Agile Controller authentication section

1 802.1X authentication operation guide
1.1 Logging in to Agile Controller
Log in at https://10.10.10.100:8443

Configuration Roadmap

1.2 Add Device
Resource> Device Manager> Add
<AC6605> display accounting-scheme acco_scheme

1.3 Setting Policy
1.3.1 Define authentication rules

1.3.2 Define authorization results

1.3.3 Define authorization rules

2 Portal authentication operation guide

2.1 Add Device
Resource> Device Manager> Add

2.2 Add SSID

2.3 Setting Policy
2.3.1 Define authentication rules

2.3.2 Define authorization results

2.3.3 Define authorization rules
The authorization rule references the authentication rule and the authorization result defined above.

2.4 Customizing the portal page

2.5 Setting the portal push policy

2.6 Setting MAC priority

3 MAC-free operation guide
3.1 Adding a device group

3.2 Adding the MAC device group

3.3 Setting Policy
3.3.1 Adding authentication rules (bypass deployment)

3.3.2 Add authorization result

3.3.3 Add authorization rules

4 SMS authentication operation guide
4.1 AC configuration
Complete the basic Portal authentication configuration on the AC.
4.2 Agile Controller configuration
Add the access device on Agile Controller: select "Resources -> Device -> Device Manager" and click Add.
Configure the SMS server so that the system can send text messages: select "system> server configuration> SMS server configuration" and set the parameters of the SMS server.

Http address: http://189.180.0.130:8889/httpsmstest/HttpTest
Change the IP address to that of the current computer (the computer on which httptest is installed);
attribute: password} = {PASSWORD
the userName = SA
to telephoneNumber} = {
Content = {MSGCONTENT}
password: sa;
success identifier: OK;
Configure the guest account policy: choose "policies> access control> visitor management> Guest account policies".

Customize the authentication page so that visitors who access the network without authorization are automatically redirected to the visitor authentication page: select "Policies> Access Control> Page Customization> Page Customization", click Add, and select the phone fast authentication template.

Configure the Portal page push policy to push the customized authentication page to visitors: select "Policies> Access Control> Page Customization> Portal page push policy" and click "Add" to set the Portal page push policy.

If the post-authentication redirect is set to continue to the originally requested page, the value of the "redirect-url" field configured on the AC must be "url".

4.3 Httptest configuration
Install Httptest, open the bin folder, and run startup.bat to start the program.

The terminal associates with the wireless signal and accesses the Internet, and the visitor is redirected to the authentication page. The visitor enters the phone number and clicks "Get password"; the password is received in the Httptest software. The visitor then enters the phone number and password and clicks "login", and the page automatically jumps to the page requested before authentication.

5 Portal QR-code approval operating instructions
5.1 Define the account access policy

5.2 Page customization

5.3 Setting the portal push policy

5.4 Approval account records

6 Portal mail push operating instructions
6.1 Mailbox settings

6.2 Policy settings

7 Global Settings
7.1 User name and password settings

Backups made with the backup and recovery tool can be restored only with that tool; they cannot be restored manually.

  1. Get "Agile_Controller-Campus_xxx_MaintainTool_Windows.zip" from the Enterprise Technical Support Web site or CD.
  2. After extracting it, run "MaintainTool.bat".
  3. Click "Run backup and recovery tool."

  1. Obtain the License failure code on the old Agile Controller-Campus.
    Log in to the old Agile Controller-Campus management interface and select "System> License Management> License View."
    Click "failure License" to obtain the failure code.
  2. Obtain the ESN on the new Agile Controller-Campus.
    Log in to the new Agile Controller-Campus management interface and select "System> License Management> License View."
    Click "Get ESN".
  3. Using the failure code and the new server's ESN, obtain a new License file from the ISDP website.
    Log in to http://app.huawei.com/isdp.
    In the left menu, select "License debugging and maintenance> ESN change."
    Enter the failure code and click "verification failure code."

<HUAWEI> ftp 192.168.1.1 // enter the username and password; both can be set in IPOP
[ftp] put vrpcfg.zip // the storage path can be checked on the FTP server side, for example D:\S7706_CFG

Access scenario: operation to cancel admission control
802.1X
  1. Force online users offline.
    In the AAA view, run cut access-user interface interface-type interface-number, where interface-type interface-number is the authentication control interface.
  2. Disable 802.1X authentication globally.
    In the system view, run undo dot1x enable.
Portal
    In the system view, run portal free-rule 0 destination any source any.
SACG
    On the firewall, select "Network> SACG> Basic Configuration", enable "state detection server", and set "the minimum number of active servers" to 1.

The Portal authentication page does not open on the terminal, but the terminal can access "http://Portal Server-IP:8080/portal".
Possible causes
Because the terminal can reach the Portal server directly by IP address, the network connection between the terminal and the Portal server is normal. The Portal authentication page may fail to open for these reasons:
The Portal server template is not bound to the VLANIF interface on the access control device.
The URL of the Portal authentication page in the URL template on the access control device is incorrect, so the switch / AC cannot redirect the terminal's HTTP request to the Portal server.
The terminal accesses an HTTPS site before it has been authenticated.
The DNS server is not permitted in the pre-authentication domain, so the terminal cannot reach the DNS server before authentication and cannot resolve domain names.
No DNS server is configured on the terminal, so the terminal cannot resolve domain names and cannot generate the HTTP traffic that triggers the Portal authentication page.

After Portal authentication succeeds, the terminal may be unable to access the post-authentication domain for these reasons:
The ACL on the access control device that permits post-authentication domain resources is configured incorrectly.
The terminal's IP address has not been added to the IP address pool under the access control device's jurisdiction.
NAT is present between the terminal and the Service Controller.

Users drop offline from time to time
Run dis aaa abnormal-offline-record mac <HHH> on the access control device to view the reason the user went offline.
If the offline reason displayed is Web user request, troubleshoot as follows:

  1. Check whether the authentication success page was closed after the terminal authenticated, or whether the "wireless Web access terminal authentication session timeout" that the administrator set on Agile Controller-Campus is too short.
    • On a desktop terminal, the authentication success page must not be closed; otherwise the end user is dropped and can no longer access network resources in the post-authentication domain. The Web browser periodically sends a heartbeat packet to the Portal server (the heartbeat period can be configured in the global parameters). If the authentication page is closed, the browser can no longer send heartbeat packets to the Portal server, the end user's session times out, and the user is forced offline.
    • On a mobile terminal, if the authentication success page is closed before the session times out, how long the user stays online depends on the "wireless Web access terminal authentication session timeout" that the administrator configures in the global parameters. If that timeout is set too short, the user goes offline as soon as it is reached.

    If the administrator enables MAC-priority Portal authentication, the Portal server automatically retains the end user's MAC address and SSID. If the authentication success page is closed while the MAC-priority Portal authentication session is still valid, the AC automatically uses the terminal's MAC address to initiate MAC authentication with the Portal server, so access to network resources in the post-authentication domain is not affected.
    For the MAC-priority Portal authentication configuration, refer to the wireless access environment Portal (including priority MAC).

  2. Check whether Agile Controller-Campus is configured to limit how long users can stay online.
    Log in to Agile Controller-Campus, select "System> Terminal Parameter Configuration> local parameter", and check whether the duration set in "user online time limit" is reasonable.

Two accounts kick each other offline
Under "System> Terminal Parameter Configuration> local parameter", the administrator has configured "access the same account number Control", with "maximum access" set to "1" and "maximum access when the operation number" set to "allowed to access (to force a user online offline)". Although a MAC-priority terminal comes online by its MAC address, the MAC address and the account are bound, and one account can be online on only one terminal, so the terminal that comes online later kicks the earlier one offline.

<AC> system-view
[AC] mac-authen quiet-times 5
[AC] mac-authen timer quiet-period 15
[AC] quit
<AC> save

portal captive-bypass enable

Permit Apple sites
portal free-rule 1 destination ip 223.111.109.13 mask 32
portal free-rule 2 destination ip 17.142.160.82 mask 32
portal free-rule 3 destination ip 17.172.224.102 mask 32
portal free-rule 4 destination ip 17.178.96.96 mask 32
portal free-rule 5 destination ip 223.119.150.170 mask 32
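
An added example, not part of the original post: a Python check over a command list or saved configuration for the bypass settings this page uses while troubleshooting (the "destination any source any" free rule, global 802.1X turned off, repeated or wide free rules), so they are not left behind afterwards. The sample configuration is constructed; the check assumes commands appear in the form typed on this page and that 802.1X is expected on the device.

```python
import ipaddress
import re

# Constructed sample: commands in the form used on this page, as they might
# appear in a change script or saved configuration after troubleshooting.
SAMPLE_CONFIG = """\
portal captive-bypass enable
portal free-rule 0 destination any source any
portal free-rule 1 destination ip 17.142.160.82 mask 32
portal free-rule 1 destination ip 17.178.96.96 mask 32
portal free-rule 2 destination ip 17.0.0.0 mask 8
mac-authen quiet-times 5
"""

FREE_RULE = re.compile(r"^portal free-rule (\d+) destination (.+)$")
IP_DEST = re.compile(r"^ip (\S+) mask (\S+)")


def audit(config, min_prefix=24, expect_dot1x=True):
    """Return (severity, message) findings for admission-control bypasses."""
    findings, seen_ids = [], set()
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:
        m = FREE_RULE.match(ln)
        if not m:
            continue
        rule_id, dest = int(m.group(1)), m.group(2)
        if rule_id in seen_ids:
            # Only one rule can exist under a given rule ID.
            findings.append(("warn", f"free-rule {rule_id} defined more than once"))
        seen_ids.add(rule_id)
        if dest.startswith("any"):
            findings.append(("high", f"free-rule {rule_id} exempts all traffic from Portal"))
            continue
        ip = IP_DEST.match(dest)
        if ip:
            # Accepts a mask length (32) or a dotted mask (255.255.255.255).
            net = ipaddress.ip_network(f"{ip.group(1)}/{ip.group(2)}", strict=False)
            if net.prefixlen < min_prefix:
                findings.append(("warn", f"free-rule {rule_id} opens a wide range {net}"))
    # Assumption: a device with 802.1X on shows a global 'dot1x enable' line.
    if expect_dot1x and "dot1x enable" not in lines:
        findings.append(("high", "global 'dot1x enable' is missing"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```
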

If a Layer 2 network lies between the terminal and the access control device, the terminal log can display the terminal's MAC address.
For this, the URL template on the AC must be configured so that the URL carries the terminal MAC address in the user-mac parameter.
[AC] url-template name HUAWEI-Template
[AC-url-template-HUAWEI-Template] url http://172.18.1.1:8080/portal
[AC-url-template-HUAWEI-Template] url-parameter ssid ssid user-mac usermac redirect-url url

Origin blog.51cto.com/maguangjie/2466115