How to do if portal page doesn't pop up when doing Ruijie WLAN web authentication?

1. Issue Description
A portal page pop-up exception occurs in Ruijie WLAN web authentication scenarios.

2. Possible Cause Analysis

• Incorrect AP/AC configuration
• Client wireless association failures
• Portal server redirection failures
• Client wireless network exceptions
• Portal page pop-up blocked by the client
• Special requirements of the portal server onthe format of the redirected URL
  

3. Troubleshooting
3.1 Incorrect AP/AC Configuration

The following example describes the key configurations (including authentication and portal parameters) for the AP external portal (Aruba ClearPass).
Configuring External Portal Web Authentication Parameters

(1) Configure the RADIUS authentication server.
AC(config)# radius-server host 172.29.25.130 key Ruijie@123

(2) Configure the AAA method list.
AC(config)# aaa new-model
AC(config)# aaa group server radiusaruba_radius
AC(config-gs-radius)# server 172.29.25.130
AC(config-gs-radius)# exit
AC(config)# aaa authentication cpweb arubagroup aruba_radius
AC(config)# aaa accounting network arubastart-stop group aruba_radius
AC(config)# aaa authentication dot1x arubagroup aruba_radius

(3) Configure HTTP service parameters (required only for ClearPass).
AC(config)# web-auth auth-server ip 1.1.1.1
AC(config)# web-auth auth-server http
AC(config)# web-auth auth-server submit-url http://1.1.1.1:8082/login

*Note
In this step, the IP address “1.1.1.1” is configured as the HTTP service IP for the access device, which is used for redirecting authentication messages during the authentication process.
It cannot be set to theauthentication-free IP address of the access device. To ensure network security, you are not advised to set it to the real IP address of the access device, but should set it to a virtual IP address.

(4) Configure the web authentication template used to interwork with the Aruba Clear Pass server.
AC(config)# web-auth template cpweb
AC(config.tmplt.cpweb)# ip 172.29.25.130
AC(config.tmplt.cpweb)# url http://172.29.25.130/guest/web_login.php
AC(config.tmplt.cpweb)# exit

*Caution
The web authentication template configured on the access device is “cpweb”,which is specifically used for integrating with the Aruba ClearPass server.
The web_login keyword in the URLof the cpweb authentication template must be the same as the Page name in ClearPass. Otherwise, the wireless client cannot obtain the webauthentication login page.
Configuring External Portal Web Authentication
AC(config)# wlansec 1000
AC(config-wlansec)# dot1x-mab
AC(config-wlansec)# dot1x authentication aruba
AC(config-wlansec)# dot1x accounting aruba
AC(config-wlansec)# web-auth accounting cpwebaruba
AC(config-wlansec)# web-auth authenticationcpweb aruba
AC(config-wlansec)# web-auth portal cpweb
AC(config-wlansec)# webauth
AC(config-wlansec)# exit
AC(config)# exit
*Note

The following three commands are used toconfigure MAC address-based authentication.

dot1x-mab

dot1x authentication aruba

dot1x accounting aruba

3.2 Wireless Client Association Failures

• Check if a client can connect to the wireless network (for the web authentication scenario, configure the SSID as Open). Youare advised to enable term m on the AP. When the client connects, check the print information on the device to see if the connection fails during the wireless association phase.
• Check if the client obtains an IP address. Before web authentication, the client needs to obtain an IP address. If the client does not obtain an IP address, check whether the DHCP server and VLAN configurations between the DHCP server and client are correct.
3.3 Portal Server Redirection Failures

Identification methods:
In the external portal scenario, the Ruijie AP or AC functions as the NAS device to intercept traffic, identify client HTTP and HTTPS traffic, trigger redirection, and construct redirection URLs. The authentication process varies depending on the interconnected external portal servers. The following figure takes Ruijie ePortal V2 as an example.
Note: The widely used web authentication solution in China is Portal authentication from China Mobile. The authentication process differs from that of ClearPass.


Totroubleshoot web page pop-up exceptions, first determine if the portal page popsup.
1. If the URL in the browser on the PC automatically redirects to the portal server’s URL, it indicates that the Ruijie AP or AC redirection is functioning correctly.
2. On mobile devices, if you test through a browser, you can also check for URL redirection. If there is no redirection, you need to capture packets or collect debug information from the Ruijie AP/AC to investigate.
Run the debug command on the Ruijie AP or AC and collect debugging information.

SQL Term m Ter le 0 debug web-auth log-limit 1000 debug web-auth httprd

In the following log example, 1 indicates the HTTP URL intercepted by the Ruijie AP or AC, and 2 indicates the constructed redirection URL.

Possible Causes of Redirection Failures
DNS resolution issues can prevent the client from generating HTTP/HTTPS traffic, leading to a failure in triggering redirection.
You can use ping to test the domain and check if it resolves to an IP address, or capture packets on the client (PC) to analyze whether the DNS responses for the domain requests are correct. If the resolution is abnormal, check the connectivity between the client and the DNS server.
The traffic from the terminal is HTTPS and noHTTPS redirection is configured.
To trigger redirection for HTTPS traffic, run the following command:
http redirect port 443
3.4 Client Wireless Network Exceptions

• If the network between the client and theportal server is abnormal, and the environment is still in the deployment phase(with no formal business operations underway), try bypassing web authentication and accessing the portal server address directly in the browser. If access fails, check the network or portal server.
3.5 Portal Page Pop-Up Blocked by the Client

Enter an IP address like 4.4.4.4 to see if the authentication page appears. If it does, the issue might be with the client. In this case, try replacing the client and test again. If the page does not appear, run the debug web-auth httprd command to check for redirection logs. If logs aregenerated, try replacing the client and test again.
3.6 Special Requirements of the Portal Server on the Format of the Redirected URL
The portal page pops up (indicating correct redirection), but an error occurs when trying to access the URL.
This may be because the portal server has special requirements on the format of the URL accessed by a client after redirection. You need to customize the URL format accordingly.
Configuration example:
Configure redirection URL parameters including the IP address, MAC address, NAS IPaddress, SSID, and URL in cleartext.
Hostname(config.tmplt.eportalv2)#fmt custom encry none user-ip userip user-mac usermac mac-format  none nas-ip nasip ssid ssid url firsturl