Cisco Systems OL-4387-02 manual SSG TCP Redirect, Redirection for Unauthenticated Users, 10-1

Page 63

C H A P T E R 10

SSG TCP Redirect

The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services and ensures that subscribers are only allowed to access the services that the service provider wants them to.

The SSG TCP Redirect feature always sends redirected packets to a captive portal group. Any server that is programmed to respond to the redirected packets can be a captive portal. A captive portal group consists of one or more servers. SSG TCP Redirect identifies a captive portal group by its unique name. Each server in a captive portal group is identified by its IP address and TCP port. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. Servers can be in the SSG Open Garden or default network.

If SESM is used as a captive portal, unauthenticated users can be sent automatically to the SESM logon page when they start a browser session. Captive portal applications can also redirect to service logon pages, advertising pages, and message pages. The SESM captive portal application can also capture a URL in a user request and redirect the browser to the originally requested URL after successful authentication.

The SSG feature does not require that you configure all service definitions manually, using the command line interface (CLI). Some, and possibly all service definitions, can come from RADIUS. The download of definitions is triggered when a user attempts to send a packet to a network that is not defined in the SSG VRF table. If this occurs and redirection is enabled, SSG redirects the packet to SESM, which then triggers RADIUS to download the service definition. SSG forwards subsequent packets without redirection.

The Cisco 10000 series router supports the following types of redirection:

Redirection for Unauthenticated Users, page 10-1

Redirection for Unauthorized Services, page 10-2

Initial Captivation, page 10-3

Redirection for Unauthenticated Users

Redirection for unauthenticated users redirects packets from a user if the user has not authorized with the service provider. When an unauthorized subscriber attempts to connect to a service on a TCP port (for example, to www.cisco.com), SSG TCP Redirect redirects the packet to the captive portal (SESM or a group of SESM devices). SESM issues a redirect to the browser to display the logon page. The subscriber logs in to SESM and is authenticated and authorized. SESM then presents the subscriber with a personalized home page, the service provider home page, or the original URL.

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

 

OL-4387-02

10-1

 

 

 

