acct-Session-Id                    ] [37] [Core_S1000000000000002dd550f3001055]
[NAS-IP-Address                     ] [6 ] [10.66.1.1]
<Core_S12708>
Apr 23 2015 13:30:25.145.1 Core_S12708 RDS/7/DEBUG:
RADIUS Received a Packet.
<Core_S12708>
Apr 23 2015 13:30:25.145.2 Core_S12708 RDS/7/DEBUG:
Server Template: 0
Server IP   : 172.16.2.146
Server Port : 1812
Protocol: Standard
Code    : 3
Len     : 34
ID      : 118
[Reply-Message                      ] [14] [ErrCode:4117]
<Core_S12708>

Step 2 Test the Portal authorization policy against the configuration requirements. Compare the attributes reported to the RADIUS server with the preset customized condition for wireless access on the Policy Center. The comparison shows that the NAS-Port-Type value in the customized condition differs from the value [NAS-Port-Type] [6] [15] in the reported packets. Delete the customized condition and run the test-aaa command again to test the account. The account passes the test, but users still fail Portal authentication.

modify custom condition
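The comparison in Step 2 can be automated. The following Python script is an added example, not part of the original case and not Huawei's own tooling: it parses the switch's RADIUS debug output into header fields and attributes, extracts the ErrCode from the Reply-Message of the Access-Reject, and compares the NAS-Port-Type the switch reported with the value the Policy Center authorization condition expects. The two sample dumps are constructed from a subset of the Step 1 output. The expected value 19 (Wireless-IEEE-802.11, RFC 2865) is an assumption: the case only says the wireless condition differed from the reported 15 (Ethernet), not what it contained.

```python
import re

# Constructed sample input: the debug output format the switch prints for
# RADIUS packets (same layout as the Step 1 output; subset of its attributes).
ACCESS_REQUEST_DUMP = """\
Code    : 1
Len     : 156
ID      : 118
[User-Name                          ] [5 ] [123]
[Service-Type                       ] [6 ] [2]
[Framed-Protocol                    ] [6 ] [1]
[NAS-Identifier                     ] [13] [Core_S12708]
[NAS-Port-Type                      ] [6 ] [15]
[NAS-IP-Address                     ] [6 ] [10.66.1.1]
"""

ACCESS_REJECT_DUMP = """\
Code    : 3
Len     : 34
ID      : 118
[Reply-Message                      ] [14] [ErrCode:4117]
"""

# RADIUS codes and NAS-Port-Type values from RFC 2865 (subset).
RADIUS_CODE = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
NAS_PORT_TYPE = {5: "Virtual", 15: "Ethernet", 19: "Wireless-IEEE-802.11"}

HEADER_RE = re.compile(r"^(Code|Len|ID)\s*:\s*(\d+)\s*$")
ATTR_RE = re.compile(r"^\[(?P<name>[^\]]+?)\s*\]\s*\[(?P<len>\d+)\s*\]\s*\[(?P<val>.*)\]\s*$")


def parse_debug_dump(text):
    """Turn one RDS/7/DEBUG packet dump into {'code', 'len', 'id', 'attrs'}."""
    pkt = {"attrs": {}}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pkt[m.group(1).lower()] = int(m.group(2))
            continue
        m = ATTR_RE.match(line)
        if m:
            pkt["attrs"][m.group("name")] = {
                "len": int(m.group("len")),
                "value": m.group("val").strip(),
            }
    return pkt


def reject_err_code(pkt):
    """Return the ErrCode carried in the Reply-Message of an Access-Reject, or None."""
    if pkt.get("code") != 3:
        return None
    msg = pkt["attrs"].get("Reply-Message", {}).get("value", "")
    m = re.search(r"ErrCode:(\d+)", msg)
    return int(m.group(1)) if m else None


def check_nas_port_type(pkt, expected):
    """Compare the reported NAS-Port-Type with the value the authorization
    condition expects. Returns (matches, reported_name, expected_name)."""
    def name(v):
        return NAS_PORT_TYPE.get(v, "unknown(%s)" % v)
    attr = pkt["attrs"].get("NAS-Port-Type")
    reported = int(attr["value"]) if attr else None
    return reported == expected, name(reported), name(expected)


def diagnose(request_text, reply_text, expected_port_type):
    """Return the findings a troubleshooter would act on for one request/reply pair."""
    req, rep = parse_debug_dump(request_text), parse_debug_dump(reply_text)
    findings = []
    if rep.get("id") != req.get("id"):
        findings.append("reply ID %s does not match request ID %s" % (rep.get("id"), req.get("id")))
    if rep.get("code") == 3:
        findings.append("%s received, ErrCode %s" % (RADIUS_CODE[3], reject_err_code(rep)))
    ok, reported, expected = check_nas_port_type(req, expected_port_type)
    if not ok:
        findings.append("NAS-Port-Type mismatch: switch reported %s, condition expects %s" % (reported, expected))
    return findings


if __name__ == "__main__":
    # 19 is an assumed value for the wireless condition; the case only says it differed from 15.
    for finding in diagnose(ACCESS_REQUEST_DUMP, ACCESS_REJECT_DUMP, expected_port_type=19):
        print("-", finding)
```

With the assumed condition value of 19 the script reports both the Access-Reject with ErrCode 4117 and the NAS-Port-Type mismatch; run against a condition that expects 15, only the reject remains, which matches the case's observation that the test-aaa account passed once the customized condition was removed.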

Step 3 Capture packets on the Portal server. The analysis shows that the Portal server sends three Challenge requests to the switch but receives no response. The Portal server also sends logout request packets to the switch but receives no response, and no further RADIUS authentication request is initiated. No RADIUS authentication logs for this account are displayed on the Portal server. Therefore, the switch configuration needs to be verified.

switch configuration

switch configuration

Note: A relevant Portal plug-in needs to be installed to filter Portal packets. If the plug-in is not installed, you can filter packets manually: packets starting with 0201 and 0205 are REQ_CHALLENGE and REQ_LOGOUT packets respectively.

packets

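The manual filter in the note above, and the unanswered-request pattern Step 3 found, can be checked in code. The following Python script is an added example, not part of the original case: it classifies Portal payloads by their first two bytes and lists every request the Portal server sent that never received a matching acknowledgement from the access device. Only 0x01 (REQ_CHALLENGE) and 0x05 (REQ_LOGOUT) come from the case; the other type codes and the 16-byte header layout are assumptions taken from the Portal protocol version 2 as this example understands it, and the capture (including the client IP 10.66.1.50) is constructed.

```python
import socket
import struct

# Portal protocol type codes. 0x01 (REQ_CHALLENGE) and 0x05 (REQ_LOGOUT) are the
# two named in the case; the remaining codes are assumed from the Portal protocol
# version 2 type list and are not taken from the page.
PORTAL_TYPES = {
    0x01: "REQ_CHALLENGE", 0x02: "ACK_CHALLENGE", 0x03: "REQ_AUTH", 0x04: "ACK_AUTH",
    0x05: "REQ_LOGOUT", 0x06: "ACK_LOGOUT", 0x07: "AFF_ACK_AUTH", 0x08: "NTF_LOGOUT",
}
# Which acknowledgement closes each request.
ACK_OF = {"REQ_CHALLENGE": "ACK_CHALLENGE", "REQ_AUTH": "ACK_AUTH", "REQ_LOGOUT": "ACK_LOGOUT"}

# Assumed 16-byte version-2 header, followed by a 16-byte authenticator:
# Ver, Type, Pap/Chap, Rsvd, SerialNo, ReqID, UserIP, UserPort, ErrCode, AttrNum.
HEADER_FMT = "!BBBBHH4sHBB"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 16


def build_portal_packet(ptype, serial, user_ip="0.0.0.0", req_id=0):
    """Constructed packet for the sample capture (zeroed authenticator, no attributes)."""
    hdr = struct.pack(HEADER_FMT, 2, ptype, 1, 0, serial, req_id,
                      socket.inet_aton(user_ip), 0, 0, 0)
    return hdr + b"\x00" * 16


def hex_prefix(payload):
    """First two bytes as hex: the filter key the note uses ('0201', '0205')."""
    return payload[:2].hex()


def classify(payload):
    """Return (type_name, serial_no) for a version-2 Portal payload, else None."""
    if len(payload) < HEADER_LEN or payload[0] != 0x02:
        return None
    fields = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    return PORTAL_TYPES.get(fields[1], "UNKNOWN_0x%02x" % fields[1]), fields[4]


def unanswered_requests(packets):
    """packets: iterable of (src_ip, dst_ip, payload). Return (type, serial) of every
    request whose matching acknowledgement never came back from the device it was
    sent to, in the order the requests were seen."""
    pending = {}
    for src, dst, payload in packets:
        c = classify(payload)
        if c is None:
            continue
        type_name, serial = c
        if type_name in ACK_OF:
            pending[(ACK_OF[type_name], serial)] = (type_name, serial, dst)
        else:
            entry = pending.get((type_name, serial))
            if entry is not None and entry[2] == src:  # ack must come from the request's target
                pending.pop((type_name, serial))
    return [(t, s) for t, s, _ in pending.values()]


# Constructed capture reproducing Step 3: the server sends three challenges and a
# logout to the switch and gets nothing back. Client IP 10.66.1.50 is made up.
PORTAL_SERVER, SWITCH = "172.16.2.146", "10.66.1.1"
CAPTURE = [
    (PORTAL_SERVER, SWITCH, build_portal_packet(0x01, serial, user_ip="10.66.1.50"))
    for serial in (1, 2, 3)
] + [(PORTAL_SERVER, SWITCH, build_portal_packet(0x05, 4, user_ip="10.66.1.50"))]


if __name__ == "__main__":
    for src, dst, payload in CAPTURE:
        print(src, "->", dst, hex_prefix(payload), classify(payload))
    print("unanswered:", unanswered_requests(CAPTURE))
```

On the constructed capture all four requests come back as unanswered, which is the signature the case describes before the VPN instance was bound to the Portal server template; an acknowledgement is only counted when it arrives from the device the request was addressed to.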
Step 4 Verify relevant switch configuration. If the switch communicates with the Portal server through a VPN instance, check whether the VPN instance is bound to the Portal server template. If not, bind the VPN instance XX to the Portal server template and test the Portal authentication again. The authentication succeeds.

#
web-auth-server huawei
server-ip 172.16.2.146
port 50200
shared-key cipher %@%@1s9zQui#nH`s%U47Ce~-%rA%@%@
url http://172.16.2.146:8080/portal
vpn-instance XX
#

Root Cause

Account authentication and authorization fail because the configuration of the Portal server authorization template is incorrect.

The switch fails to respond to the server’s Portal packets because no VPN instance is bound to the Portal server template.

Suggestions

The Portal packet exchange process is as follows:

Portal packet exchange process

1. A Portal user initiates an authentication request using the HTTP protocol. The access device allows the HTTP packet destined for the Portal server or a preset free-of-charge website to pass through. The access device redirects the HTTP packet destined for other addresses to the Portal server. The Portal server pushes a web page for the user to enter the user name and password for authentication.

2. The Portal server exchanges information with the access device to implement CHAP authentication. If PAP is adopted, this step is omitted.

3. The Portal server assembles the user name and password entered by the user into an authentication request packet, sends the packet to the access device, and starts a timer to wait for an authentication reply packet.

4. The access device exchanges RADIUS packets with the RADIUS server.

5. The access device sends an authentication reply packet to the Portal server.

6. The Portal server sends an authentication success packet to the client to inform it that authentication succeeded.

7. The Portal server sends an authentication reply acknowledgment packet to the access device.

8. The client exchanges security information with the Policy Center server. The Policy Center server checks whether antivirus software and unauthorized software are installed and whether the virus library and operating system patches are updated to verify the security of the access terminal.

9. The Policy Center server allows the user to access authorized resources based on the terminal's security status. The access device uses the authorization information stored on the device to control user access.

Note: Steps 8 and 9 describe the extended Portal authentication function.
