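Our AC acts as the access device and interworks with a third-party server to provide wireless remote portal authentication.
After connecting to the wireless network, users are redirected to the authentication page, but portal authentication fails after they enter a username and password. The symptoms are as follows:
1) Running dis portal packet statistics several times shows that the Errors count for ACK_AUTH packets keeps increasing: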
[ac]dis portal packet statistics
Portal server : drcom
Invalid packets: 17
Pkt-Type Total Drops Errors
REQ_CHALLENGE 0 0 0
ACK_CHALLENGE 0 0 0
REQ_AUTH 12 0 0
ACK_AUTH 12 0 12
REQ_LOGOUT 5 0 0
ACK_LOGOUT 5 0 5
AFF_ACK_AUTH 0 0 0
NTF_LOGOUT 0 0 0
REQ_INFO 0 0 0
ACK_INFO 0 0 0
[ac]dis portal packet statistics
Portal server : drcom
Invalid packets: 18
Pkt-Type Total Drops Errors
REQ_CHALLENGE 0 0 0
ACK_CHALLENGE 0 0 0
REQ_AUTH 13 0 0
ACK_AUTH 13 0 13
REQ_LOGOUT 5 0 0
ACK_LOGOUT 5 0 5
AFF_ACK_AUTH 0 0 0
NTF_LOGOUT 0 0 0
REQ_INFO 0 0 0
ACK_INFO 0 0 0
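2) Focus on the debug portal packet output around the ACK_AUTH packet. The ack_auth packet has ErrCode 1, which means authentication failed. In the preceding packet of the exchange, req_auth, the IP address is 0.0.0.0; normally the IP address in this packet should be the user's IP address: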
*Aug 1 19:21:05:623 2021 ac PORTAL/7/PACKET:
Portal received 53 bytes of packet: Type=req_auth(3), ErrCode=0, IP=0.0.0.0
*Aug 1 19:21:05:623 2021 ac PORTAL/7/PACKET:
[ 1 USERNAME ] [ 19] [00-00-00-00-00-00]
[ 2 PASSWORD ] [ 18] [******]
*Aug 1 19:21:05:623 2021 ac PORTAL/7/PACKET:
01 03 01 00 9a 7b 00 00 00 00 00 00 00 00 00 02
01 13 30 30 2d 30 30 2d 30 30 2d 30 30 2d 30 30
2d 30 30 02 12 36 31 66 62 61 65 31 63 61 36 38
65 39 36 39 36
*Aug 1 19:21:05:623 2021 ac PORTAL/7/PACKET:
Portal sent 16 bytes of packet: Type=ack_auth(4), ErrCode=1, IP=0.0.0.0
*Aug 1 19:21:05:623 2021 ac PORTAL/7/PACKET:
01 04 01 00 9a 7b 00 00 00 00 00 00 00 00 01 00
%Aug 1 19:21:09:230 2021 ac STAMGR/6/STAMGR_CLIENT_OFFLINE: Client 64a2-0054-4b8c went offline from BSS b044-148b-7810 with SSID zstest on AP test Radio ID 2. State changed to Unauth. Reason: Received deauthentication frame in Run state: reason code=3
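3) Because the user IP address in the req_auth packet is 0.0.0.0, we suspected that the user IP address parameter was not configured on the AC.
Check the access device configuration: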
#
portal web-server drcom
url http://10.255.0.6/?url_id=1625771
url-parameter wlanuserip source-address
url-parameter wlanusermac source-mac
#
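The H3C access device does carry the user address in a URL parameter, so we then suspected that the server lacked the corresponding configuration. Checking the URL parameters on the server side showed that userip was configured there as well:
Looking again at the details of the url-parameter command on the access device shows that wlanuserip is a user-defined parameter name. The device side uses wlanuserip and the server side uses userip, so the two parameter names do not match:
[Command]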
url-parameter param-name { nas-id | nas-port-id | original-url | source-address | ssid | { ap-mac | source-mac } [ format section { 1 | 3 | 6 } { lowercase | uppercase } ] [ encryption { aes | des } key { cipher | simple } string ] | value expression | vlan }
undo url-parameter param-name
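[Default]
No parameters are configured to be carried in the URL of the Portal Web server to which the device redirects users.
After the user IP address item on the server side was changed to wlanuserip, authentication returned to normal.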
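
The check from step 2 can be repeated offline on captured portal packets. The following is an added example, not H3C or Dr.COM code: it decodes the req_auth and ack_auth bytes copied from the debug output above and reports the two symptoms this case hinges on. The 16-byte header layout and the names parse_portal and findings are assumptions, chosen to match the fields the debug lines print (Type, ErrCode, IP, attribute list).

```python
import ipaddress
import struct

# Bytes copied from the debug portal packet output in step 2.
REQ_AUTH = bytes.fromhex(
    "01030100 9a7b0000 00000000 00000002"
    "0113 30302d30302d30302d30302d30302d3030"
    "0212 36316662616531636136386539363936")
ACK_AUTH = bytes.fromhex("01040100 9a7b0000 00000000 00000100")

# Assumed 16-byte header: version, type, auth mode, reserved, serial no,
# request id, user IP, user port, error code, attribute count.
HEADER = struct.Struct("!BBBBHH4sHBB")
TYPE_NAMES = {3: "req_auth", 4: "ack_auth"}  # values shown in the debug output
PASSWORD_ATTR = 2                            # "[ 2 PASSWORD ]" in the debug output


def parse_portal(pkt):
    """Decode the header and TLV attributes of one portal packet."""
    if len(pkt) < HEADER.size:
        raise ValueError("packet shorter than portal header")
    _ver, ptype, _auth, _rsv, serial, _req, ip, _port, err, nattr = HEADER.unpack_from(pkt)
    attrs, off = [], HEADER.size
    for _ in range(nattr):
        if off + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]  # length includes the 2-byte TLV header
        if alen < 2 or off + alen > len(pkt):
            raise ValueError("bad attribute length")
        value = pkt[off + 2:off + alen].decode("ascii", "replace")
        # Mask the password the same way the device debug line does.
        attrs.append((atype, "******" if atype == PASSWORD_ATTR else value))
        off += alen
    return {"type": TYPE_NAMES.get(ptype, str(ptype)), "serial": serial,
            "user_ip": str(ipaddress.IPv4Address(ip)), "err_code": err, "attrs": attrs}


def findings(msg):
    """Return the symptoms seen in this case, if the packet shows them."""
    out = []
    if msg["type"] == "req_auth" and msg["user_ip"] == "0.0.0.0":
        out.append("req_auth has no user IP: compare the user-IP url-parameter name on AC and server")
    if msg["type"] == "ack_auth" and msg["err_code"] != 0:
        out.append("ack_auth ErrCode=%d: authentication rejected" % msg["err_code"])
    return out


if __name__ == "__main__":
    for raw in (REQ_AUTH, ACK_AUTH):
        msg = parse_portal(raw)
        print(msg, findings(msg))
```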