Page 62 Page 64
Image 63
Page 62 Page 64
Contents Corporate Headquarters Copyright 2004, Cisco Systems, Inc All rights reserved Iii N T E N T SConfiguration Example for SSG AutoDomain Configuration Example for SSG Open Garden Configuration of VPI/VCI Static Binding to a Service Profile Vii SSG UnconfigViii About This Guide AudienceDocument Organization Document Conventions Related Documentation Obtaining DocumentationCisco.com Ordering Documentation Documentation FeedbackObtaining Technical Assistance Documentation CD-ROMXiii Cisco TAC WebsiteOpening a TAC Case TAC Case Priority DefinitionsXiv Obtaining Additional Publications and InformationService Selection Gateway Service Selection Gateway OverviewSSG Topology Example Access Protocols Default NetworkSSG Restrictions Supported SSG FeaturesService Selection Gateway Overview SSG Restrictions SSG Architecture Model SSG PrerequisitesService Selection Gateway Overview SSG Architecture Model OL-4387-02 Limitations and Restrictions Scalability and PerformanceScalability and Performance Limitations and Restrictions SSG Logon and Logoff Single Host LogonPrerequisites for Single Host Logon Configuration of SSG Autologoff SSG AutologoffRestrictions for SSG Autologoff Example 3-2 SSG Autologoff Using Icmp Ping SSG Prepaid Idle TimeoutConfiguration Example for SSG Autologoff Example 3-1 SSG Autologoff Using ARP PingService Reauthorization Service AuthorizationConfiguration Example for SSG Prepaid Idle Timeout Restrictions for SSG Prepaid Idle TimeoutPrerequisites for SSG Prepaid Idle Timeout Configuration of SSG Prepaid Idle TimeoutExample 3-6 SSG Threshold Time SSG Session and Idle TimeoutExample 3-5 SSG Service-Specific TCP Redirect Example 3-7 SSG Threshold VolumeExample 4-1 Radius Freeware Format Example Authentication and AccountingSSG Full Username Radius Attribute Restrictions for SSG Full Username Radius AttributeExample 4-4 Radius Accounting-Stop Record Account Login and LogoutRadius Accounting Records Example 4-3 Radius Accounting-Start RecordService Connection and Termination Authentication and Accounting Radius Accounting Records Service Selection Methods PPP Terminated AggregationPTA-Multidomain Restrictions for PTA-MD Web Service SelectionSesm and SSG Performance OL-4387-02 SSG AutoDomain Service ConnectionConfiguration of SSG AutoDomain Configuration Example for SSG AutoDomainRestrictions for SSG AutoDomain Example 6-1 SSG AutoDomain Example 6-2 AutoDomain Exclude Profile SSG VSA FormatExample 6-3 AutoDomain Exclude File Format Configuration of SSG Prepaid SSG PrepaidRestrictions for SSG Prepaid SSG Open Garden Configuration Example for SSG PrepaidRestrictions for SSG Open Garden Configuration of SSG Open GardenConfiguration Example for SSG Open Garden SSG Port-Bundle Host KeyRestrictions for SSG Port-Bundle Host Key Prerequisites for SSG Port-Bundle Host Key Mutually Exclusive Service SelectionConfiguration of SSG Port-Bundle Host Key Exclude NetworksConfiguration of Mutually Exclusive Service Selection OL-4387-02 Downstream Access Control List Service ProfilesFull Username Upstream Access Control ListService Authentication Type Domain NameService Next-Hop Gateway Service-Defined CookieService Description Service ModeExample 7-1 Service Profile Cached Service ProfilesType of Service Service Profile ExampleConfiguration of Cached Service Profiles OL-4387-02 SSG Hierarchical Policing SSG Hierarchical Policing OverviewSSG Hierarchical Policing Token Bucket Scheme Restrictions for SSG Hierarchical Policing SSG Hierarchical Policing ConfigurationExample 8-2 Enabling Per-Session Policing on a Router Configuration Examples for SSG Hierarchical PolicingOL-4387-02 Transparent Passthrough Interface ConfigurationFor example Access Side InterfacesRestrictions of Transparent Passthrough Configuration of Transparent PassthroughMulticast Protocols on SSG Interfaces Network Side InterfacesConfiguration of Multicast Protocols on SSG Interfaces Redirection for Unauthenticated Users SSG TCP Redirect10-1 10-2 Redirection for Unauthorized Services10-3 Initial Captivation10-4 Configuration of SSG TCP RedirectRestrictions for SSG TCP Redirect Prerequisites for SSG TCP Redirect10-5 Example 10-1 Binding a Server Group to a PortExample 10-2 Limiting Redirected TCP Sessions 10-6 Configuring SSG TCP RedirectExample 10-4 Defining Network Lists Configuration Examples for SSG TCP Redirect10-7 Example 10-3 Defining a Captive Portal Server GroupExample 10-5 Defining Port Lists 10-8Miscellaneous SSG Features VPI/VCI Static Binding to a Service Profile11-1 11-2 AAA Server Group Support for Proxy ServicesConfiguration of Radius Virtual Circuit Logging Radius Virtual Circuit Logging11-3 Packet Filtering11-4 Downstream Access Control List-outaclUpstream Access Control List-inacl Restrictions for Packet FilteringRestrictions for SSG Unconfig SSG UnconfigConfiguration of Packet Filtering Configuration Example for Packet Filtering11-6 Prerequisites for SSG UnconfigConfiguration of SSG Unconfig Configuration Examples for SSG UnconfigSSG Enhancements for Overlapping Services Service Translation11-7 11-8 11-9 Restrictions for Service Translation11-10 Configuration of Service Translation11-11 Expansion of Service IDs11-12 Network Sets12-1 Monitoring and Maintaining SSG12-2 Troubleshooting RadiusPer-Service Statistics Restrictions for Per-Service Statistics12-3 Monitoring the Parallel Express Forwarding Engine12-4 Figure A-1 SSG Example Topology SSG Configuration ExampleUsername cisco password 0 cisco clock timezone PST Example A-1 Cisco 10000 Router SSG ConfigurationSsg accounting interval 300 ssg profile-cache Full-duplex Peer default ip address pool SSG-POOL Exec-timeout 0 0 password lab SSG Implementation Notes SSG Feature Implementation NotesMpls Also see the Restrictions for SSG TCP Redirect section on OL-4387-02 GL-1 O S S a R YGL-2 GL-3 GL-4 GL-5 GL-6 IN-1 D EIN-2 DSL G-1IN-3 ISP G-2 L2TPIN-4 RadiusIN-5 Reauthorizing prepaidIN-6 TCPIN-7 VRF G-5 VSAIN-8
Top Page Image Contents