Troubleshooting guide
3. Troubleshooting Functional Failures During Operation
119
Table 3-60: Checking the configuration of Web authentication
No. Items to check Action
1 Check the Web authentication configuration
settings.
Make sure the following configuration commands have been
set correctly.
Common configuration:
•
aaa accounting web-authentication default
start-stop group radius
• aaa authentication web-authentication
default group radius
• web-authentication system-auth-control
Configuration for dynamic VLAN mode:
•
web-authentication auto-logout
• web-authentication max-timer
• web-authentication max-user
• web-authentication vlan
Configuration for fixed VLAN mode:
•
web-authentication ip address
• web-authentication port
• web-authentication static-vlan max-user
• web-authentication web-port
For AX6700S, AX6600S, and AX6300S series switches, make
sure also the following commands have been set.
•
authentication ip access-group
• web-authentication redirect-vlan
• web-authentication redirect-mode
For AX3800S, AX3600S, and AX2400S series switches, make
sure also the following commands have been set.
•
authentication arp-relay
• authentication ip access-group
• web-authentication redirect enable
• web-authentication redirect-mode
2 Check the IP address settings for the VLAN
interfaces.
For dynamic VLAN mode, make sure the IP addresses for the
following VLAN interfaces are set correctly:
• Pre-authentication VLAN
• Post-authentication VLAN
3 Check the DHCP relay agent configuration. For dynamic VLAN mode, if an external DHCP server is used
on an L3 switch, make sure DHCP relay agents are correctly set
between the following VLANs:
• Between the pre-authentication VLAN and the VLAN for
the server
• Between the post-authentication VLAN and the VLAN for
the server
4 Check the filtering configuration. For dynamic VLAN mode, when the filtering is used for an L3
switch, make sure that the filters are correctly set between the
following VLANs:
• From the VLAN used for authentication to the
post-authentication VLAN: A filter is set to disable all IP
communication.
• From the post-authentication VLAN to the VLAN used for
authentication: A filter is set to forward only
communication by Web browsers.
Certain packets might have been discarded either by filtering or
by bandwidth monitoring, drop control, or the QoS control
shaper. Make sure that the setting conditions for filters and QoS
control in the configuration are correct, and that bandwidth
monitoring, drop control, or the shaper is used appropriately in
the system configuration. For details about the procedure, see
3.25.1 Checking the filters and QoS configuration
information.