Failed to access the portal authentication page

2023-06-30 17:40:20 Published

Network Topology

Hierarchical AC networking: the authentication point is at the Central AC and the forwarding point is at the AP.

The Central ACs run in dual-machine hot backup.

The portal authentication server is IMC.

Problem Description

The on-site office runs a hierarchical AC network with portal + mac-trigger authentication; the authentication point is on the central AC and the forwarding point is on the AP. A local SSID on the central AC uses wireless portal and authenticates normally, but the portal page for the SSID at the downlink branch does not pop up. The two SSIDs use the same domain and RADIUS policy but belong to different address segments: one is VLAN 301 and the other is VLAN 401.

The wired and wireless test at the branch shows the same pop-up results:

 

Main configuration on the AC device side:

#
wlan service-template 2
 ssid A-WiFi
 vlan 301
 client forwarding-location ap
 client-security authentication-location central-ac
 portal enable method direct
 portal domain imc
 portal bas-ip 10.xxx.xxx.150
 portal apply web-server imc
 portal apply mac-trigger-server imc
 service-template enable
#
wlan service-template 3
 ssid A-WiFi
 vlan 301
 portal enable method direct
 portal domain imc
 portal bas-ip 10.xxx.xxx.150
 portal apply web-server imc
 portal apply mac-trigger-server imc
 service-template enable
#
portal web-server imc
 url http://10.xxx.xxx.80:80/portal
 url-parameter apmac ap-mac
 url-parameter ssid ssid
 url-parameter userip source-address
 url-parameter usermac value source-mac
#
portal server imc
 ip 10.xxx.xxx.80 key cipher $c$3$VkT8tta72jPA8+1dSEWGvvtKvKuBUbDA3/L0Ww4m


Process Analysis

The on-site office runs a hierarchical AC network with portal + mac-trigger authentication; the authentication point is on the central AC and the forwarding point is on the AP. A local SSID on the central AC uses wireless portal and authenticates normally, but the portal page for the SSID at the downlink branch does not pop up. Because the HQ wireless service and the branch wireless service share the same portal authentication service and differ only in service VLAN, the portal service on the authentication server side can be judged normal.

Packet capture and log analysis on the server side then showed that the terminal's request message reached the authentication server, but the server sent its response to another AC's address. After confirmation, both the main and standby Central ACs had been added to IMC on site, but the AC configuration did not make the portal redirection carry the device bas-ip. IMC therefore could not determine which device the request message came from and could not tell which device to respond to, so the page was not displayed.

Solution

Configure the device bas-ip, and configure url-parameter nasip value x.x.x.x for the redirection URL under portal web-server.
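A configuration check for the condition found in this case, as an added example that is not part of the original case or vendor tooling: it reads a '#'-separated configuration like the one shown above and reports portal-enabled service templates that have no portal bas-ip or whose web-server does not send a nasip url-parameter. The sample configuration is constructed, with documentation-range addresses, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on this case; addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
wlan service-template 2
 portal enable method direct
 portal bas-ip 192.0.2.150
 portal apply web-server imc
#
wlan service-template 3
 portal enable method direct
 portal apply web-server fixed
#
portal web-server imc
 url http://192.0.2.80:80/portal
 url-parameter userip source-address
#
portal web-server fixed
 url http://192.0.2.80:80/portal
 url-parameter nasip value 192.0.2.150
"""

def sections(config):
    """Split the config on '#' separator lines into {header line: [body lines]}."""
    out = {}
    for block in re.split(r"(?m)^#[ \t]*$", config):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines:
            out[lines[0]] = lines[1:]
    return out

def audit_portal(config):
    """List (template, problem) pairs that leave the portal server unable to identify the AC."""
    secs = sections(config)
    # url-parameter names configured under each portal web-server
    params = {h.split()[-1]: {l.split()[1] for l in body if l.startswith("url-parameter ")}
              for h, body in secs.items() if h.startswith("portal web-server ")}
    findings = []
    for h, body in secs.items():
        if not (h.startswith("wlan service-template ") and any(l.startswith("portal enable") for l in body)):
            continue
        if not any(l.startswith("portal bas-ip ") for l in body):
            findings.append((h, "no portal bas-ip"))
        for ws in (l.split()[-1] for l in body if l.startswith("portal apply web-server ")):
            if "nasip" not in params.get(ws, set()):
                findings.append((h, f"web-server {ws} sends no nasip url-parameter"))
    return findings
```

Calling `audit_portal()` on the saved configuration of both the main and standby Central AC shows whether either one can still redirect clients without identifying itself to IMC.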
