OHCSCP1307 Portal Authentication ISSUE 3.0
www.huawei.com
Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved. Page 4
Contents
1. Portal Authentication Principles
2. Portal Authentication Configuration and Deployment
3. Portal Authentication Troubleshooting
Portal Authentication Introduction
Portal authentication is also called web authentication. Generally, Portal authentication websites are called Portal websites. Before a user can access the Internet, the user must be authenticated on the portal website. That is, only authenticated users can access network resources.
[Figure: terminal, access device, Portal server, RADIUS server, authentication server]
Portal Authentication Scenario
Portal authentication application scenario
Portal authentication requires no client and is easy to deploy. It is widely used on campus networks.
If users deploy security management components, clients need to be installed. In this case, client-based Portal authentication can be used.
[Figure: terminal, AP, access device, Portal server, RADIUS server, enterprise resources]
Portal Authentication Mode
Users Log In Through Portal Authentication (Web)
[Sequence diagram participants: Client (web), Portal server, Authentication control device, RADIUS server]
1 Initiate an HTTP request
Users Actively Log Out Through Portal Authentication (Web)
1 Send a deregistration authentication request
2 Send a logout notification
3 Send an accounting stop request
3 Send a logout response
Contents
1. Portal Authentication Principles
2. Portal Authentication Configuration and Deployment
   Wired Portal Authentication Configuration and Deployment
   Wireless Portal Authentication Configuration and Deployment
Portal Authentication Application Scenario
Portal authentication: Users can enter the user names and passwords on the web authentication pages for identity authentication.
Portal authentication application scenario: Guest access
Wired Portal Authentication
A company needs to deploy an authentication system to implement access control on employees who attempt to access the company's network. Only authenticated users can access the company's network. All employees' accounts are maintained on the AD server.
[Figure: core switch, pre-authentication domain, campus egress, S7700, interfaces G1/0/2 and G0/0/1]
Configuration Procedure
Configuration procedure
Configuration planning
Basic configuration
Portal authentication configuration
Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
  Configure the VLAN and IP address on the access switch.
  Configure the aggregation switch.
    Configure the VLAN and IP address.
    Configure the gateway IP address, and enable DHCP.
    Configure a static route to the network segment where the authentication server resides.
  Configure the core switch.
    Configure the VLAN and IP address.
    Configure a static route to the network segment where terminals reside.
Set RADIUS Parameters on the Aggregation Switch
Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[S5700] radius-server template radius_template
[S5700-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[S5700-radius-radius_template] radius-server shared-key cipher Admin@123
[S5700] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[S5700] aaa
[S5700-aaa] authentication-scheme auth_scheme //Authentication scheme.
[S5700-aaa-authen-auth_scheme] authentication-mode radius
[S5700-aaa] accounting-scheme acco_scheme //Accounting scheme.
[S5700-aaa-accounting-acco_scheme] accounting-mode radius
[S5700-aaa-accounting-acco_scheme] accounting realtime 15
[S5700-aaa] domain default
[S5700-aaa-domain-default] authentication-scheme auth_scheme
[S5700-aaa-domain-default] accounting-scheme acco_scheme
[S5700-aaa-domain-default] radius-server radius_template
Set Portal Server Connection Parameters on the Aggregation Switch
Set Portal server connection parameters.
[S5700] web-auth-server portal_huawei
[S5700-web-auth-server-portal_huawei] server-ip 192.168.11.10
[S5700-web-auth-server-portal_huawei] source-ip 192.168.100.100
[S5700-web-auth-server-portal_huawei] port 50200
[S5700-web-auth-server-portal_huawei] shared-key cipher Admin@123
[S5700-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[S5700-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 1 action log
[S5700-web-auth-server-portal_huawei] user-sync interval 100 max-times 5
Configure the Agile Controller-Campus - Add Devices
Choose Resource > Device > Device Management, and click Add. Set switch parameters.
Configure the Agile Controller-Campus - Configure Authentication and Authorization
Choose Policy > Permission Control > Authentication & Authorization > Authentication Rule, and modify the default authentication rule or create authentication rules.
Choose Policy > Permission Control > Authentication & Authorization > Authorization Result, and add authorization ACLs.
Configure the Agile Controller-Campus - Bind Authorization Results
Choose Policy > Permission Control > Authentication & Authorization > Authorization Rule, and bind the authorization results to specify the resources accessible to users after successful authentication.
Verify the Result
An end user can access only the Agile Controller-Campus, DNS, and AD servers before authentication.
The end user is redirected to the Portal authentication page when attempting to access the Internet. After the user enters the correct account and password, the requested web page is displayed.
The end user can access the Internet only after the authentication succeeds.
After the end user is successfully authenticated, run the display access-user command on the switch to view the online information about the terminal.
On the Service Manager (SM), choose Resource > User > Online User Management to view the online information about the end user.
On the SM, choose Resource > User > RADIUS Log to view the RADIUS authentication logs of the end user.
Wireless Portal Authentication
A company (with about 1000 employees) needs to deploy an authentication system to implement access control on the employees who attempt to access the company's network. Only authenticated users can access the company's network.
[Figure: firewall, core router, pre-authentication domain, AP0, AP1; Employee VLAN100 172.20.0.0/16; Guest VLAN101 172.21.0.0/16]
Configuration Procedure
Configuration procedure
Configuration planning
Basic configuration
Agile Controller-Campus authentication configuration
Configure Basic Data for Network Connectivity
Configure basic data for network connectivity.
  Configure the VLAN and IP address on the access switch.
  Configure the VLAN and IP address on the aggregation switch.
  Configure the AC.
    Configure the VLAN and IP address.
    Configure the AC to assign IP addresses from an interface address pool to APs.
    Configure a default route that the AC uses to communicate with the servers. Packets are forwarded to the core router by default.
Set RADIUS Parameters on the AC
Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC] radius-server template radius_template
[AC-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC-radius-radius_template] radius-server shared-key cipher Admin@123
[AC-radius-radius_template] radius-server user-name original
//Configure the device to send the user names entered by users to the RADIUS server.
[AC] radius-server authorization 192.168.11.10 shared-key cipher Admin@123
[AC] aaa
[AC-aaa] authentication-scheme auth_scheme //Authentication scheme.
[AC-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication scheme to RADIUS.
[AC-aaa] accounting-scheme acco_scheme //Accounting scheme.
[AC-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting scheme to RADIUS.
[AC-aaa-accounting-acco_scheme] accounting realtime 15
Configure the Portal Server on the AC (1/6)
Configure the URL of the Portal authentication page. When a user attempts to access the network before authentication, the AC redirects the user to the Portal server.
[AC] url-template name huawei
[AC-url-template-huawei] url http://access.example.com:8080/portal
//Replace access.example.com with the host name of the Portal server.
Set parameters carried in the URL, which must be the same as those on the authentication server.
[AC-url-template-huawei] url-parameter ssid ssid redirect-url url
Configure the Portal Server on the AC (3/6)
Create Portal access profiles for employees and guests respectively, and bind the Portal server template to them.
[AC] portal-access-profile name acc_portal_employee
//Create a Portal access profile for employees.
[AC-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct
//If the Layer 2 networking mode is used between the AC and terminals, set the authentication mode to direct; if the Layer 3 networking mode is used, set the authentication mode to layer3.
[AC] portal-access-profile name acc_portal_guest
//Create a Portal access profile for guests.
[AC-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
Create a MAC access profile so that MAC address-prioritized Portal authentication can be performed on employees.
[AC] mac-access-profile name acc_mac
Configure the Portal Server on the AC (4/6)
Configure pre-authentication and post-authentication access rules for employees and guests.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
//Configure Portal authentication-free rules to allow users to connect to the DNS server before authentication.
[AC-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255
//Configure Portal authentication-free rules to allow users to connect to the AD server before authentication.
[AC-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255
//Configure Portal authentication-free rules to allow users to connect to the DHCP server before authentication.
[AC] acl 3001 //Configure the post-authentication domain for employees to allow them to access both the intranet and Internet.
[AC-acl-adv-3001] rule 5 permit ip
[AC] acl 3002 //Configure the post-authentication domain for guests to allow them to access only the Internet.
[AC-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 0 //The IP address 192.168.11.200 is the service system's IP address and cannot be accessed by guests. ACL rules take a wildcard mask, so 0 matches this single host.
[AC-acl-adv-3002] rule 10 permit ip
Configure the Portal Server on the AC (5/6)
Configure the Portal escape function. Configure the device to grant network access rights of a user group to users when the Portal server is Down so that the users can access the post-authentication domain. In addition, configure the device to re-authenticate users when the Portal server goes Up.
[AC] user-group group1
[AC-user-group-group1] acl 3001 //Employees' post-authentication domain corresponding to group1.
[AC] portal-access-profile name acc_portal_employee
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1
//Configure employees' network access rights to be effective when the Portal server is Down.
[AC-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen
//Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC] user-group group2
[AC-user-group-group2] acl 3002 //Guests' post-authentication domain corresponding to group2.
[AC] portal-access-profile name acc_portal_guest
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2
//Configure guests' network access rights to be effective when the Portal server is Down.
[AC-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
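The escape settings above decide what a user can reach while the Portal server is Down, and the answer depends on first-match ACL evaluation with wildcard masks (0 bits must match, 1 bits are ignored). The sketch below is an added example, not part of the original course material or any Huawei tool; the indented listing layout and the helper names parse, acl_verdict and escape_verdict are assumptions.

```python
import ipaddress
import re

# Constructed listing: the escape-related commands from this page with the
# prompts stripped and sub-commands indented (the layout is an assumption).
CONFIG = """\
acl 3001
 rule 5 permit ip
acl 3002
 rule 5 deny ip destination 192.168.11.200 0
 rule 10 permit ip
user-group group1
 acl 3001
user-group group2
 acl 3002
portal-access-profile name acc_portal_employee
 authentication event portal-server-down action authorize user-group group1
portal-access-profile name acc_portal_guest
 authentication event portal-server-down action authorize user-group group2
"""

RULE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$")


def to_int(text):
    """Address or wildcard as an integer; a bare 0 is the host wildcard."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def parse(config):
    """Collect ACL rules, user-group ACL bindings and escape user groups."""
    acls, groups, escapes = {}, {}, {}
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():              # a top-level line opens a view
            kind, name = line.split()[0], line.split()[-1]
            if kind == "acl":
                acls[name] = []
        elif kind == "acl" and (m := RULE.match(line)):
            rule_id, action, addr, wildcard = m.groups()
            target = (to_int(addr), to_int(wildcard)) if addr else None
            acls[name].append((int(rule_id), action, target))
        elif kind == "user-group" and line.startswith("acl "):
            groups[name] = line.split()[1]
        elif kind == "portal-access-profile" and "portal-server-down" in line:
            escapes[name] = line.split()[-1]  # user group granted on escape
    return acls, groups, escapes


def acl_verdict(rules, dst):
    """First matching rule wins, in rule-ID order; None if nothing matches."""
    dst = int(ipaddress.IPv4Address(dst))
    for _, action, target in sorted(rules, key=lambda rule: rule[0]):
        if target is None:                    # "permit ip" / "deny ip": any
            return action
        addr, wildcard = target
        # Compare only the bits that the wildcard mask leaves at 0.
        if ((dst ^ addr) & ~wildcard & 0xFFFFFFFF) == 0:
            return action
    return None


def escape_verdict(config, profile, dst):
    """What a user on `profile` may reach while the Portal server is Down."""
    acls, groups, escapes = parse(config)
    group = escapes.get(profile)
    if group is None:
        return "no escape configured"
    return acl_verdict(acls[groups[group]], dst)


if __name__ == "__main__":
    for profile in ("acc_portal_employee", "acc_portal_guest"):
        for dst in ("192.168.11.200", "203.0.113.10"):
            print(profile, dst, escape_verdict(CONFIG, profile, dst))
```

Replacing the wildcard 0 with 255.255.255.255 in rule 5 makes the deny rule match every destination, so guests would lose Internet access as well; an ACL reviewer should check that value first.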
Configure the Portal Server on the AC (6/6)
Configure different authentication profiles for employees and guests respectively because MAC address-prioritized Portal authentication needs to be enabled for employees.
[AC] authentication-profile name auth_portal_employee
[AC-authentication-profile-auth_portal_employee] mac-access-profile acc_mac
//Enable MAC address-prioritized authentication for employees.
[AC-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
[AC-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
[AC-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
[AC-authentication-profile-auth_portal_employee] radius-server radius_template
[AC-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
Configure APs to Go Online (1/2)
Create employees' and guests' AP groups to which APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC-wlan-view] ap-group name guest //Configure an AP group for guests.
Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulatory-domain-prof-domain1] country-code cn
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-view] ap-group name guest
[AC-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
Configure APs to Go Online (2/2)
Configure the AC's source interface.
[AC] capwap source interface vlanif 10
Import the APs offline on the AC and add the APs to the corresponding AP groups.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 60de-4476-e360
[AC-wlan-ap-0] ap-name ap_0
[AC-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
Set Service Parameters on the AC (1/3)
Create a security profile and configure the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name security_portal
Set Service Parameters on the AC (2/3)
Create VAP profiles, configure the service data forwarding modes and service VLANs, and apply the security, SSID, and authentication profiles to the VAP profiles.
[AC-wlan-view] vap-profile name wlan-vap-employee
[AC-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
Set Service Parameters on the AC (3/3)
Apply the VAP profiles to radio 0 and radio 1 of the corresponding APs.
[AC-wlan-view] ap-group name employee
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
Configure the Agile Controller-Campus - Add Devices
Choose Resource > Device > Device Management, and click Add. Set AC parameters.
Configure the Agile Controller-Campus - Add SSIDs
Choose Policy > Permission Control > Policy Element > SSID, and click Add. Add SSIDs for employees and guests.
Agile Controller-Campus Configuration - Configure Authentication Rules
Choose Policy > Permission Control > Authentication & Authorization > Aut
Configure the Agile Controller-Campus - Configure Authorization Results
Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and add authorization ACLs for employees and guests respectively.
Configure the Agile Controller-Campus - Configure Authorization Rules
Choose Policy > Permission Control > Authentication & Authorizati
Configure the Agile Controller-Campus - Customize Portal Pages to Be Pushed
Choose Policy > Permission Control > Page Customization > Page Customization, and configure basic information about the page to be pushed to employees.
Enable MAC Address-Prioritized Portal Authentication
Choose System > Terminal Configuration > Global Parameters. On the MAC Address-prioritized Portal Authentication tab page, enable MAC Address-prioritized Portal Authentication.
Verify the Result
Verification Item: Employee authentication
Expected Result:
• An employee can only access the Agile Controller-Campus server, DNS server, AD server, and DHCP server before authentication.
• If the employee connects to the Wi-Fi hotspot employee using a computer and attempts to access the Internet or service system, the employee is redirected to the authentication page. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
• After being successfully authenticated, the employee can access the Internet and service system.
• After the authentication succeeds, run the display access-user command on the AC to view the online information about the employee.
• On the SM, choose Resource > User > Online User Management to view the online information about the employee.
• On the SM, choose Resource > User > RADIUS Log to view the RADIUS logs of the employee.
Verification Item: Guest authentication
Expected Result:
• A guest can only access the Agile Controller-Campus server, DNS server, and DHCP server before authentication.
• If the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to access the Internet, the guest is redirected to the guest authentication page for mobile phones. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
• If the guest connects to the Wi-Fi hotspot guest using a PC or a pad and attempts to access the Internet, the guest is redirected to the guest authentication page for PCs or pads. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
• If the guest quickly registers an account using a mobile phone number, the guest can access the Internet but not the service system after the authentication succeeds.
• After the authentication succeeds, run the display access-user command on the AC to view the online information about the guest.
• On the SM, choose Resource > User > Online User Management to view the online information about the guest.
• On the SM, choose Resource > User > RADIUS Log to view the RADIUS logs of the guest.
Verification Item: Employees' reconnection to a wireless network
Expected Result:
When an employee reconnects to the wireless network, the authentication is complete automatically. The employee can access the Internet without entering the user name and password.
When an employee attempts to access the Internet, the employee is redirected to the employee authentication page. After the employee enters the user name and password and passes the authentication, the requested web page is displayed automatically.
Portal Access Fault
To locate and rectify the Portal access fault, perform operations according to the following flowchart.
[Flowchart: Start; access http://SC-IP:8080/portal on a terminal; on failure, ping the terminal's IP address on the SC; on success, access the post-authentication domain on the terminal]
Check Whether the Terminal Can Access the Portal Authentication URL
Enable Wi-Fi on the terminal.
Open the built-in browser of the operating system and attempt to access http://SC-IP:8080/portal.
  If the terminal cannot access http://SC-IP:8080/portal, check whether the SC can normally communicate with the terminal.
  If the terminal can access http://SC-IP:8080/portal, perform the following check operations in sequence:
    Check whether the Portal authentication port on the switch or AC is consistent with that on the Agile Controller-Campus.
    Check whether the communication between the terminal and SC is blocked by the firewall.
    Check whether the proxy server of the browser is started.
Check Whether the SC Can Normally Communicate with the Terminal
Obtain the IP address of the terminal.
On the SC, test the network connectivity to the terminal.
  Run the ping command to check whether the network connection between the SC and terminal is normal. If a fault occurs on the network connection, perform the following steps to rectify the fault:
    Check the network connection, such as the gateway configuration and routing information.
    If a firewall is deployed between the SC and access control device, permit the port used for communication between the SC and access control device.
    Disable the Windows built-in firewall on the SC.
Check Whether the SC Can Access the Portal Authentication URL
Log in to the operating system where the SC is installed.
Open the Internet Explorer browser and attempt to access http://SC-IP:8080/portal.
  If the Internet Explorer browser cannot access http://SC-IP:8080/portal, check whether the SC is started.
  If the Internet Explorer browser can access http://SC-IP:8080/portal, the fault may be caused by incorrect configuration or network error.
Check Whether the SC Is Started Normally
On the hardware server where the SC is installed, choose Start > All Programs > Huawei > Agile Controller > Server Startup Config, click the SC Monitor tab, and check whether AuthServer, RadiusServer, and PortalServer are in Running state.
Check the Portal Configuration of the Access Control Device
Check whether the URL of the SC is configured in the domain name format on the AC or switch.
<AC> display web-auth-server configuration
Check the URL of the SC next to the URL field in the command output.
  Ensure that the URL of the Portal authentication page is not in any of the following formats:
    http://SC:8084/auth
    http://SC:8084/newauth
    http://SC:8080/auth
    http://SC:8080/newauth
  The correct URL formats of the Portal authentication page are as follows:
    http://SC IP address:8080/portal
    http://SC domain name:8080/portal
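The URL format check above can be run over saved configuration text instead of being read by eye. The following is an added example, not part of the original course material; it relies only on the url command syntax shown earlier on this page, and the function names check_portal_url and audit_portal_urls, as well as the url-template name "old", are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first three lines are commands from this page; the
# last is a constructed line using a format the page lists as incorrect.
SAMPLE = """\
[S5700-web-auth-server-portal_huawei] url http://access.example.com:8080/portal
[AC-url-template-huawei] url http://access.example.com:8080/portal
[AC-url-template-huawei] url-parameter ssid ssid redirect-url url
[AC-url-template-old] url http://192.168.11.10:8084/auth
"""

# Matches only the "url <address>" command, with or without a view prompt.
URL_CMD = re.compile(r"^(?:\[(?P<view>[^\]]+)\]\s*)?url\s+(?P<url>\S+)$")


def check_portal_url(url):
    """List the deviations from http://<SC IP or domain name>:8080/portal."""
    problems = []
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:              # non-numeric or out-of-range port
        port = None
    if not parts.hostname:
        problems.append("missing SC IP address or domain name")
    if port != 8080:
        problems.append(f"port is {port}, expected 8080")
    if parts.path.rstrip("/") != "/portal":
        problems.append(f"path is {parts.path or '/'}, expected /portal")
    return problems


def audit_portal_urls(config_text):
    """Return (view, url, problems) for every url command in the text."""
    results = []
    for line in config_text.splitlines():
        match = URL_CMD.match(line.strip())
        if match:
            url = match.group("url")
            results.append((match.group("view"), url, check_portal_url(url)))
    return results


if __name__ == "__main__":
    for view, url, problems in audit_portal_urls(SAMPLE):
        print(view, url, "OK" if not problems else "; ".join(problems))
```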
Check Whether the Authentication Page Is Displayed When the Terminal Attempts to Access Any Link
Use a terminal to access http://www.example.com (or another HTTP address with a domain name).
Check whether the Portal authentication page is displayed on the terminal.
  If the Portal authentication page is displayed, the access control device can normally push the Portal authentication page.
  If the Portal authentication page is not displayed, the DNS server fails or is not deployed in the pre-authentication domain.
    Cause 1: The DNS server is not deployed in the pre-authentication domain. To rectify the fault, run the portal free-rule command on the AC or switch to permit access to the DNS server.
    Cause 2: The DNS server fails. To rectify the fault, permit access from all network segments to the pre-authentication domain.
Check Whether DNS Is Configured on the Terminal
If the terminal obtains an IP address using DHCP, DNS is configured automatically. If the terminal accesses the network using a static IP address, you need to configure DNS manually.
For example, in Windows 7, select Internet Protocol Version 4 (TCP/IPv4), click Properties, and set Preferred DNS server and Alternate DNS server, as shown in the following figure.
Quiz
1. Which of the following are Portal authentication modes? ( )
A. Layer 2 authentication
B. Layer 3 authentication
C. Agent authentication
D. Web agent authentication
D. SACG authentication
Summary
Portal Authentication Principles
Portal Authentication Configuration and Deployment
Wired Portal Authentication Configuration and Deployment
Wireless Portal Authentication Configuration and Deployment
Portal Authentication Troubleshooting