★ Client cannot pop up the portal page automatically: during the wireless portal process, traffic is abnormally permitted/denied/redirected after reaching the portal device


Network Topology

STA--Cloud AP   or   STA---AP---AC

Problem Description

After the wireless terminal (Android) connects to the wireless network, the portal page does not pop up automatically. If you manually open the browser, or manually enter an IP address or URL, the portal page does pop up.

Process Analysis

After connecting to the network, terminals such as computers and mobile phones will send a large number of detection messages, some detecting Microsoft services, and some detecting Google services. These detection messages can theoretically trigger portal redirection actions. 

When the customer's terminal manually opens the browser, the portal page can pop up and they can also log in normally. Therefore, it can be inferred that it is not a DNS issue or a portal server issue, and it is speculated that it is a portal process processing issue. 


Enable debug portal all on the device (cloud AP or AC). The log is as follows.

[Outbound] permit the packet on the outbound {MatchRes = [Rule2-Permit]}.

IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = a-b-c,

SrcIP = 1.2.3.4 , DstIP = 192.168.1.8

L4Protocol = 6, SrcPort = 443, DstPort = 54776, VrfIndex = 0

 

*Apr 30 08:24:47:705 2024 PRUEBAS POLANCO PORTAL/7/RULE:

 [Outbound] permit the packet on the outbound {MatchRes = [Rule1-Permit]}.

 IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = c-b-a,

 SrcIP = 4.3.2.1, DstIP = 192.168.1.8

 L4Protocol = 6, SrcPort = 443, DstPort = 42102, VrfIndex = 0

 

*Apr 30 08:24:47:705 2024 PRUEBAS POLANCO PORTAL/7/RULE:

 [Outbound] permit the packet on the outbound {MatchRes = [Rule2-Permit ]}.

 IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = a-b-c,

 SrcIP = 192.168.1.1, DstIP = 192.168.1.8

 L4Protocol = 6, SrcPort = 443, DstPort = 34588, VrfIndex = 0

 

*Apr 30 08:24:47:705 2024 PRUEBAS POLANCO PORTAL/7/RULE:

[Outbound] permit the packet on the outbound {MatchRes = [Rule1-Permit]}.

IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = a-a-a,

SrcIP = 192.1.1.1, DstIP = 192.168.1.8

 L4Protocol = 6, SrcPort = 443, DstPort = 36446, VrfIndex = 0

 

*Apr 30 08:24:47:705 2024 PRUEBAS POLANCO PORTAL/7/RULE:

 [Outbound] permit the packet on the outbound {MatchRes = [Rule2-Permit]}.

 IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = a-a-a,

 SrcIP = 192.168.1.1, DstIP = 192.168.1.8

 L4Protocol = 1, SrcPort = 0, DstPort = 0, VrfIndex = 0


You can see that some traffic accessing HTTPS matches Rule1 Permit.  

Summary of the rule match results encountered in portal debugging:

  [Outbound] permit the packet on the outbound {MatchRes = [Rule4-Deny]}.

 [Inbound] execute full rule match, { MatchRes = [Rule1-Permit] }

 [Outbound] execute full rule match, { MatchRes = Pre-Rule1-Permit }

 [Outbound] permit the packet on the outbound {MatchRes = [Rule2-Permit]}.

 [Inbound] execute full rule match, { MatchRes = [Rule3-Redirect] }

The meaning of each rule:

Rule1: The traffic is released by a free rule. The IP addresses permitted by free rules can be seen in the configuration.

Rule2: The user has passed authentication or triggered temporary release.

Rule3: Default configuration. HTTP/HTTPS traffic is redirected.

Rule4: Default configuration. Traffic is denied by default. It can also be issued by configuring portal deny.


As seen above, the traffic on port 443 was permitted by Rule1. It is therefore suspected that the Android terminal's detection traffic matched a free rule and was released, so it did not trigger portal redirection and the portal page did not pop up automatically.

The portal free-rule configuration is as follows, but the free rules are domain names, which cannot be matched directly to the traffic being permitted.

#

 portal user log enable

 portal client-gateway interface Vlan-interface1

 portal free-rule 501 destination ip 114.114.114.114 255.255.255.255

 portal free-rule 502 destination ip any udp 53

 portal free-rule 503 destination ip any tcp 53

 portal free-rule 504 destination ip any tcp 5223

 portal free-rule 520 destination oasisauth.h3c.com

 portal free-rule 521 destination short.weixin.qq.com

 portal free-rule 522 destination mp.weixin.qq.com

 portal free-rule 523 destination long.weixin.qq.com

 portal free-rule 524 destination dns.weixin.qq.com

 portal free-rule 525 destination minorshort.weixin.qq.com

 portal free-rule 526 destination extshort.weixin.qq.com

 portal free-rule 527 destination szshort.weixin.qq.com

 portal free-rule 528 destination szlong.weixin.qq.com

 portal free-rule 529 destination szextshort.weixin.qq.com

 portal free-rule 530 destination isdspeed.qq.com

 portal free-rule 531 destination wx.qlogo.cn

 portal free-rule 532 destination wifi.weixin.qq.com

 portal free-rule 533 destination login.live.com

 portal free-rule 534 destination login.microsoftonline.com

 portal free-rule 535 destination browser.events.data.microsoft.com

 portal free-rule 536 destination aadcdn.msauth.net

 portal free-rule 537 destination connect.facebook.net

 portal free-rule 538 destination staticxx.facebook.com

 portal free-rule 539 destination graph.facebook.com

 portal free-rule 540 destination www.facebook.com

 portal free-rule 541 destination m.facebook.com

 portal free-rule 542 destination facebook.com

 portal free-rule 543 destination static.xx.fbcdn.net

 portal free-rule 544 destination *.xx.fbcdn.net

 portal free-rule 545 destination scontent-lax3-2.xx.fbcdn.net

 portal free-rule 546 destination scontent-hkg3-1.xx.fbcdn.net

 portal free-rule 547 destination *.facebook.com

 portal free-rule 548 destination *.facebook.net

 portal free-rule 549 destination accounts.google.com

 portal free-rule 550 destination gstatic.google.com

 portal free-rule 551 destination fonts.gstatic.com

 portal free-rule 552 destination accounts.youtube.com

 portal free-rule 553 destination play.google.com

 portal free-rule 554 destination lh3.googleusercontent.com

 portal free-rule 555 destination ssl.gstatic.com

 portal free-rule 556 destination clients1.google.com

 portal free-rule 557 destination www.google.com

 portal free-rule 558 destination accounts.google.com.sg

 portal free-rule 559 destination content-autofill.googleapis.com

 portal free-rule 560 destination www3.l.google.com

 portal free-rule 561 destination www.googleapis.com

 portal free-rule 562 destination accounts-cctld.l.google.com

 portal free-rule 563 destination api.twitter.com

 portal free-rule 564 destination abs-0.twimg.com

 portal free-rule 565 destination pbs.twimg.com

 portal free-rule 566 destination ton.twimg.com

 portal safe-redirect enable

 portal safe-redirect method get post

 portal safe-redirect user-agent Android

 portal safe-redirect user-agent CFNetwork

 portal safe-redirect user-agent CaptiveNetworkSupport

 portal safe-redirect user-agent Chrome

 portal safe-redirect user-agent Firefox

 portal safe-redirect user-agent MicroMessenger

 portal safe-redirect user-agent MicrosoftNCSI

 portal safe-redirect user-agent Mosilla

 portal safe-redirect user-agent Safari

 portal safe-redirect user-agent WeChat

 portal safe-redirect user-agent android

 portal safe-redirect user-agent iPhone

 portal safe-redirect user-agent micromessenger

#

If a free rule is a domain name, you can view the correspondence between the domain name and its IP addresses with display portal dns free rule host.

Finally, it was confirmed that the HTTPS traffic matched the free rule of fonts.gstatic.com, resulting in being released.
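The correlation described above, as an added example that is not part of the original case: it parses PORTAL/7/RULE debug output and, for each HTTPS packet released by Rule1, looks up the server address in a domain-to-IP map. The sample log, its addresses and FREE_RULE_HOSTS are constructed; the map stands in for the domain/IP correspondence the device reports for domain free rules.

```python
import re
from collections import Counter

# Constructed sample in the layout of the PORTAL/7/RULE debug output above.
# Addresses are documentation ranges; the inbound entry assumes the same field layout.
SAMPLE_LOG = """\
*Apr 30 08:24:47:705 2024 AP1 PORTAL/7/RULE:
 [Outbound] permit the packet on the outbound {MatchRes = [Rule2-Permit ]}.
 IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = a-b-c,
 SrcIP = 192.168.1.1, DstIP = 192.168.1.8
 L4Protocol = 1, SrcPort = 0, DstPort = 0, VrfIndex = 0
*Apr 30 08:24:47:705 2024 AP1 PORTAL/7/RULE:
 [Outbound] permit the packet on the outbound {MatchRes = [Rule1-Permit]}.
 IfName = WLAN-BSS1/0/3, PortName = WLAN-BSS1/0/3, Vlan = 1, DstMAC = a-b-c,
 SrcIP = 203.0.113.10 , DstIP = 192.168.1.8
 L4Protocol = 6, SrcPort = 443, DstPort = 36446, VrfIndex = 0
*Apr 30 08:24:47:706 2024 AP1 PORTAL/7/RULE:
 [Inbound] execute full rule match, { MatchRes = [Rule3-Redirect] }
 SrcIP = 192.168.1.8, DstIP = 198.51.100.7
 L4Protocol = 6, SrcPort = 40112, DstPort = 80, VrfIndex = 0
"""
# Constructed domain-to-address map, standing in for the device's resolved free-rule hosts.
FREE_RULE_HOSTS = {"fonts.gstatic.com": {"203.0.113.10"}, "www.google.com": {"203.0.113.20"}}

# MatchRes appears both bracketed ([Rule2-Permit ]) and bare (Pre-Rule1-Permit).
MATCH = re.compile(r"\[(Inbound|Outbound)\].*MatchRes = \[?\s*([\w-]+)")
FIELD = re.compile(r"(\w+) = ([^,\s]+)")

def parse_entries(text):
    """Split debug output into one dict per matched packet."""
    entries = []
    for line in text.splitlines():
        m = MATCH.search(line)
        if m:
            entries.append({"Dir": m.group(1), "Rule": m.group(2)})
        elif entries:
            entries[-1].update(FIELD.findall(line))
    return entries

def free_rule_https(entries, hosts):
    """HTTPS packets released by Rule1 (free rule), with the domain whose address matched."""
    ip_to_domain = {ip: name for name, ips in hosts.items() for ip in ips}
    hits = []
    for e in entries:
        ports = (e.get("SrcPort"), e.get("DstPort"))
        if e["Rule"] == "Rule1-Permit" and e.get("L4Protocol") == "6" and "443" in ports:
            server = e["SrcIP"] if ports[0] == "443" else e["DstIP"]
            hits.append((server, ip_to_domain.get(server, "no free-rule host")))
    return hits

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(Counter(e["Rule"] for e in entries))
    print(free_rule_https(entries, FREE_RULE_HOSTS))
```

Each domain returned is a free rule that releases HTTPS before authentication and is a candidate for removal if it is not needed for the login flow.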


Solution

After deleting the free rules we don't need, the problem is resolved and the terminal can automatically pop up the portal page after connecting to Wi-Fi.
