Chapter 10 SSG TCP Redirect

The SSG TCP Redirect feature always sends redirected packets to a captive portal group that consists of one or more servers. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. For upstream packets, SSG rewrites the destination IP address and TCP port to those of the selected captive portal server. For downstream packets, SSG rewrites the source IP address and port back to the destination of the original packet, so the client sees the reply as coming from the host it tried to reach. If multiple TCP sessions from the same user are redirected, SSG uses the same redirect server for all of them. When a redirected TCP session terminates, or is idle for more than 60 seconds, SSG clears the translation it created for that session. In host-key mode with overlapping user IP addresses, redirection works only for host-keyed servers.

Note This feature applies only to non-PPP users. PPP users are always authenticated as part of the PPP negotiation process. PPP users logging off from SESM are also redirected.

The following describes the behavior of redirection for unauthorized users:

If a user is subject to redirection or captivation, packets from the user that match the protocol and ports configured as the redirection and captivation filter are sent to the captive portal (SESM). If a user packet does not match the filter, SSG drops it.

SSG drops all packets to the user, unless the packet arrives from the SESM or the Open Garden network.

Redirection for Unauthorized Services

Redirection for unauthorized services redirects TCP sessions from authenticated users who have not been authorized to access service networks. SSG TCP Redirect redirects the packets to a captive portal, such as SESM. SESM can then prompt for the service logon.

SSG can redirect unauthorized TCP sessions for different networks to different servers. For network-based redirection, a list of networks is used for unauthorized service redirect. The network list is associated with a group of servers. Only one network list can be associated with a server group.

The server group can also be associated with a port or a list of ports. Servers handle particular captive portal applications as defined by the port that they use, so the TCP sessions redirected to a server group can be restricted by destination port. A port list defines a named list of interesting destination TCP ports; it is associated with a server group and restricts which applications are redirected to that group. Only one port list or port can be associated with a server group.

If the destination of a session matches none of the networks in any network list, you can set up a default server group to receive the redirected packets by using the redirect unauthorized-service command without a destination network list.

[no] redirect unauthorized-service [destination network-list network-list-name] to group-name

SSG TCP Redirect also restricts access to certain networks that are part of another authorized service. For example, in Figure 10-1 the user is allowed to access ServiceA. IPTVService is part of ServiceA, but the user is not authorized to access IPTVService. SSG redirects TCP sessions from the user to IPTVService (10.1.1.1/32), but allows access to anywhere else in ServiceA (10.0.0.0/8).
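The following configuration is an added worked example for the Figure 10-1 scenario; it is not taken from this guide. It assumes SSG is already enabled and that ServiceA (10.0.0.0/8) and IPTVService (10.1.1.1/32) are defined as SSG services in the RADIUS service profiles. The captive portal server addresses 192.0.2.x, the group names iptv-portal and default-portal, and the list names iptv-nets and web-ports are hypothetical. It wires together the three building blocks described above (server group, network list, port list) and shows both the network-specific and the default form of redirect unauthorized-service.

```cisco
! Added example, not from the Cisco guide. Server addresses, group names and
! list names are hypothetical; 10.1.1.1/32 is the IPTVService address used
! in Figure 10-1. SSG itself (ssg enable) is assumed to be configured already.
ssg tcp-redirect
 ! Captive portal group that prompts for the IPTVService logon.
 ! SSG picks a server round-robin and pins a user to that server.
 server-group iptv-portal
  server 192.0.2.10 8090
  server 192.0.2.11 8090
  exit
 ! Default captive portal group for every other unauthorized service.
 server-group default-portal
  server 192.0.2.20 8090
  exit
 ! Network list: destinations whose unauthorized sessions go to iptv-portal.
 ! Only this one list can be associated with the iptv-portal group.
 network-list iptv-nets
  network 10.1.1.1 255.255.255.255
  exit
 ! Port list: restrict redirection to the web ports the portal can serve.
 ! A session to any other TCP port is not redirected, so SSG drops it.
 port-list web-ports
  port 80
  port 8080
  exit
 ! Associate the port list with each server group (one port list per group).
 redirect port-list web-ports to iptv-portal
 redirect port-list web-ports to default-portal
 ! Unauthorized sessions to 10.1.1.1/32 go to iptv-portal; unauthorized
 ! sessions to any network not in a network list fall through to default-portal.
 redirect unauthorized-service destination network-list iptv-nets to iptv-portal
 redirect unauthorized-service to default-portal
```

With this configuration an authenticated user who is logged on to ServiceA but not to IPTVService can reach 10.0.0.0/8 normally, while a TCP session to 10.1.1.1 on port 80 or 8080 is rewritten to one of the iptv-portal servers. Verify the groups and their associated lists with show ssg tcp-redirect group, and the active per-session translations with show ssg tcp-redirect mappings.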

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

10-2

OL-4387-02
