
The Portal Authentication Page Cannot Be Displayed

This section describes how to troubleshoot the failure when the portal authentication page cannot be displayed on the FW.

Symptom

An enterprise has deployed the FW as a gateway that connects the intranet to the Internet. Intranet users can access Internet resources only after being authenticated by the FW.

An intranet user cannot be redirected to the authentication page when the user attempts to access the Internet.

Fault Diagnosis

The possible causes are as follows:

Procedure

    Web authentication is disabled.

    Check the global configuration to confirm that web authentication is enabled. Web authentication is enabled by default.

    <sysname> display user-manage global-configuration
    Global Configuration Information about User Management :       
     ------------------------------------------------------------------------------- 
     Web Authentication Switch           : Enable 
     Web Authentication Port             : 8887  
     Web Authentication Type             : HTTPS  
     .........................
    

    If web authentication is disabled, run the user-manage web-authentication enable command in the system view to enable it.

    The user wants to access non-HTTP services. In this case, the FW does not redirect the user to the authentication page.

    The FW redirects only HTTP service requests. For example, if a user attempts to access http://www.example.org, the FW will display the authentication page, prompting the user to enter the user name and password.

    If a user attempts to access non-HTTP services, such as FTP services, the user must proactively access the authentication page at https://10.3.0.1:8887, where 10.3.0.1 is an interface address of the FW. The user PC and this address must be reachable to each other.

    The authentication policy is incorrectly configured or not configured.

    Choose Object > User > Authentication Policy on the web UI or run the display auth-policy command to check authentication policy configuration.

    Ensure that traffic sent by the intranet user matches the authentication policy whose authentication action is user name+password authentication.

    The user PC and the authentication page address are not reachable to each other.

    The FW uses the address of the interface through which the FW receives an HTTP request as the address of the authentication page. Therefore, the user PC and the interface IP address must be reachable to each other.

    Otherwise, the user will not be redirected to the authentication page. In this case, the administrator can run the user-manage redirect-authentication command in the system view to specify a new address for the authentication page. The FW will redirect the web browser of the user to the new address. The address must be an interface address of the FW, and the user PC and address must be reachable to each other.

    The security policy does not allow the user PC to access the authentication page of the FW.

    The FW provides authentication page services through port 8887. Therefore, ensure that the interzone security policy from the zone where the user resides to the local zone permits TCP port 8887.

    [FW] security-policy
    [FW-policy-security] rule name policy_sec_01
    [FW-policy-security-rule-policy_sec_01] source-zone trust
    [FW-policy-security-rule-policy_sec_01] destination-zone local
    [FW-policy-security-rule-policy_sec_01] service protocol tcp destination-port 8887
    [FW-policy-security-rule-policy_sec_01] action permit

    The security policy does not enable the DNS service, causing DNS packets for HTTP service domain name resolution to be discarded.

    When a user wants to access a website through the browser, domain name resolution is performed first. If the user cannot access the DNS server, HTTP traffic cannot be triggered. Therefore, the authentication page cannot be displayed. If the authentication page can be displayed after an IP address is entered in the address box of the browser, domain name resolution is not correctly performed.

    Enable the DNS service in the interzone security policy from the zone where the user resides to the zone where the DNS server resides.

    The SSL versions of the browser and the FW authentication page do not match.

    By default, the FW authentication page supports TLS 1.2. If the SSL versions of the browser and the FW authentication page do not match, the authentication page cannot be displayed.

    Run the user-manage security version { { tlsv1 | tlsv1.1 | tlsv1.2 } * | all } command to change the SSL version of the FW authentication page, or change the SSL version of the browser, so that the SSL versions of the browser and the FW authentication page match.
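
The checks in this procedure can be combined into one triage helper that takes the FW display output plus a probe result from the user PC. The following Python is an added example, not Huawei code: the function names parse_global_config, probe and diagnose are hypothetical, and SAMPLE is constructed from the display output shown earlier.

```python
import socket
import ssl

# Constructed sample, modelled on the display output shown in the procedure.
SAMPLE = """\
 Web Authentication Switch           : Enable
 Web Authentication Port             : 8887
 Web Authentication Type             : HTTPS
"""

def parse_global_config(text):
    """Turn the 'Key : Value' lines of the display output into a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the title, rulers and elided lines
            cfg[key.strip()] = value.strip()
    return cfg

def probe(host, port, timeout=3.0):
    """Run from the user PC. Returns (tcp_ok, negotiated_tls_version_or_None)."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return False, None
    # Diagnostic only: certificate checks are off so a self-signed portal
    # certificate does not mask the version result. No HTTP data is sent.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw) as tls:
            return True, tls.version()
    except OSError:  # ssl.SSLError is a subclass of OSError
        raw.close()
        return True, None

def diagnose(cfg, tcp_ok, tls_version):
    """Map the observations to the causes listed in the procedure."""
    if cfg.get("Web Authentication Switch") != "Enable":
        return "web authentication is disabled"
    if not tcp_ok:
        port = cfg.get("Web Authentication Port", "?")
        return "portal unreachable: check routing and security policy for port " + port
    if cfg.get("Web Authentication Type") == "HTTPS" and tls_version is None:
        return "TLS handshake failed: compare browser and FW SSL versions"
    return "portal reachable: check authentication policy and DNS"
```

On the user PC, pass the result of probe("10.3.0.1", 8887) together with the parsed display output to diagnose; 10.3.0.1 is the example interface address used in this procedure.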

Copyright © Huawei Technologies Co., Ltd.