CHAPTER 10

SSG TCP Redirect

The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services, and ensures that subscribers can access only the services that the service provider allows.

The SSG TCP Redirect feature always sends redirected packets to a captive portal group. Any server that is programmed to respond to the redirected packets can be a captive portal. A captive portal group consists of one or more servers. SSG TCP Redirect identifies a captive portal group by its unique name. Each server in a captive portal group is identified by its IP address and TCP port. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. Servers can be in the SSG Open Garden or default network.

If SESM is used as a captive portal, unauthenticated users can be sent automatically to the SESM logon page when they start a browser session. Captive portal applications can also redirect to service logon pages, advertising pages, and message pages. The SESM captive portal application can also capture a URL in a user request and redirect the browser to the originally requested URL after successful authentication.

The SSG feature does not require that you configure all service definitions manually using the command-line interface (CLI). Some, and possibly all, service definitions can come from RADIUS. The download of definitions is triggered when a user attempts to send a packet to a network that is not defined in the SSG VRF table. If this occurs and redirection is enabled, SSG redirects the packet to SESM, which then triggers RADIUS to download the service definition. SSG forwards subsequent packets without redirection.

The Cisco 10000 series router supports the following types of redirection:

Redirection for Unauthenticated Users

Redirection for Unauthorized Services

Initial Captivation

Redirection for Unauthenticated Users

Redirection for unauthenticated users redirects packets from a user if the user has not authorized with the service provider. When an unauthorized subscriber attempts to connect to a service on a TCP port (for example, to www.cisco.com), SSG TCP Redirect redirects the packet to the captive portal (SESM or a group of SESM devices). SESM issues a redirect to the browser to display the logon page. The subscriber logs in to SESM and is authenticated and authorized. SESM then presents the subscriber with a personalized home page, the service provider home page, or the original URL.
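
The redirect decision described in this section, together with the round-robin captive portal group described earlier, modeled as an added example (not Cisco code or SSG configuration). The class names, addresses, per-source-IP session tracking, and the representation of the Open Garden as a list of prefixes are assumptions of the model.

```python
# Added illustration, not Cisco code: a simplified model of how SSG TCP
# Redirect treats TCP packets from unauthenticated users. Names are constructed.
from ipaddress import ip_address, ip_network
from itertools import cycle


class CaptivePortalGroup:
    """Uniquely named group of servers, each an (IP address, TCP port) pair."""

    def __init__(self, name, servers):
        if not servers:
            raise ValueError("a captive portal group needs at least one server")
        self.name = name
        self._next = cycle(servers)  # round-robin selection

    def next_server(self):
        return next(self._next)


class RedirectModel:
    def __init__(self, group, open_garden):
        self.group = group
        self.open_garden = [ip_network(n) for n in open_garden]
        self.authenticated = set()  # source IPs of logged-on subscribers

    def logon(self, src_ip):
        """Stands in for a successful SESM logon (assumption of this model)."""
        self.authenticated.add(src_ip)

    def handle_tcp(self, src_ip, dst_ip, dst_port):
        """Return ('forward' | 'redirect', (ip, port)) for one TCP packet."""
        # Open Garden traffic is forwarded without authentication; placing the
        # portal servers there keeps redirected users from being redirected again.
        if any(ip_address(dst_ip) in net for net in self.open_garden):
            return ("forward", (dst_ip, dst_port))
        if src_ip in self.authenticated:
            return ("forward", (dst_ip, dst_port))
        return ("redirect", self.group.next_server())


def demo():
    group = CaptivePortalGroup("sesm-portal", [("10.0.0.10", 8080), ("10.0.0.11", 8080)])
    ssg = RedirectModel(group, open_garden=["10.0.0.0/28"])
    user, web = "172.16.1.5", ("198.51.100.7", 80)
    before = [ssg.handle_tcp(user, *web) for _ in range(3)]
    to_portal = ssg.handle_tcp(user, "10.0.0.10", 8080)
    ssg.logon(user)
    return before, to_portal, ssg.handle_tcp(user, *web)


if __name__ == "__main__":
    print(demo())
```

When checking a real deployment against this model, confirm that every server in the captive portal group is reachable by an unauthenticated subscriber, and that nothing outside the Open Garden or default network is.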

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

 

OL-4387-02
