
Portal Authentication

www.huawei.com

Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved.


Foreword
• Portal authentication can meet the requirements of network access in public places such as hotels without requiring any client software. In addition, based on portal websites, users can develop advertisement and community services and personalized businesses, which helps carriers, device providers, and content providers form an industrial ecosystem.
• This chapter describes Portal authentication application scenarios, configuration, deployment, and troubleshooting.
Objectives
• Upon completion of this course, you will be able to:
  - Know Portal authentication principles and application scenarios
  - Have a good command of Portal authentication configuration and deployment
  - Have a good command of Portal authentication troubleshooting
Contents
1. Portal Authentication Principles
2. Portal Authentication Configuration and Deployment
3. Portal Authentication Troubleshooting

Portal Authentication Introduction
• Portal authentication is also called web authentication. Generally, Portal authentication websites are called Portal websites. Before a user can access the Internet, the user must be authenticated on the portal website. That is, only authenticated users can access network resources.

[Figure: the terminal connects through the access device; the Portal server and the RADIUS server (authentication server) sit behind it.]
Portal Authentication Scenario
• Portal authentication application scenario
  - Portal authentication requires no client and is easy to deploy. It is widely used on campus networks.
  - If users deploy security management components, clients need to be installed. In this case, client-based Portal authentication can be used.

[Figure: terminal – AP – access device – Portal server and RADIUS server, with the enterprise resources behind the access device.]
Portal Authentication Mode

[Figure: Layer 2 authentication (left) and Layer 3 authentication (right). Both sides show a core device with the server attached, an aggregation device acting as the gateway, and an access device. In Layer 2 authentication the authentication control point is the aggregation device acting as the gateway, so terminals reach it at Layer 2; in Layer 3 authentication the authentication control point is the core device above the gateway.]
Users Log In Through Portal Authentication (Web)

[Figure: message sequence among the client (web), the Portal server, the authentication control device, and the RADIUS server.]
1. The client initiates an HTTP request.
2. The authentication control device redirects the HTTP request to the Portal server.
3. The client initiates a Portal authentication request to the Portal server.
4. The Portal server sends a challenge request to the authentication control device (only involved in CHAP authentication).
5. The authentication control device sends a challenge response (only involved in CHAP authentication).
6. The Portal server sends a Portal authentication request to the authentication control device.
7. The authentication control device sends a RADIUS authentication request to the RADIUS server.
8. The RADIUS server sends the RADIUS authentication result.
9. The authentication control device sends an accounting request.
10. The RADIUS server sends the accounting response.
11. The authentication control device sends the Portal authentication result to the Portal server, and enables the user to log in after successful authentication.
12. The Portal server informs the user of the authentication result.
13. The Portal server acknowledges the authentication result. The terminal's MAC address is written to the cache and database.
Users Actively Log Out Through Portal Authentication (Web)

[Figure: message sequence among the client (web), the Portal server, the authentication control device, and the RADIUS server.]
A user logs out:
1. The client sends a deregistration (logout) request to the Portal server.
2. The Portal server sends a logout notification to the authentication control device.
3. The authentication control device sends an accounting stop request to the RADIUS server and a logout response to the Portal server, and deletes the user from its online user list.
4. The RADIUS server sends an accounting stop response. The Portal server and the RADIUS server delete the user from their online user lists.
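The login and logout sequences above, as an added example that is not part of the original slides: a Python model of the client, the Portal server, the authentication control device and the RADIUS server exchanging the CHAP steps (4 to 8), the accounting start (9 and 10) and the logout accounting stop. The CHAP response is the RFC 1994 / RFC 2865 form MD5(identifier || password || challenge). The message objects, the user database and the client address are constructed for the example and do not reproduce the Portal protocol's wire format.

```python
import hashlib
import hmac
import os

# Constructed credential store held by the RADIUS server (sample data, not from the slides).
RADIUS_USERS = {"alice": "Alice@Pass1"}


def chap_password(req_id: int, password: str, challenge: bytes) -> bytes:
    """CHAP response in the RFC 1994 / RFC 2865 form MD5(identifier || secret || challenge).
    The secret itself is never transmitted by either side."""
    return hashlib.md5(bytes([req_id]) + password.encode("utf-8") + challenge).digest()


class RadiusServer:
    """Steps 7-10: verify the CHAP credentials, record accounting start/stop."""

    def __init__(self, users):
        self.users = users
        self.accounting = []  # (user, "Start" | "Stop") in arrival order

    def access_request(self, user, req_id, challenge, response):
        secret = self.users.get(user)
        if secret is None:
            return False  # Access-Reject
        expected = chap_password(req_id, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare

    def accounting_request(self, user, status):
        self.accounting.append((user, status))
        return True  # accounting response


class AccessDevice:
    """Authentication control device: issues challenges, talks RADIUS, keeps the online list."""

    def __init__(self, radius):
        self.radius = radius
        self.online = {}   # client_ip -> user name
        self.pending = {}  # client_ip -> (req_id, challenge) awaiting a response
        self._next_id = 1

    def challenge_request(self, client_ip):
        """Steps 4-5: a fresh 16-byte challenge and a request identifier for this attempt."""
        req_id = self._next_id
        self._next_id = self._next_id % 255 + 1  # identifiers cycle through 1..255
        challenge = os.urandom(16)
        self.pending[client_ip] = (req_id, challenge)
        return req_id, challenge

    def auth_request(self, client_ip, user, req_id, response):
        """Step 6 in; steps 7-11 out. Each challenge is consumed on first use."""
        pending = self.pending.pop(client_ip, None)
        if pending is None or pending[0] != req_id:
            return False  # no outstanding challenge for this client: reject
        if not self.radius.access_request(user, req_id, pending[1], response):
            return False  # Portal authentication result: failure
        self.radius.accounting_request(user, "Start")  # steps 9-10
        self.online[client_ip] = user  # the user may now pass traffic
        return True

    def logout_notification(self, client_ip):
        """Logout steps 2-4: accounting stop, then drop the user from the online list."""
        user = self.online.pop(client_ip, None)
        if user is None:
            return False
        self.radius.accounting_request(user, "Stop")
        return True


class PortalServer:
    """Step 3 in: hash the password against the device's challenge and forward only the digest."""

    def __init__(self, device):
        self.device = device

    def login(self, client_ip, user, password):
        req_id, challenge = self.device.challenge_request(client_ip)
        response = chap_password(req_id, password, challenge)  # the plaintext stops here
        return self.device.auth_request(client_ip, user, req_id, response)

    def logout(self, client_ip):
        return self.device.logout_notification(client_ip)


def run_demo():
    """Exercise both flows with a constructed client and return the observations."""
    radius = RadiusServer(RADIUS_USERS)
    device = AccessDevice(radius)
    portal = PortalServer(device)
    ip = "172.20.0.10"  # constructed terminal address on the employee VLAN
    results = {
        "wrong_password": portal.login(ip, "alice", "guess"),
        "login": portal.login(ip, "alice", "Alice@Pass1"),
        "online_after_login": device.online.get(ip),
        "logout": portal.logout(ip),
        "online_after_logout": device.online.get(ip),
    }
    # A digest captured from one attempt cannot be submitted again: the challenge is gone.
    req_id, challenge = device.challenge_request(ip)
    digest = chap_password(req_id, "Alice@Pass1", challenge)
    results["fresh_attempt"] = device.auth_request(ip, "alice", req_id, digest)
    results["replay_rejected"] = not device.auth_request(ip, "alice", req_id, digest)
    results["accounting"] = list(radius.accounting)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The property the CHAP steps buy is visible in the model: the plaintext password stops at the Portal server, only a challenge-bound digest crosses to the authentication control device and on to the RADIUS server, and because every challenge is consumed on first use a digest captured from one attempt is useless for a second one.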
Contents
1. Portal Authentication Principles
2. Portal Authentication Configuration and Deployment
  - Wired Portal Authentication Configuration and Deployment
  - Wireless Portal Authentication Configuration and Deployment

3. Portal Authentication Troubleshooting
Portal Authentication Application Scenario
• Portal authentication: Users can enter the user names and passwords on the web authentication pages for identity authentication.

[Figure: Portal authentication application scenario]
  - Guest access.
  - Authentication on web pages facilitates management and reduces client maintenance workload.
  - Portal authentication facilitates service operation and expansion, such as advertisement pushing and enterprise publicity.
  - The Portal authentication technology is mature and widely used in various scenarios such as carriers, fast food chains, and schools.
Wired Portal Authentication
• A company needs to deploy an authentication system to implement access control on employees who attempt to access the company's network. Only authenticated users can access the company's network. All employees' accounts are maintained on the AD server.

[Figure: wired topology. Campus egress; core switch S7700 (G1/0/1, G1/0/2; VLAN 102; VLAN 200) with the pre-authentication domain (DNS, Agile Controller-Campus and AD servers) on 192.168.11.0/24; aggregation switch S5720HI as the authentication control point (G0/0/2 towards the core on 192.168.100.0/24; G0/0/1 in VLAN 101); access switch S2750EI (G0/0/2, G0/0/1); terminals on 172.16.11.0/24.]
Configuration Procedure
[Figure: configuration procedure]
1. Configuration planning
2. Basic configuration
3. Portal authentication configuration
4. Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
• Configure basic data for network connectivity.
  - Configure the VLAN and IP address on the access switch.
  - Configure the aggregation switch.
    - Configure the VLAN and IP address.
    - Configure the gateway IP address, and enable DHCP.
    - Configure a static route to the network segment where the authentication server resides.
  - Configure the core switch.
    - Configure the VLAN and IP address.
    - Configure a static route to the network segment where terminals reside.
Set RADIUS Parameters on the Aggregation Switch
• Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[S5700] radius-server template radius_template
[S5700-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server shared-key cipher Admin@123
[S5700] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[S5700] aaa
[S5700-aaa] authentication-scheme auth_scheme //Authentication scheme.
[S5700-aaa-authen-auth_scheme] authentication-mode radius
[S5700-aaa] accounting-scheme acco_scheme //Accounting scheme.
[S5700-aaa-accounting-acco_scheme] accounting-mode radius
[S5700-aaa-accounting-acco_scheme] accounting realtime 15
[S5700-aaa] domain default
[S5700-aaa-domain-default] authentication-scheme auth_scheme
[S5700-aaa-domain-default] accounting-scheme acco_scheme
[S5700-aaa-domain-default] radius-server radius_template
Set Portal Server Connection Parameters on the Aggregation Switch
• Set Portal server connection parameters.
[S5700] web-auth-server portal_huawei
[S5700-web-auth-server-portal_huawei] server-ip 192.168.11.10
[S5700-web-auth-server-portal_huawei] source-ip 192.168.100.100
[S5700-web-auth-server-portal_huawei] port 50200
[S5700-web-auth-server-portal_huawei] shared-key cipher Admin@123
[S5700-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[S5700-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 1 action log
[S5700-web-auth-server-portal_huawei] user-sync interval 100 max-times 5
[S5700] portal quiet-period
[S5700] portal quiet-times 5
[S5700] portal timer quiet-period 240
[S5700] web-auth-server listening-port 2000
[S5700] interface vlanif 101
[S5700-Vlanif101] authentication portal
[S5700-Vlanif101] web-auth-server portal_huawei direct
Configure the Agile Controller-Campus - Add Devices
• Choose Resource > Device > Device Management, and click Add. Set switch parameters.
Configure the Agile Controller-Campus - Configure Authentication and Authorization
• Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and add authorization ACLs.
Configure the Agile Controller-Campus - Bind Authorization Results
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to users after successful authentication.
Verify the Result
• An end user can access only the Agile Controller-Campus, DNS, and AD servers before authentication.
• The end user is redirected to the Portal authentication page when attempting to access the Internet. After the user enters the correct account and password, the requested web page is displayed.
• The end user can access the Internet only after the authentication succeeds.
• After the end user is successfully authenticated, run the display access-user command on the switch to view the online information about the terminal.
• On the Service Manager (SM), choose Resource > User > Online User Management to view the online information about the end user.
• On the SM, choose Resource > User > RADIUS Log to view the RADIUS authentication logs of the end user.
Wireless Portal Authentication
• A company (with about 1000 employees) needs to deploy an authentication system to implement access control on the employees who attempt to access the company's network. Only authenticated users can access the company's network.

[Figure: wireless topology. Firewall and core router at the egress; pre-authentication domain with the Agile Controller-Campus, AD, DNS and DHCP servers; aggregation switch S5720HI (G0/0/1, G0/0/2, G0/0/3); AC6605 as the authentication control point, 10.10.10.254/24 on VLAN 10 (G0/0/1); access switch S2750EI (G0/0/1, G0/0/2, G0/0/3) with AP0 and AP1; employees on VLAN 100, 172.20.0.0/16; guests on VLAN 101, 172.21.0.0/16; post-authentication domain with the service system.]
Configuration Procedure
[Figure: configuration procedure]
1. Configuration planning
2. Basic configuration
3. Authentication control point configuration
4. Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
• Configure basic data for network connectivity.
  - Configure the VLAN and IP address on the access switch.
  - Configure the VLAN and IP address on the aggregation switch.
  - Configure the AC.
    - Configure the VLAN and IP address.
    - Configure the AC to assign IP addresses from an interface address pool to APs.
    - Configure a default route that the AC uses to communicate with the servers. Packets are forwarded to the core router by default.
Set RADIUS Parameters on the AC
• Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original //Configure the device to send the user names entered by users to the RADIUS server.
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme.
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme.
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
Configure the Portal Server on the AC (1/6)
• Configure the URL of the Portal authentication page. When a user attempts to access the network before authentication, the AC redirects the user to the Portal server.
[AC] url-template name huawei
[AC-url-template-huawei] url http://access.example.com:8080/portal //Replace access.example.com with the host name of the Portal server.

• Set parameters carried in the URL, which must be the same as those on the authentication server.
[AC-url-template-huawei] url-parameter ssid ssid redirect-url url

• Specify the port number for processing Portal protocol packets. The default port number is 2000. If you change the port number on the AC, set the same port number when you add this AC to the Agile Controller-Campus.
[AC] web-auth-server listening-port 2000
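An added example (not from the slides) showing what the url-template above produces and why its parameter names must match the authentication server: the AC builds the redirect to http://access.example.com:8080/portal with the SSID in the `ssid` query parameter and the originally requested address in the `url` parameter, and the Portal server reads them back to choose which page to push and where to send the user after login. The page table, the mismatched parameter name `wlan` used to show the failure, and the post-login fallback URL are assumptions for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# From the url-template on the slide.
PORTAL_URL = "http://access.example.com:8080/portal"
# "url-parameter ssid ssid redirect-url url": the SSID travels in a query parameter
# named "ssid", the originally requested URL in one named "url".
DEVICE_PARAMS = {"ssid": "ssid", "redirect-url": "url"}

# Constructed page table (hypothetical): one login page per SSID plus a default.
PAGES = {"employee": "employee_login.html", "guest": "guest_login.html", "default": "login.html"}


def build_redirect_location(ssid, requested_url, portal_url=PORTAL_URL, params=DEVICE_PARAMS):
    """The Location the AC sends in the HTTP redirect (step 2 of the login flow)."""
    query = {params["ssid"]: ssid, params["redirect-url"]: requested_url}
    s = urlsplit(portal_url)
    return urlunsplit((s.scheme, s.netloc, s.path, urlencode(query), ""))


def parse_redirect_location(location, expected_params=DEVICE_PARAMS):
    """What the Portal server reads back. A name missing from the query comes back as
    None, which is exactly what a device/controller parameter-name mismatch looks like."""
    q = parse_qs(urlsplit(location).query)
    return {
        "ssid": q.get(expected_params["ssid"], [None])[0],
        "requested_url": q.get(expected_params["redirect-url"], [None])[0],
    }


def choose_portal_page(ssid, pages=PAGES):
    """Pick the page to push from the SSID; an unknown or missing SSID gets the default."""
    return pages.get(ssid, pages["default"])


def post_login_target(requested_url, fallback):
    """After a successful login the user is returned to the page originally requested.
    Only an absolute http(s) URL is honoured; anything else goes to the fallback."""
    s = urlsplit(requested_url or "")
    if s.scheme in ("http", "https") and s.netloc:
        return requested_url
    return fallback


if __name__ == "__main__":
    location = build_redirect_location("guest", "http://www.example.org/news")
    print(location)
    fields = parse_redirect_location(location)
    print(fields, "->", choose_portal_page(fields["ssid"]))
```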
Configure the Portal Server on the AC (2/6)
• Configure a Portal server template, including the IP address and port number of the Portal server.
[AC] web-auth-server portal_huawei
[AC-web-auth-server-portal_huawei] server-ip 192.168.11.10 //IP address of the Portal server.
[AC-web-auth-server-portal_huawei] source-ip 10.10.10.254 //IP address that the device uses to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the packets sent to the Portal server to 50200.
• Configure the shared key to be used to communicate with the Portal server, which must be the same as that on the Portal server.
[AC-web-auth-server-portal_huawei] shared-key cipher Admin@123 //Configure the shared key to be used to communicate with the Portal server.
[AC-web-auth-server-portal_huawei] url-template huawei //Bind the URL template to the Portal server template.
[AC-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 1 action log //Enable the Portal server detection function.
[AC-web-auth-server-portal_huawei] user-sync interval 100 max-times 5 //Enable the user information synchronization function.
Configure the Portal Server on the AC (3/6)
• Create Portal access profiles for employees and guests respectively, and bind the Portal server template to them.
[AC] portal-access-profile name acc_portal_employee //Create a Portal access profile for employees.
[AC-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct //If the Layer 2 networking mode is used between the AC and terminals, set the authentication mode to direct; if the Layer 3 networking mode is used, set the authentication mode to layer3.
[AC] portal-access-profile name acc_portal_guest //Create a Portal access profile for guests.
[AC-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
• Create a MAC access profile so that MAC address-prioritized Portal authentication can be performed on employees.
[AC] mac-access-profile name acc_mac
Configure the Portal Server on the AC (4/6)
• Configure pre-authentication and post-authentication access rules for employees and guests.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255 //Configure Portal authentication-free rules to allow users to connect to the DNS server before authentication.
[AC-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255 //Configure Portal authentication-free rules to allow users to connect to the AD server before authentication.
[AC-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255 //Configure Portal authentication-free rules to allow users to connect to the DHCP server before authentication.
[AC] acl 3001 //Configure the post-authentication domain for employees to allow them to access both the intranet and Internet.
[AC-acl-adv-3001] rule 5 permit ip
[AC] acl 3002 //Configure the post-authentication domain for guests to allow them to access only the Internet.
[AC-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 255.255.255.255 //The IP address 192.168.11.200 is the service system's IP address and cannot be accessed by guests.
[AC-acl-adv-3002] rule 10 permit ip
Configure the Portal Server on the AC (5/6)
• Configure the Portal escape function. Configure the device to grant the network access rights of a user group to users when the Portal server is Down, so that the users can access the post-authentication domain. In addition, configure the device to re-authenticate users when the Portal server goes Up.
[AC] user-group group1
[AC-user-group-group1] acl 3001 //Employees' post-authentication domain corresponding to group1.
[AC] portal-access-profile name acc_portal_employee
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1 //Configure employees' network access rights to be effective when the Portal server is Down.
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC] user-group group2
[AC-user-group-group2] acl 3002 //Guests' post-authentication domain corresponding to group2.
[AC] portal-access-profile name acc_portal_guest
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2 //Configure guests' network access rights to be effective when the Portal server is Down.
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
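The free rules, the two ACLs and the escape behaviour on the preceding two slides, as an added example that is not part of the original course: a Python evaluator that decides, for one destination, whether a user of the employee or guest profile is permitted, denied or redirected to the Portal page, before and after authentication and while the Portal server is Down. The masks are applied as subnet masks, which is what the slide comments intend; the default action for an ACL that matches nothing and the treatment of non-HTTP traffic before authentication are parameters and assumptions of the example, not statements about the device.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = None  # "permit ip" / "deny ip" with no destination matches every packet


@dataclass(frozen=True)
class AclRule:
    rule_id: int
    action: str  # "permit" or "deny"
    destination: Optional[ipaddress.IPv4Network] = ANY


def host(ip: str) -> ipaddress.IPv4Network:
    """An address with mask 255.255.255.255, the way the slides write a single host."""
    return ipaddress.ip_network(f"{ip}/32")


def acl_decision(rules, dst_ip: str, default: str = "deny") -> str:
    """First match in rule-id order wins. `default` applies when no rule matches; it is
    a parameter of this example because the slides' ACLs always end with a catch-all
    rule, so the device's own default never comes into play here."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.destination is ANY or dst in rule.destination:
            return rule.action
    return default


# Post-authentication domains from the slides.
ACL_3001 = [AclRule(5, "permit")]                          # employees: intranet and Internet
ACL_3002 = [AclRule(5, "deny", host("192.168.11.200")),    # guests: no service system
            AclRule(10, "permit")]

# Authentication-free rules: DNS, AD and DHCP servers reachable before authentication.
FREE_RULES = [host("192.168.11.1"), host("192.168.11.100"), host("192.168.11.2")]

# Profile -> ACL granted after successful authentication (the authorization result).
POST_AUTH_ACL = {"employee": ACL_3001, "guest": ACL_3002}
# Profile -> ACL of the user group authorized while the Portal server is Down (group1 / group2).
ESCAPE_GROUP_ACL = {"employee": ACL_3001, "guest": ACL_3002}


@dataclass
class Session:
    profile: str  # "employee" or "guest": the Portal access profile the user hit
    authenticated: bool = False


def access_decision(session: Session, dst_ip: str, portal_server_up: bool = True,
                    is_http: bool = True) -> str:
    """Return "permit", "deny" or "redirect" for one packet of this session."""
    dst = ipaddress.ip_address(dst_ip)
    if session.authenticated:
        return acl_decision(POST_AUTH_ACL[session.profile], dst_ip)
    if any(dst in net for net in FREE_RULES):
        return "permit"  # pre-authentication domain
    if not portal_server_up:
        # Portal escape: the profile's user group applies instead of the Portal page.
        return acl_decision(ESCAPE_GROUP_ACL[session.profile], dst_ip)
    # Unauthenticated HTTP is redirected to the Portal page; other traffic is dropped.
    return "redirect" if is_http else "deny"


if __name__ == "__main__":
    for who, dst, up in [(Session("guest"), "198.51.100.7", True),
                         (Session("guest", True), "192.168.11.200", True),
                         (Session("employee"), "192.168.11.200", False)]:
        state = "portal up" if up else "portal down"
        print(who, dst, state, "->", access_decision(who, dst, portal_server_up=up))
```

Two things the evaluator makes easy to check before the configuration goes live: that the escape groups give exactly the same reach as the post-authentication ACLs (here they do, because group1 and group2 reference ACL 3001 and ACL 3002), and that the guest deny rule precedes the catch-all permit, since order decides the result. The re-authentication triggered by portal-server-up is not modelled. When copying the ACLs to a device, check the mask convention of its ACL rules against the product documentation: VRP advanced ACL rules take a wildcard mask, in which 0 selects a single host and 255.255.255.255 matches every address, so the intended host match for 192.168.11.200 must be written in the form the device expects.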
Configure the Portal Server on the AC (6/6)
• Configure different authentication profiles for employees and guests respectively, because MAC address-prioritized Portal authentication needs to be enabled for employees.
[AC] authentication-profile name auth_portal_employee
[AC-authentication-profile-auth_portal_employee] mac-access-profile acc_mac //Enable MAC address-prioritized authentication for employees.
[AC-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
[AC-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
[AC-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_employee] radius-server radius_template
[AC-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
[AC] authentication-profile name auth_portal_guest
[AC-authentication-profile-auth_portal_guest] portal-access-profile acc_portal_guest
[AC-authentication-profile-auth_portal_guest] authentication-scheme auth_scheme
[AC-authentication-profile-auth_portal_guest] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_guest] radius-server radius_template
[AC-authentication-profile-auth_portal_guest] free-rule-template default_free_rule
[AC] dhcp snooping enable
[AC] device-sensor dhcp option 12 55 60 //Enable the terminal type awareness function so that the AC can send the Option field containing the terminal type information to the authentication server in DHCP packets. In this way, the authentication server can push the correct Portal authentication pages to users based on their terminal types.
Configure APs to Go Online (1/2)
• Create employees' and guests' AP groups to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC-wlan-view] ap-group name guest //Configure an AP group for guests.
• Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
Configure APs to Go Online (2/2)
• Configure the AC's source interface.
[AC] capwap source interface vlanif 10
• Import the APs offline on the AC and add the APs to the corresponding AP groups.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap_0
[AC-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-view] ap-id 1 ap-mac 60de-4476-e380
[AC-wlan-ap-1] ap-name ap_1
[AC-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Set Service Parameters on the AC (1/3)
• Create a security profile and configure the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_portal
• Create SSID profiles.
[AC-wlan-view] ssid-profile name wlan-ssid-employee
[AC-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-view] ssid-profile name wlan-ssid-guest
[AC-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
Set Service Parameters on the AC (2/3)
• Create VAP profiles, configure the service data forwarding modes and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap-employee
[AC-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
[AC-wlan-view] vap-profile name wlan-vap-guest
[AC-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest //Bind the authentication profile of guests.
Set Service Parameters on the AC (3/3)
• Apply the VAP profiles to radio 0 and radio 1 of the corresponding APs.
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
Configure the Agile Controller-Campus - Add Devices
• Choose Resource > Device > Device Management, and click Add. Set AC parameters.
Configure the Agile Controller-Campus - Add SSIDs
• Choose Policy > Permission Control > Policy Element > SSID, and click Add. Add SSIDs for employees and guests.
Agile Controller-Campus Configuration - Configure Authentication Rules
• Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
Configure the Agile Controller-Campus - Configure Authorization Results
• Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add authorization ACLs for employees and guests respectively.
Configure the Agile Controller-Campus - Configure Authorization Rules
• Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to employees and guests after successful authentication.
Configure the Agile Controller-Campus - Customize Portal Pages to Be Pushed
• Choose Policy > Permission Control > Page Customization > Page Customization, and configure basic information about the page to be pushed to employees.
Enable MAC Address-Prioritized Portal Authentication
• Choose System > Terminal Configuration > Global Parameters. On the MAC Address-prioritized Portal Authentication tab page, enable MAC Address-prioritized Portal Authentication.
Verify the Result

Verification item: Employee authentication
Expected result:
• An employee can only access the Agile Controller-Campus server, DNS server, AD server, and DHCP server before authentication.
• If the employee connects to the Wi-Fi hotspot employee using a computer and attempts to access the Internet or service system, the employee is redirected to the authentication page. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
• After being successfully authenticated, the employee can access the Internet and service system.
• After the authentication succeeds, run the display access-user command on the AC to view the online information about the employee.
• On the SM, choose Resource > User > Online User Management to view the online information about the employee.
• On the SM, choose Resource > User > RADIUS Log to view the RADIUS logs of the employee.

Verification item: Guest authentication
Expected result:
• A guest can only access the Agile Controller-Campus server, DNS server, and DHCP server before authentication.
• If the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to access the Internet, the guest is redirected to the guest authentication page for mobile phones. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
• If the guest connects to the Wi-Fi hotspot guest using a PC or a pad and attempts to access the Internet, the guest is redirected to the guest authentication page for PCs or pads. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
• If the guest quickly registers an account using a mobile phone number, the guest can access the Internet but not the service system after the authentication succeeds.
• After the authentication succeeds, run the display access-user command on the AC to view the online information about the guest.
• On the SM, choose Resource > User > Online User Management to view the online information about the guest.
• On the SM, choose Resource > User > RADIUS Log to view the RADIUS logs of the guest.

Verification item: Employees' reconnection to a wireless network
Expected result:
• When an employee reconnects to the wireless network, the authentication is completed automatically. The employee can access the Internet without entering the user name and password.
• When an employee attempts to access the Internet, the employee is redirected to the employee authentication page. After the employee enters the user name and password and passes the authentication, the requested web page is displayed automatically.
Portal Access Fault
• To locate and rectify the Portal access fault, perform operations according to the following flowchart.

[Flowchart]
Start: access http://SC-IP:8080/portal on a terminal.
  - Failure: ping the terminal's IP address on the SC. Is the ping operation successful?
    - No: check the network connection between the terminal and SC.
    - Yes: access http://SC-IP:8080/portal on the SC. Is the correct page displayed?
      - No: check whether the SC is started.
      - Yes: check whether the SC configuration is correct.
  - Success: access the post-authentication domain on the terminal. Is the correct page displayed?
    - No: check the Portal configuration on the access device.
    - Yes: access any address on the terminal. Is the correct page displayed?
      - No: check the DNS configuration.
      - Yes: the fault is rectified.
Check Whether the Terminal Can Access the Portal Authentication URL
 Enable Wi-Fi on the terminal.
 Open the built-in browser of the operating system and attempt to access http://SC-IP:8080/portal.
 If the terminal cannot access http://SC-IP:8080/portal, check whether the SC can normally communicate with the terminal.
 If the terminal can access http://SC-IP:8080/portal, perform the following check operations in sequence:
 Check whether the Portal authentication port on the switch or AC is consistent with that on the Agile Controller-Campus.
 Check whether the communication between the terminal and SC is blocked by the firewall.
 Check whether a proxy server is enabled in the browser.

Check Whether the SC Can Normally Communicate with the Terminal
 Obtain the IP address of the terminal.
 On the SC, test the network connectivity to the terminal.
 Run the ping command to check whether the network connection between the SC and terminal is normal. If a fault occurs on the network connection, perform the following steps to rectify the fault:
 Check the network connection, such as the gateway configuration and routing information.
 If a firewall is deployed between the SC and access control device, permit the port used for communication between the SC and access control device.
 Disable the Windows built-in firewall on the SC.

Check Whether the SC Can Access the Portal Authentication URL
 Log in to the operating system where the SC is installed.
 Open the Internet Explorer browser and attempt to access http://SC-IP:8080/portal.
 If the Internet Explorer browser cannot access http://SC-IP:8080/portal, check whether the SC is started.
 If the Internet Explorer browser can access http://SC-IP:8080/portal, the fault may be caused by an incorrect configuration or a network error.

Check Whether the SC Is Started Normally
 On the hardware server where the SC is installed, choose Start > All Programs > Huawei > Agile Controller > Server Startup Config, click the SC Monitor tab, and check whether AuthServer, RadiusServer, and PortalServer are in Running state.
 If they are not in Running state, click Start to start them.
 After starting the SC, open the Internet Explorer browser and access http://SC-IP:8080/portal again.
Check Whether the Authentication Ports on the Access Control Device and Agile Controller-Campus Are Consistent
 Huawei devices use port 2000 by default to associate with the Portal server. Port 50200 is recommended as the Portal authentication port on the Agile Controller-Campus.
 The access device configuration is as follows:
<AC> system-view
[AC] web-auth-server huawei
[AC-web-auth-server-huawei] port 50200
 On the Agile Controller-Campus, choose Resource > Device > Device Management, and check whether the port is consistent with that on the access control device.

Check the Portal Configuration of the Access Control Device
 Check whether the URL of the SC is configured in the domain name format on the AC or switch.
<AC> display web-auth-server configuration
 Check the URL of the SC next to the URL field in the command output.
 Ensure that the URL of the Portal authentication page is not in any of the following formats:
 http://SC:8084/auth
 http://SC:8084/newauth
 http://SC:8080/auth
 http://SC:8080/newauth
 The correct URL formats of the Portal authentication page are as follows:
 http://<SC IP address>:8080/portal
 http://<SC domain name>:8080/portal
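The URL check on this slide can be scripted against the command output so that the four rejected formats are caught consistently. The following is an added example, not part of the Huawei course material or the Agile Controller product: it pulls every value of a URL field out of a block of text and accepts only http://<host>:8080/portal, where the host may be an IP address or a domain name. The sample output is constructed for the example (the slide only says the URL appears next to the URL field; the real field layout may differ), so the regular expression in extract_urls is an assumption to adapt to the device's actual output.

```python
"""Added example (not Huawei's code): audit the Portal URL configured on the
access control device against the formats the course accepts and rejects."""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample, not real `display web-auth-server configuration` output.
SAMPLE_OUTPUT = """\
Web-auth-server name : huawei
  URL  : http://SC:8084/auth
  Port : 50200
"""

REJECTED_PATHS = ("/auth", "/newauth")   # the four legacy forms on the slide
REJECTED_PORTS = (8084,)                 # use port 8084 or one of these paths
EXPECTED_PORT, EXPECTED_PATH = 8080, "/portal"


def extract_urls(output: str) -> List[str]:
    """Return every value of a 'URL' field in the command output.
    The field layout is assumed; adjust the pattern to the real output."""
    return re.findall(r"^\s*URL\s*:\s*(\S+)", output,
                      flags=re.MULTILINE | re.IGNORECASE)


def check_portal_url(url: str) -> Tuple[bool, str]:
    """Return (ok, reason). Only http://<SC IP or domain name>:8080/portal
    is accepted; a trailing slash on the path is tolerated."""
    u = urlparse(url)
    if u.scheme != "http" or not u.hostname:
        return False, "not an http URL with a host"
    port = u.port or 80
    path = u.path.rstrip("/")
    if port in REJECTED_PORTS or path in REJECTED_PATHS:
        return False, f"legacy format http://{u.hostname}:{port}{path} is not accepted"
    if port != EXPECTED_PORT:
        return False, f"port {port} should be {EXPECTED_PORT}"
    if path != EXPECTED_PATH:
        return False, f"path {path or '/'} should be {EXPECTED_PATH}"
    return True, "ok"


def audit(output: str) -> List[Tuple[str, bool, str]]:
    """Check each URL found in the output; returns (url, ok, reason) rows."""
    return [(url, *check_portal_url(url)) for url in extract_urls(output)]


if __name__ == "__main__":
    for url, ok, reason in audit(SAMPLE_OUTPUT):
        print(f"{'OK ' if ok else 'BAD'} {url}: {reason}")
```

Paste the real output of display web-auth-server configuration into audit() in place of SAMPLE_OUTPUT; any row reported as BAD names the port or path that has to change to the 8080/portal form before the terminal can reach the authentication page.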
Check Whether the Authentication Page Is Displayed When the Terminal Attempts to Access Any Link
 Use a terminal to access http://www.example.com (or another HTTP address with a domain name).
 Check whether the Portal authentication page is displayed on the terminal.
 If the Portal authentication page is displayed, the access control device can normally push the Portal authentication page.
 If the Portal authentication page is not displayed, the DNS server fails or is not deployed in the pre-authentication domain.
 Cause 1: The DNS server is not deployed in the pre-authentication domain. To rectify the fault, run the portal free-rule command on the AC or switch to permit access to the DNS server.
 Cause 2: The DNS server fails. To rectify the fault, permit access from all network segments to the pre-authentication domain.
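The Portal Access Fault flowchart and the "access any link" check on this slide can both be driven from a script run on the terminal. The following is an added example, not part of the Huawei course material or the Agile Controller product: it fetches the Portal URL and a test address without following redirects, checks that the test host name resolves (a terminal that cannot reach DNS never sends the HTTP request the access device would redirect), and applies the flowchart's decision order to the outcomes. The SC address 10.1.1.1, the test host www.example.com and the timeouts are assumptions; next_action() takes each outcome as a boolean so the decision order can also be exercised offline with constructed results, and the SC-side checks (ping from the SC, the SC's own browser test, the post-authentication domain) are left as manual inputs.

```python
"""Added example (not Huawei's code): script the Portal access troubleshooting
flow. Live probes use only the standard library; next_action() is pure."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlparse

PORTAL_URL = "http://10.1.1.1:8080/portal"   # assumed SC address (placeholder)
TEST_URL = "http://www.example.com/"          # any HTTP address with a domain name


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_get(url: str, timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """GET url without following redirects. Returns (status, Location), or
    (None, None) when no HTTP response was received at all."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # a 3xx/4xx/5xx is still a response
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):   # DNS failure, refused, timeout
        return None, None


def is_redirect_to_portal(status: Optional[int], location: Optional[str],
                          portal_url: str = PORTAL_URL) -> bool:
    """True when the response is a 3xx whose Location has the Portal server's
    scheme, host, port and path (the device's query parameters are ignored)."""
    if status is None or not 300 <= status < 400 or not location:
        return False
    got, want = urlparse(location), urlparse(portal_url)
    return (got.scheme, got.hostname, got.port or 80, got.path.rstrip("/")) == \
           (want.scheme, want.hostname, want.port or 80, want.path.rstrip("/"))


def dns_resolves(url: str) -> bool:
    """Can this terminal resolve the test host through the DNS it is using?"""
    try:
        socket.gethostbyname(urlparse(url).hostname)
        return True
    except (socket.gaierror, TypeError):
        return False


@dataclass
class Probes:
    """Outcome of each check in the flowchart; None means not run (treated as failed)."""
    terminal_reaches_portal: bool
    sc_pings_terminal: Optional[bool] = None
    sc_reaches_own_portal: Optional[bool] = None
    post_auth_domain_ok: Optional[bool] = None
    any_address_redirected: Optional[bool] = None


def next_action(p: Probes) -> str:
    """Apply the flowchart's decision order to the probe outcomes."""
    if not p.terminal_reaches_portal:
        if not p.sc_pings_terminal:
            return "check the network connection between the terminal and SC"
        if not p.sc_reaches_own_portal:
            return "check whether the SC is started"
        return "check whether the SC configuration is correct"
    if not p.post_auth_domain_ok:
        return "check the Portal configuration on the access device"
    if not p.any_address_redirected:
        return "check the DNS configuration"
    return "fault rectified"


def run_from_terminal(sc_side_ok: bool = True) -> str:
    """Run the terminal-side probes live; sc_side_ok reports the manual
    SC-side and post-authentication-domain checks."""
    status, _ = http_get(PORTAL_URL)
    redirected = dns_resolves(TEST_URL) and is_redirect_to_portal(*http_get(TEST_URL))
    return next_action(Probes(terminal_reaches_portal=status is not None,
                              sc_pings_terminal=sc_side_ok,
                              sc_reaches_own_portal=sc_side_ok,
                              post_auth_domain_ok=sc_side_ok,
                              any_address_redirected=redirected))


if __name__ == "__main__":
    print(run_from_terminal())
```

The redirect comparison deliberately matches scheme, host, port and path rather than the whole URL, because the access device appends its own query parameters to the Portal URL; a Location that points at port 8084 or at /auth is reported as not redirected, which is the same misconfiguration the previous slide describes.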

Check Whether DNS Is Configured on the Terminal
 If the terminal obtains an IP address using DHCP, DNS is configured automatically. If the terminal accesses the network using a static IP address, you need to configure DNS manually.
 For example, in Windows 7, select Internet Protocol Version 4 (TCP/IPv4), click Properties, and set Preferred DNS server and Alternate DNS server, as shown in the following figure.

Quiz
1. Which of the following are Portal authentication modes? ( )
A. Layer 2 authentication
B. Layer 3 authentication
C. Agent authentication
D. Web agent authentication

2. In public places such as airports and railway stations, which of the following authentication modes is suitable for network access control? ( )
A. 802.1X authentication
B. MAC address authentication
C. Portal authentication
D. SACG authentication

Summary
 Portal Authentication Principles
 Portal Authentication Configuration and Deployment
 Wired Portal Authentication Configuration and Deployment
 Wireless Portal Authentication Configuration and Deployment
 Portal Authentication Troubleshooting

Thank You
www.huawei.com
