Troubleshooting portal, Symptom, Analysis – H3C Technologies H3C SecPath F1000-E User Manual

Page 158: Solution, Incorrect server port number on the access device

148

Troubleshooting portal

Inconsistent keys on the access device and the portal server

Symptom

When a user is forced to access the portal server, the portal server displays a blank Web page, rather

than the portal authentication page or an error message.

Analysis

The keys configured on the access device and the portal server are inconsistent, causing CHAP message

exchange failure. As a result, the portal server does not display the authentication page.

Solution

•

Use the display portal server command to display the key for the portal server on the access device
and view the key for the access device on the portal server.

•

Use the portal server command to modify the key on the access device or modify the key for the
access device on the portal server to make sure that the keys are consistent.

Incorrect server port number on the access device

Symptom

After a user passes the portal authentication, you cannot force the user to log off by executing the portal

delete-user command on the access device, but the user can log off by using the disconnect attribute on

the authentication client.

Analysis

When you execute the portal delete-user command on the access device to force the user to log off, the
access device actively sends a REQ_LOGOUT message to the portal server. The default listening port of

the portal server is 50100. However, if the listening port configured on the access device is not 50100,

the destination port of the REQ_LOGOUT message is not the actual listening port on the server, and the

portal server cannot receive the REQ_LOGOUT message. As a result, you cannot force the user to log off
the portal server.
When the user uses the disconnect attribute on the client to log off, the portal server actively sends a

REQ_LOGOUT message to the access device. The source port is 50100 and the destination port of the

ACK_LOGOUT message from the access device is the source port of the REQ_LOGOUT message so that
the portal server can receive the ACK_LOGOUT message correctly, no matter whether the listening port

is configured on the access device. The user can log off the portal server.

Solution

Use the display portal server command to display the listening port of the portal server configured on the

access device and use the portal server command in the system view to modify it to make sure that it is
the actual listening port of the portal server.

This manual is related to the following products:

H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS