The APs are online, and the portal web-server pushes the Sangfor authentication page. Users now reach the authentication page, but logging in with account and password shows "authentication failed", and wired users' accounts get kicked off. See the attachment for the detailed configuration and the error screen.
Topology: AP -- wireless core switch -- wireless controller hanging off the core -- Sangfor AC (authentication server) -- Internet
Best answer
With only one screenshot, it cannot be analyzed.
Are the accounts and passwords stored locally or on a RADIUS server? If it is a third-party server, debug radius to find out where the authentication goes wrong.
version 7.1.064, Release 5226
#
sysname LvZhou-2510H-F
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
telnet server enable
telnet server acl 3011
#
mac-authentication
#
dialer-group 1 rule ip permit
#
dhcp server forbidden-ip 10.69.88.254
dhcp server forbidden-ip 192.168.0.200
dhcp server forbidden-ip 192.168.35.201 192.168.35.254
#
dns proxy enable
dns server 10.191.16.12
dns server 192.168.12.3
#
password-recovery enable
#
vlan 1
description ap
#
vlan 121 to 123
#
vlan 2001
#
stp global enable
#
dhcp server ip-pool ap
gateway-list 10.69.121.1
network 10.69.121.0 mask 255.255.255.0
#
wlan service-template ctg
#
wlan service-template ctg-gust
ssid CTG-guest
vlan 123
portal enable method direct
portal domain sangfor
portal bas-ip 10.69.122.1
portal apply web-server sangfor
#
wlan service-template sanfor
ssid CTG-JX
vlan 122
portal enable method direct
portal domain sangfor
portal bas-ip 10.69.120.2
portal apply web-server sangfor
portal temp-pass enable
service-template enable
#
interface NULL0
#
interface LoopBack0
ip address 10.69.120.50 255.255.255.248
#
interface Vlan-interface121
ip address 10.69.121.1 255.255.255.0
#
interface Vlan-interface122
ip address 10.69.122.2 255.255.255.0
#
interface Vlan-interface123
#
interface Vlan-interface2001
shutdown
ip address 10.69.120.18 255.255.255.248
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
nat outbound 3001
undo dhcp select server
#
interface GigabitEthernet1/0/1
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 2 to 4094
#
interface GigabitEthernet1/0/2
port link-mode bridge
poe enable
#
interface GigabitEthernet1/0/3
port link-mode bridge
poe enable
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-admin
user-role network-operator
protocol inbound telnet
#
line vty 5 31
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 10.69.122.1
#
ntp-service enable
ntp-service unicast-server ***.***
ntp-service unicast-server 202.112.29.82
#
domain sangfor
authentication portal none
authorization portal none
accounting portal none
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user added class manage
password hash $h$6$/fnh8Vt20a3/T4+B$LKfF3Z06Q9E4y5rUM92RUJ3B35Tk7wWBVkHsvgVS5rCAqxkzdQTZwP9ie4BujZzPjKaQZIzB946U7JYvX3sNnQ==
service-type ftp
authorization-attribute user-role level-15
authorization-attribute user-role network-operator
#
local-user addes class manage
authorization-attribute user-role network-operator
#
local-user ctadmin class manage
password hash $h$6$TRuz+TADKaoPLdjF$ORPWiawvsZvuWo6GLPYkab5KChYKb5e0qnEM4P3t98c80aP8V4mQw8PoSJELqv4yl1SxO6MlrKB1iaKYLnmc2Q==
service-type ssh telnet http https
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
local-user shen_yi class manage
password hash $h$6$7jTxENihDCg4uQUr$MYWAksPZkhZH3R+TQ8BWQ499O0bwhXUo3fRaq+wyRJBxigbFCIXdvSP7x8/Uq4asjjKAQhyPLhtshNPyuWiaug==
service-type telnet terminal http
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ftp server enable
#
session statistics enable
#
portal host-check enable
portal user log enable
portal free-rule 1 destination ip 114.114.114.114 255.255.255.255
portal free-rule 2 destination ip any udp 53
portal free-rule 3 destination ip any tcp 53
portal free-rule 4 destination ***.***
portal free-rule 5 destination ***.***
portal free-rule 6 destination ***.***
portal free-rule 7 destination short.weixin.qq.com
portal free-rule 8 destination mp.weixin.qq.com
portal free-rule 9 destination long.weixin.qq.com
portal free-rule 10 destination dns.weixin.qq.com
portal free-rule 11 destination minorshort.weixin.qq.com
portal free-rule 12 destination extshort.weixin.qq.com
portal free-rule 13 destination szshort.weixin.qq.com
portal free-rule 14 destination szlong.weixin.qq.com
portal free-rule 15 destination szextshort.weixin.qq.com
portal free-rule 16 destination ***.***
portal free-rule 17 destination wifi.weixin.qq.com
portal free-rule 18 destination ***.***
portal free-rule 19 destination ***.***
portal free-rule 20 destination ***.***
portal free-rule 21 destination ecss***.***
portal free-rule 22 destination ***.***
portal free-rule 23 destination ***.***
portal free-rule 24 destination ***.***
portal free-rule 25 destination yzl.***.***
portal free-rule 26 destination *.***.***
portal free-rule 2346257225 destination ip any tcp 5223
portal free-rule 2346257239 destination isdspeed.qq.com
portal safe-redirect enable
portal safe-redirect user-agent Android
portal safe-redirect user-agent CaptiveNetworkSupport
portal safe-redirect user-agent MicroMessenger
portal safe-redirect user-agent Mozilla
portal safe-redirect user-agent WeChat
portal safe-redirect user-agent micromessenger
#
portal web-server sangfor
url http://10.68.29.18/cid/8812/portal.html
url-parameter mac source-mac
url-parameter wlanuserip source-address
#
portal server sangfor
ip 10.68.29.18 key cipher $c$3$/HMQ0wcGgj+XtIhmSvuC4nZgg5vzsDV0ElLn
#
portal local-web-server http
#
portal local-web-server https
#
ip http enable
ip https enable
#
portal mac-trigger-server cloud
binding-retry 2 interval 3
cloud-binding enable
#
wlan auto-ap enable
wlan auto-persistent enable
#
wlan global-configuration
#
wlan ap-group default-group
vlan 1
ap-model WA4320
radio 1
radio enable
service-template ctg-gust
service-template sanfor
radio 2
radio enable
service-template ctg-gust
service-template sanfor
gigabitethernet 1
#
wlan ap-group jxc-1
vlan 1
ap jxc-1-4-1
ap jxc-1-4-2
ap-model WA5530
radio 1
radio enable
service-template ctg-gust
service-template sanfor
radio 2
radio enable
service-template ctg-gust
service-template sanfor
radio 3
radio enable
service-template ctg-gust
service-template sanfor
module 1
gigabitethernet 1
gigabitethernet 2
#
wlan ap 98f1-817b-2e40 model WA5530
serial-id 219801A0YF920CG001G8
vlan 1
radio 1
radio enable
service-template sanfor
radio 2
radio enable
service-template sanfor
radio 3
radio enable
service-template sanfor
module 1
gigabitethernet 1
gigabitethernet 2
#
wlan ap jxc-1-4-1 model WA5530
serial-id 219801A0YF920CG001CX
vlan 1
radio 1
service-template sanfor
radio 2
service-template sanfor
radio 3
service-template sanfor
module 1
gigabitethernet 1
gigabitethernet 2
#
wlan ap jxc-1-4-2 model WA5530
serial-id 219801A0YF920CG001FM
vlan 1
radio 1
radio enable
service-template sanfor
radio 2
radio enable
service-template sanfor
radio 3
radio enable
service-template sanfor
module 1
gigabitethernet 1
gigabitethernet 2
#
traffic-policy
#
cloud-management server domain ***.***
#
return
The integration login is failing; here are the troubleshooting points for reference:
1. Check whether the underlying network is reachable.
2. Check whether the portal configuration is correct and whether it points to the portal server.
3. Check whether a security device in the intermediate network is intercepting the traffic.
The network is reachable, the configuration is above, the path is direct, and there is no security device in between.
This AC does not do the authentication; a third party authenticates, and the third party asked us to configure it this way. The other sites have all been configured successfully like this.
Third-party authentication still has to point to the third-party server address.
portal web-server sangfor
url http://10.68.29.18/cid/8812/portal.html
url-parameter mac source-mac
url-parameter wlanuserip source-address
#
portal server sangfor
ip 10.68.29.18 key cipher $c$3$/HMQ0wcGgj+XtIhmSvuC4nZgg5vzsDV0ElLn
#
This specifies the address; the integration uses a key.
That only specifies the address of the portal server.
Please advise; my knowledge in this area is lacking.
https://www.h3c.com/cn/d_202107/1428452_30005_0.htm Refer to the official case study: configure a RADIUS scheme and point it at the authentication server address.
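The RADIUS scheme that the reply above recommends, written out as an added example (not the thread's configuration and not H3C's or Sangfor's own): it assumes the Sangfor server at 10.68.29.18 also answers RADIUS on the standard ports, uses a placeholder shared key, and takes the controller's LoopBack0 address as NAS-IP. The `none` lines in the thread's `domain sangfor` mean the controller checks no credentials against any server, so the portal server cannot decide whether a login succeeds.

```text
# Added example (not from the thread). Assumptions: 10.68.29.18 also runs
# RADIUS on 1812/1813; REPLACE-WITH-SHARED-KEY must match the key configured
# on the Sangfor side; LoopBack0 (10.69.120.50) is used as the NAS-IP.
radius scheme sangfor
 primary authentication 10.68.29.18 1812
 primary accounting 10.68.29.18 1813
 key authentication simple REPLACE-WITH-SHARED-KEY
 key accounting simple REPLACE-WITH-SHARED-KEY
 user-name-format without-domain
 nas-ip 10.69.120.50
#
# Before (as in the running configuration above): the domain performs no
# authentication, authorization or accounting for portal users at all.
# domain sangfor
#  authentication portal none
#  authorization portal none
#  accounting portal none
#
# After: portal AAA for this domain is handed to the RADIUS scheme.
domain sangfor
 authentication portal radius-scheme sangfor
 authorization portal radius-scheme sangfor
 accounting portal radius-scheme sangfor
#
# Verification from the controller: confirm the server is reachable from the
# NAS-IP, then watch the RADIUS exchange while a client logs in.
# ping -a 10.69.120.50 10.68.29.18
# display radius scheme sangfor
# terminal monitor
# terminal debugging
# debugging radius packet
# display portal user all
```

The debug output shows whether the Access-Request leaves the controller and whether the server answers with Access-Accept or Access-Reject, which separates a key mismatch or unreachable server from a rejected account.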
OK, thank you.