1. Issue Description

A portal page pop-up exception occurs in Ruijie WLAN web authentication scenarios.

2. Possible Cause Analysis
3.1 Incorrect AP/AC Configuration

The following example describes the key configurations (including authentication and portal parameters) for the AP external portal (Aruba ClearPass).

Configuring External Portal Web Authentication Parameters

(1) Configure the RADIUS authentication server.

AC(config)# radius-server host 172.29.25.130 key Ruijie@123

(2) Configure the AAA method list.

AC(config)# aaa new-model
AC(config)# aaa group server radius aruba_radius
AC(config-gs-radius)# server 172.29.25.130
AC(config-gs-radius)# exit
AC(config)# aaa authentication cpweb aruba group aruba_radius
AC(config)# aaa accounting network aruba start-stop group aruba_radius
AC(config)# aaa authentication dot1x aruba group aruba_radius

(3) Configure HTTP service parameters (required only for ClearPass).

AC(config)# web-auth auth-server ip 1.1.1.1
AC(config)# web-auth auth-server http
AC(config)# web-auth auth-server submit-url http://1.1.1.1:8082/login

*Note
In this step, the IP address "1.1.1.1" is configured as the HTTP service IP for the access device, which is used for redirecting authentication messages during the authentication process. It cannot be set to the authentication-free IP address of the access device. To ensure network security, you are advised not to set it to the real IP address of the access device; set it to a virtual IP address instead.

(4) Configure the web authentication template used to interwork with the Aruba ClearPass server.

AC(config)# web-auth template cpweb
AC(config.tmplt.cpweb)# ip 172.29.25.130
AC(config.tmplt.cpweb)# url http://172.29.25.130/guest/web_login.php
AC(config.tmplt.cpweb)# exit

*Caution
The web authentication template configured on the access device is "cpweb", which is specifically used for integrating with the Aruba ClearPass server. The web_login keyword in the URL of the cpweb authentication template must be the same as the Page name in ClearPass. Otherwise, the wireless client cannot obtain the web authentication login page.
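A consistency check for the note and caution above, as an added example that is not Ruijie tooling or part of the original post. `device_ips` and `clearpass_page_name` are hypothetical operator-supplied inputs, the RADIUS key is replaced by a placeholder, and the page name is assumed to be the URL file name without `.php`.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the key lines from the configuration above.
SAMPLE_CONFIG = """\
radius-server host 172.29.25.130 key <redacted>
aaa group server radius aruba_radius
 server 172.29.25.130
web-auth auth-server ip 1.1.1.1
web-auth auth-server http
web-auth auth-server submit-url http://1.1.1.1:8082/login
web-auth template cpweb
 ip 172.29.25.130
 url http://172.29.25.130/guest/web_login.php
"""

def first(pattern, text):
    """Return the first captured group of pattern in text, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None

def lint_portal_config(config, device_ips, clearpass_page_name):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    radius = first(r"^radius-server host (\S+)", config)
    group_server = first(r"^ +server (\S+)", config)
    auth_ip = first(r"^web-auth auth-server ip (\S+)", config)
    submit = first(r"^web-auth auth-server submit-url (\S+)", config)
    tmpl_ip = first(r"^ +ip (\S+)", config)
    tmpl_url = first(r"^ +url (\S+)", config)
    if radius != group_server:
        findings.append("AAA group server differs from radius-server host")
    # Note in step (3): the HTTP service IP should be virtual, not a real one.
    if auth_ip in device_ips:
        findings.append("auth-server ip is a real device address; use a virtual IP")
    if submit and urlparse(submit).hostname != auth_ip:
        findings.append("submit-url host differs from auth-server ip")
    if tmpl_url:
        u = urlparse(tmpl_url)
        # Assumption: page name = last path component minus ".php".
        page = u.path.rsplit("/", 1)[-1].removesuffix(".php")
        if u.hostname != tmpl_ip:
            findings.append("template url host differs from template ip")
        if page != clearpass_page_name:
            findings.append(f"url page '{page}' != ClearPass page '{clearpass_page_name}'")
    return findings
```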
Configuring External Portal Web Authentication

AC(config)# wlansec 1000
AC(config-wlansec)# dot1x-mab
AC(config-wlansec)# dot1x authentication aruba
AC(config-wlansec)# dot1x accounting aruba
AC(config-wlansec)# web-auth accounting cpweb aruba
AC(config-wlansec)# web-auth authentication cpweb aruba
AC(config-wlansec)# web-auth portal cpweb
AC(config-wlansec)# webauth
AC(config-wlansec)# exit
AC(config)# exit

*Note
The following three commands are used to configure MAC address-based authentication.

dot1x-mab
dot1x authentication aruba
dot1x accounting aruba

3.2 Wireless Client Association Failures

• Check if a client can connect to the wireless network (for the web authentication scenario, configure the SSID as Open). You are advised to enable term m on the AP. When the client connects, check the print information on the device to see if the connection fails during the wireless association phase.
• Check if the client obtains an IP address. Before web authentication, the client needs to obtain an IP address. If the client does not obtain an IP address, check whether the DHCP server and VLAN configurations between the DHCP server and client are correct.

3.3 Portal Server Redirection Failures

Identification methods:

In the external portal scenario, the Ruijie AP or AC functions as the NAS device to intercept traffic, identify client HTTP and HTTPS traffic, trigger redirection, and construct redirection URLs. The authentication process varies depending on the interconnected external portal servers. The following figure takes Ruijie ePortal V2 as an example.

Note: The widely used web authentication solution in China is Portal authentication from China Mobile. The authentication process differs from that of ClearPass.

To troubleshoot web page pop-up exceptions, first determine if the portal page pops up.

1. If the URL in the browser on the PC automatically redirects to the portal server's URL, it indicates that the Ruijie AP or AC redirection is functioning correctly.
2. On mobile devices, if you test through a browser, you can also check for URL redirection.

If there is no redirection, you need to capture packets or collect debug information from the Ruijie AP/AC to investigate. Run the debug command on the Ruijie AP or AC and collect debugging information.
Possible Causes of Redirection Failures

• DNS resolution issues can prevent the client from generating HTTP/HTTPS traffic, leading to a failure in triggering redirection. You can use ping to test the domain and check if it resolves to an IP address, or capture packets on the client (PC) to analyze whether the DNS responses for the domain requests are correct. If the resolution is abnormal, check the connectivity between the client and the DNS server.
• The traffic from the terminal is HTTPS and no HTTPS redirection is configured. To trigger redirection for HTTPS traffic, run the following command:

http redirect port 443

3.4 Client Wireless Network Exceptions

• If the network between the client and the portal server is abnormal, and the environment is still in the deployment phase (with no formal business operations underway), try bypassing web authentication and accessing the portal server address directly in the browser. If access fails, check the network or portal server.

3.5 Portal Page Pop-Up Blocked by the Client

Enter an IP address like 4.4.4.4 to see if the authentication page appears. If it does, the issue might be with the client. In this case, try replacing the client and test again. If the page does not appear, run the debug web-auth httprd command to check for redirection logs. If logs are generated, try replacing the client and test again.

3.6 Special Requirements of the Portal Server on the Format of the Redirected URL

The portal page pops up (indicating correct redirection), but an error occurs when trying to access the URL. This may be because the portal server has special requirements on the format of the URL accessed by a client after redirection. You need to customize the URL format accordingly.

Configuration example: Configure redirection URL parameters including the IP address, MAC address, NAS IP address, SSID, and URL in cleartext.

Hostname(config.tmplt.eportalv2)# fmt custom encry none user-ip userip user-mac usermac mac-format none nas-ip nasip ssid ssid url firsturl
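
To confirm that a captured redirect matches the format configured above, the following added example (not from the original post or from Ruijie) checks the query string of a redirect URL. It assumes the words after each keyword in the fmt custom line (userip, usermac, nasip, ssid, firsturl) are the query parameter names and that "mac-format none" yields 12 hex digits without separators; the sample URLs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse, parse_qs

# Parameter names assumed from the fmt custom line above.
REQUIRED = ("userip", "usermac", "nasip", "ssid", "firsturl")

def check_redirect_url(location):
    """Validate a captured redirect URL; return a list of problems found."""
    params = parse_qs(urlparse(location).query, keep_blank_values=True)
    get = lambda key: params.get(key, [""])[0]
    problems = [f"missing parameter: {k}" for k in REQUIRED if not get(k)]
    for key in ("userip", "nasip"):
        value = get(key)
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{key} is not an IP address: {value}")
    mac = get("usermac")
    # Assumption: "mac-format none" means 12 hex digits with no separators.
    if mac and not re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
        problems.append(f"usermac is not 12 bare hex digits: {mac}")
    first = get("firsturl")
    if first and urlparse(first).scheme not in ("http", "https"):
        problems.append(f"firsturl is not an http(s) URL: {first}")
    return problems

# Constructed sample redirect URLs (not captured from a real device).
GOOD = ("http://portal.example/login?userip=10.0.0.23"
        "&usermac=0011223344ff&nasip=172.29.25.1&ssid=guest"
        "&firsturl=http%3A%2F%2Fexample.com%2F")
BAD = ("http://portal.example/login?userip=10.0.0.23"
       "&usermac=00:11:22:33:44:ff&ssid=guest&firsturl=example.com")

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_redirect_url(url) or "ok")
```

With "encry none" these values travel in cleartext, so the URL can be read directly from a client-side packet capture and passed to the check.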