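1. After collecting the diagnostic information, the configuration was checked first. Compared with the fixed-account authentication configuration in the Cloudnet (云简) platform authentication manual on the official website, no problems were found.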
#
wlan service-template 5
description ceshi
ssid ceshi
vlan 255
client forwarding-location ap
portal enable method direct
portal domain cloud
portal apply web-server 5
portal temp-pass period 20 enable
service-template enable
#
domain name cloud
authorization-attribute idle-cut 30
authorization-attribute session-timeout 360
authentication portal none
authorization portal none
accounting portal none
#
portal host-check enable
portal client-gateway interface Vlan-interface1
portal free-rule 2346257224 destination open.weixin.qq.com
portal free-rule 2346257225 destination ip any tcp 5223
portal free-rule 2346257226 destination ip 114.114.114.114 255.255.255.255
portal free-rule 2346257227 destination ip any udp 53
portal free-rule 2346257228 destination ip any tcp 53
portal free-rule 2346257229 destination oasisauth.h3c.com
portal free-rule 2346257230 destination short.weixin.qq.com
portal free-rule 2346257231 destination mp.weixin.qq.com
portal free-rule 2346257232 destination long.weixin.qq.com
portal free-rule 2346257233 destination dns.weixin.qq.com
portal free-rule 2346257234 destination minorshort.weixin.qq.com
portal free-rule 2346257235 destination extshort.weixin.qq.com
portal free-rule 2346257236 destination szshort.weixin.qq.com
portal free-rule 2346257237 destination szlong.weixin.qq.com
portal free-rule 2346257238 destination szextshort.weixin.qq.com
portal free-rule 2346257239 destination isdspeed.qq.com
portal free-rule 2346257240 destination ***.***
portal free-rule 2346257241 destination long.open.weixin.qq.com
portal free-rule 2346257242 destination res.wx.qq.com
portal free-rule 2346257243 destination wifi.weixin.qq.com
portal safe-redirect enable
portal safe-redirect user-agent Android
portal safe-redirect user-agent CaptiveNetworkSupport
portal safe-redirect user-agent MicroMessenger
portal safe-redirect user-agent Mozilla
portal safe-redirect user-agent WeChat
portal safe-redirect user-agent micromessenger
#
portal web-server 5
url http://oasisauth.h3c.com/portal/protocol
server-type oauth
url-parameter template_id value 586627
if-match user-agent CaptiveNetworkSupport redirect-url http://oasisauth.h3c.com/generate_404
if-match user-agent Dalvik/2.1.0(Linux;U;Android7.0;HUAWEI redirect-url http://oasisauth.h3c.com/generate_404
if-match original-url http://10.168.168.168 temp-pass
if-match original-url http://captive.apple.com user-agent Mozilla temp-pass redirect-url http://oasisauth.h3c.com/portal/protocol
if-match original-url ***.***/wifi/echo temp-pass redirect-url http://oasisauth.h3c.com/generate_404
if-match original-url http://www.apple.com user-agent Mozilla temp-pass redirect-url http://oasisauth.h3c.com/portal/protocol
#
portal local-web-server http
#
portal local-web-server https
#
ip http enable
ip https port 8668
ip https enable
#
portal mac-trigger-server cloud
binding-retry 2 interval 3
cloud-binding enable
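2. According to the Cloudnet platform authentication manual, there are two solutions for APs that register across the public network: the "configure CMCC" solution and the "change the HTTP service port" solution. By default, the device provides its HTTP service on port 80, and a client performing cloud authentication must interact with the device through this port. If the operator's APs register with the AC or router across the public network, the APs forward client data traffic locally, and the operator cannot obtain an externally reachable port 80 for the AC or router, additional configuration is required on the AC or router and on other related devices in the network.
The configuration shows that solution 1 was chosen.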
#
portal server cloud
ip 101.36.161.146
server-type cmcc
server-register interval 60
The on-site engineers were asked to change the solution as follows:
#
portal web-server cloud
url http://oasisauth.h3c.com/portal/protocol?redirect_uri=http://182.XXX.XXX.XXX:8088/portal/cloudlogin.html
#
ip http port 8088
#
portal local-web-server http
tcp-port 8088
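However, after testing, the fault persisted.
3. The TCP connection information between the AC and Cloudnet was checked, and an anomaly was found: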
[3540X] display tcp verbose | b portal
......
Creator: portald[5679]
State: ISCONNECTED
Options: SO_SEQPACKET
Error: 0
Receiving buffer(cc/hiwat/lowat/drop/state): 14105114 / 130560 / 1 / 0 / N/A
Sending buffer(cc/hiwat/lowat/state): 4273052596 / 131070 / 512 / N/A
Type: 1
Protocol: 6
Inpcb flags: INP_ANONPORT INP_SYNCPCB
Inpcb extflag: N/A
Inpcb vflag: INP_IPV4
TTL: 255(minimum TTL: 0)
Connection state: ESTABLISHED
TCP options: TF_NODELAY TF_REQ_SCALE TF_RCVD_SCALE TF_REQ_TSTMP TF_SACK_PERMIT
NSR state: CLOSED(M)
Send VRF: 0x0
Receive VRF: 0x0
Connection info: Src =101.202.6.3:16270, Dst = 101.36.161.143:443 //The AC has established a connection to the wrong Cloudnet IP address and port
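The check above identifies the cause of the fault: the AC had established a connection to the wrong Cloudnet IP address and port. The correct Cloudnet IP address and port at present should be 101.36.161.146:80.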
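
The check in step 3, written as an added example that is not part of the original case: a Python script that parses saved "display tcp verbose" output and reports established portald connections whose peer is not the expected Cloudnet endpoint. It assumes each connection block is laid out as in the output above (Creator first, Connection info last); the sample text and the function names are constructed for illustration.

```python
import re

# Expected cloud endpoint, as stated in the conclusion of this case.
EXPECTED_DST = ("101.36.161.146", 80)

# Constructed sample: blocks trimmed to the fields used here, laid out as in
# the output above (Creator first, Connection info last). The httpd block is
# invented for contrast.
SAMPLE = """\
Creator: portald[5679]
State: ISCONNECTED
Connection state: ESTABLISHED
Connection info: Src =101.202.6.3:16270, Dst = 101.36.161.143:443
Creator: httpd[1234]
Connection state: ESTABLISHED
Connection info: Src = 192.0.2.1:8088, Dst = 192.0.2.50:51000
"""

CREATOR_RE = re.compile(r"Creator:\s*(\w+)\[\d+\]")
STATE_RE = re.compile(r"Connection state:\s*(\S+)")
INFO_RE = re.compile(r"Connection info:.*?Dst\s*=\s*([\d.]+):(\d+)", re.I)


def parse_connections(text):
    """Return one dict per block; a block ends at its 'Connection info' line."""
    conns, cur = [], {}
    for line in text.splitlines():
        if m := CREATOR_RE.search(line):
            cur["creator"] = m.group(1)
        elif m := STATE_RE.search(line):
            cur["state"] = m.group(1)
        elif m := INFO_RE.search(line):
            cur["dst"] = (m.group(1), int(m.group(2)))
            conns.append(cur)
            cur = {}
    return conns


def wrong_portal_peers(text, expected=EXPECTED_DST, creator="portald"):
    """Established connections owned by `creator` whose peer is not `expected`."""
    return [c["dst"] for c in parse_connections(text)
            if c.get("creator") == creator
            and c.get("state") == "ESTABLISHED"
            and c["dst"] != expected]


if __name__ == "__main__":
    for ip, port in wrong_portal_peers(SAMPLE):
        print(f"portald connected to {ip}:{port}, expected "
              f"{EXPECTED_DST[0]}:{EXPECTED_DST[1]}")
```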