Cisco 10000 Series Internet Router Service Selection Gateway Configuration Guide
SSG TCP Redirect

Table Of Contents

SSG TCP Redirect

Redirection for Unauthenticated Users

Redirection for Unauthorized Services

Initial Captivation

Restrictions for SSG TCP Redirect

Prerequisites for SSG TCP Redirect

Configuration of SSG TCP Redirect

Configuration Considerations for SSG TCP Redirect

Configuring Port-Based Redirection for Unauthenticated Users

Limiting Redirection for Unauthenticated Users

Configuring SSG TCP Redirect

Configuration Examples for SSG TCP Redirect

Configuration Example for Server Groups

Configuration Example for Network Lists

Configuration Example for Port Lists


SSG TCP Redirect


The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services and ensures that subscribers are only allowed to access the services that the service provider wants them to.

The SSG TCP Redirect feature always sends redirected packets to a captive portal group. Any server that is programmed to respond to the redirected packets can be a captive portal. A captive portal group consists of one or more servers. SSG TCP Redirect identifies a captive portal group by its unique name. Each server in a captive portal group is identified by its IP address and TCP port. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. Servers can be in the SSG Open Garden or default network.

If SESM is used as a captive portal, unauthenticated users can be sent automatically to the SESM logon page when they start a browser session. Captive portal applications can also redirect to service logon pages, advertising pages, and message pages. The SESM captive portal application can also capture a URL in a user request and redirect the browser to the originally requested URL after successful authentication.

The SSG feature does not require that you configure all service definitions manually, using the command line interface (CLI). Some, and possibly all service definitions, can come from RADIUS. The download of definitions is triggered when a user attempts to send a packet to a network that is not defined in the SSG VRF table. If this occurs and redirection is enabled, SSG redirects the packet to SESM, which then triggers RADIUS to download the service definition. SSG forwards subsequent packets without redirection.

The Cisco 10000 series router supports the following types of redirection:

Redirection for Unauthenticated Users

Redirection for Unauthorized Services

Initial Captivation

Redirection for Unauthenticated Users

Redirection for unauthenticated users redirects packets from a user who has not yet been authenticated by the service provider. When an unauthenticated subscriber attempts to connect to a service on a TCP port (for example, to www.cisco.com), SSG TCP Redirect redirects the packet to the captive portal (SESM or a group of SESM devices). SESM issues a redirect to the browser to display the logon page. The subscriber logs in to SESM and is authenticated and authorized. SESM then presents the subscriber with a personalized home page, the service provider home page, or the original URL.

The SSG TCP Redirect feature always sends redirected packets to a captive portal group that consists of one or more servers. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. For upstream packets, SSG rewrites the destination IP address and TCP port to those of the selected captive portal server. For downstream packets, SSG rewrites the source IP address and port back to the original packet's destination. SSG uses the same redirect server if multiple TCP sessions from the same user are redirected. When the TCP session terminates or is idle for more than 60 seconds, SSG clears the translations it made for packets sent to the captive portal. In host-key mode with overlapping user IP addresses, redirection works only for host-keyed servers.


Note This feature applies only to non-PPP users. PPP users are always authenticated as part of the PPP negotiation process. PPP users logging off from SESM are also redirected.


The following describes the behavior of redirection for unauthenticated users:

If a user is subject to redirection or captivation, then packets from the user that match the protocol and ports configured as the redirection and captivation filter are sent to SESM. If the user packet does not match the filter, SSG drops the packet.

SSG drops all packets to the user, unless the packet arrives from the SESM or the Open Garden network.

Redirection for Unauthorized Services

Redirection for unauthorized services redirects TCP sessions from authenticated users who have not been authorized to access service networks. SSG TCP Redirect redirects the packets to a captive portal, such as SESM. SESM can then prompt for the service logon.

SSG can redirect unauthorized TCP sessions for different networks to different servers. For network-based redirection, a list of networks is used for unauthorized service redirect. The network list is associated with a group of servers. Only one network list can be associated with a server group.

The server group can also be associated with a port or a list of ports. Servers handle particular captive portal applications as defined by the port that they use. TCP sessions redirected to servers can be restricted based on a port or port list. A port list defines a named list of interesting destination TCP ports. The port list is associated with a server group and is used to restrict the applications redirected to a server group. Only one port list or port can be associated with a server group.

If none of the destination networks matches the networks in the network list, you can set up a default server group to receive redirected packets by using the redirect unauthorized-service command.

[no] redirect unauthorized-service [destination network-list network-listname] to group-name

SSG TCP Redirect also restricts access to certain networks that are part of another authorized service. For example, in Figure 10-1 the user is allowed to access ServiceA. IPTVService is part of ServiceA, but the user is not authorized to access IPTVService. SSG redirects TCP sessions from the user to IPTVService (10.1.1.1/32), but allows access to anywhere else in ServiceA (10.0.0.0/8).

Figure 10-1 Restricting Access to Networks within Authorized Services

The following describes the behavior of redirection for unauthorized services:

If a packet arrives from an unauthorized SSG user or it is destined to an unauthorized service, SSG redirects the packet if the packet matches the protocol and ports configured as the redirection filter. If the packet does not match the filter, SSG drops the packet.

If a packet arrives from an unauthorized service or is destined to an unauthorized SSG user, SSG drops the packet.

If a user's connection is subject to redirection or captivation, SSG redirects to SESM any packets from the connection that match the protocol and ports for redirection and captivation.

If packets from the connection do not match the protocol and ports configured as a filter, SSG drops the packets.
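To make the decision rules for unauthenticated users and for unauthorized services concrete, the following added example (not Cisco code; a constructed model of the behavior described above) implements them in Python: the port filter that decides between redirect and drop, the network-list lookup with a default group for unauthorized services, the Figure 10-1 case of an unauthorized service network nested inside an authorized one, round-robin server selection that stays sticky per user, and the upstream/downstream address translation. The server groups, port list, network list and service networks are sample values; initial captivation and the 60-second idle timer are not modelled.

```python
import ipaddress
# Constructed sample configuration (not taken from any device): two server groups,
# the "ports" port list, one network list, and the ServiceA/IPTVService networks.
SERVER_GROUPS = {
    "userRedirect": [("10.0.1.4", 8090)],
    "serviceRedirect1": [("10.0.1.4", 8094), ("10.0.1.5", 8094)],
}
UNAUTHENTICATED_GROUP = "userRedirect"
DEFAULT_UNAUTHORIZED_GROUP = "serviceRedirect1"
REDIRECT_PORTS = {80, 8080, 443}
NETWORK_LISTS = {"serviceNetwork1": (["10.1.1.1/32"], "serviceRedirect1")}
SERVICES = {"ServiceA": "10.0.0.0/8", "IPTVService": "10.1.1.1/32"}

def service_for(dst):
    """Most specific service network containing dst; None if the network is undefined."""
    return max(((ipaddress.ip_network(n).prefixlen, s) for s, n in SERVICES.items()
                if dst in ipaddress.ip_network(n)), default=(0, None))[1]

class Ssg:
    def __init__(self):
        self.rr = {g: 0 for g in SERVER_GROUPS}  # round-robin cursor per group
        self.sticky = {}  # (user, group) -> server reused for all that user's sessions
        self.xlate = {}   # (user, src_port) -> original (dst_ip, dst_port)

    def pick_server(self, user, group):
        if (user, group) not in self.sticky:
            servers = SERVER_GROUPS[group]
            self.sticky[(user, group)] = servers[self.rr[group] % len(servers)]
            self.rr[group] += 1
        return self.sticky[(user, group)]

    def upstream(self, user, src_port, dst_ip, dst_port, authenticated, services):
        """Decide forward / redirect / drop for a new TCP session from the user."""
        dst = ipaddress.ip_address(dst_ip)
        if not authenticated:
            group = UNAUTHENTICATED_GROUP
        elif service_for(dst) in services:
            return ("forward", (dst_ip, dst_port))  # authorized service: no filter applied
        else:  # unauthorized or undefined service: matching network list, else default
            group = next((g for nets, g in NETWORK_LISTS.values()
                          if any(dst in ipaddress.ip_network(n) for n in nets)),
                         DEFAULT_UNAUTHORIZED_GROUP)
        if dst_port not in REDIRECT_PORTS:  # outside the redirection filter
            return ("drop", None)
        self.xlate[(user, src_port)] = (dst_ip, dst_port)  # remembered for the reply
        return ("redirect", self.pick_server(user, group))

    def downstream(self, user, src_port):
        # Portal reply to the user: the source becomes the destination the user asked for.
        return self.xlate.get((user, src_port))
```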

Initial Captivation

Initial captivation redirects certain packets from users for a specific period of time. After a user logs on, packets to certain TCP ports are redirected to a server for advertisements and branding. SSG captivates the user by redirecting all user packets to those TCP ports regardless of the destination address. Captivation is active for a specified duration, starting from the first redirected session.

If you configure initial captivation globally by using the CLI, captivation applies to all authenticated users. You can also enable initial captivation in the RADIUS user profile as an Account-Info attribute to override the CLI setting.

The user profile contains the following information for initial captivation:

Server group name


Note Use the CLI to configure the server group and associate a port or port list to the server group.


Duration of captivation

Service name (optional)


Note If you specify the optional service name, captivation activates only when logon to that service occurs.


Typically, if a service is connected, SSG forwards packets to a user and packets from a user even if the packets do not match the protocol and TCP ports specified for redirection. However, the behavior of initial captivation on the Cisco 10000 series router differs in the following ways:

When a packet arrives from an SSG user and the packet matches the protocol and TCP ports configured as the redirection filter, the packet is subject to initial captivation and is redirected. If the packet does not match the redirection filter, it is not subject to initial captivation and the packet is dropped.

When a packet arrives from a service destined for an SSG user that is subject to initial captivation, the packet is dropped.

Restrictions for SSG TCP Redirect

The SSG TCP Redirect feature has the following restrictions:

The server(s) defined in a server group must be globally routable.

Traffic from hosts with overlapping IP addresses can be redirected only to SESMs with port-bundle host keys.

When overlapping IP address support is enabled (the host key feature is enabled), a host can reach the SSG only by a particular interface on the router. All packets between the host and the SSG use this interface and you should not change the route between SSG and the host.

After you configure the servers in a group, the routes to those servers should not change. SSG TCP Redirect does not work if packets from servers that need to be redirected are received on a non-SSG interface.

TCP sessions that can remain idle for more than one minute are not supported.

Prerequisites for SSG TCP Redirect

Cisco SESM Release 3.1(1) or later is required to handle unauthenticated redirections. For other types of redirection, SESM Release 3.1.1 or later is required.

Configuration of SSG TCP Redirect

To configure SSG TCP Redirect, perform the following tasks:

Enable SSG TCP Redirect.

Define the captive portal server groups.

Specify the redirect server groups for unauthenticated user redirection.

Define network lists.

Define port lists.

Associate network and port lists with server groups.

Specify the default groups for captivation.

The following sections describe these tasks in more detail:

Configuration Considerations for SSG TCP Redirect

Configuring Port-Based Redirection for Unauthenticated Users

Limiting Redirection for Unauthenticated Users

Configuring SSG TCP Redirect

Configuration Considerations for SSG TCP Redirect

When you configure SSG TCP Redirect, consider the following:

Where to redirect—Determine the server group to which you want to redirect.

When to redirect—Determine if you want to redirect for unauthenticated, unauthorized, or initial packets.

What to redirect—Determine if you want to redirect by networks or ports, and then decide the networks to include in a network list and the ports to include in a port list.

Configuring Port-Based Redirection for Unauthenticated Users

To apply SSG TCP Redirect to unauthenticated users based on a TCP port, bind the unauthenticated user redirect server group to a port using the redirect port command in SSG redirect configuration mode.

Example 10-1 binds the server group named userRedirect1 to port 80 for unauthenticated user redirection.

Example 10-1 Binding a Server Group to a Port

Router(config)# ssg tcp-redirect
Router(config-ssg-redirect)# server-group userRedirect1
Router(config-ssg-redirect-group)# server 10.0.1.4 8090
Router(config-ssg-redirect-group)# exit
Router(config-ssg-redirect)# redirect unauthenticated-user to userRedirect1
Router(config-ssg-redirect)# redirect port 80 to userRedirect1

Limiting Redirection for Unauthenticated Users

To limit the number of TCP sessions from an unauthenticated user that are redirected to a particular server group, use the max-sessions command in the SSG redirect group configuration mode:

server-group group-name
max-sessions host number

Example 10-2 limits the number of TCP sessions from user4. In this example, SSG redirects a maximum of 15 sessions from user4 to the server group named new-users1.

Example 10-2 Limiting Redirected TCP Sessions

Router(config)# ssg tcp-redirect
Router(config-ssg-redirect)# server-group new-users1
Router(config-ssg-redirect-group)# server 10.0.1.4 8090
Router(config-ssg-redirect-group)# max-sessions user4 15

Configuring SSG TCP Redirect

To configure SSG TCP Redirect, use the following commands beginning in global configuration mode:

Step 1
Command: Router(config)# ip cef
Purpose: Enables Cisco Express Forwarding (CEF).

Step 2
Command: Router(config)# ssg enable
Purpose: Enables SSG functionality.

Step 3
Command: Router(config)# ssg tcp-redirect
Purpose: Enables the SSG TCP Redirect feature.

Step 4
Command: Router(config-ssg-redirect)# server-group group-name
Purpose: Defines the captive portal group.

Command: Router(config-ssg-redirect-group)# server ip-address port
Purpose: Adds a server, identified by its IP address and TCP port, to the captive portal group.

Step 5
Command: Router(config-ssg-redirect)# redirect unauthenticated-user to group-name
Purpose: Selects a captive portal group for redirection of traffic from unauthenticated users.

Step 6
Command: Router(config-ssg-redirect)# port-list port-listname
Purpose: Defines a port list.

Command: Router(config-ssg-redirect-port)# port port-number
Purpose: Adds a port to the port list.

Command: Router(config-ssg-redirect)# redirect port port-number to group-name
Purpose: Configures a TCP port for SSG TCP redirection.

Command: Router(config-ssg-redirect)# redirect port-list port-listname to group-name
Purpose: Configures a TCP port list for SSG TCP redirection.

Step 7
Command: Router(config-ssg-redirect)# redirect captivate initial default group group-name duration seconds
Purpose: Selects the default captive portal group for initial captivation of users upon initialization.

Step 8
Command: Router(config-ssg-redirect)# network-list network-listname
Purpose: Defines a network list.

Command: Router(config-ssg-redirect-network)# network ip-address mask
Purpose: Adds a network IP address to the network list.

Step 9
Command: Router(config-ssg-redirect)# redirect unauthorized-service [destination network-list network-listname] to group-name
Purpose: Specifies a list of destination IP networks whose traffic is redirected to the captive portal group.

For more detailed information, refer to the SSG TCP Redirect for Services, Release 12.2(4)B feature module.

Configuration Examples for SSG TCP Redirect

This section provides the following example configurations:

Configuration Example for Server Groups

Configuration Example for Network Lists

Configuration Example for Port Lists

For more configuration examples, refer to the SSG TCP Redirect for Services, Release 12.2(4)B feature module.

Configuration Example for Server Groups

Example 10-3 shows how to configure a server group for user, service, and initial captivation redirection. The server with IP address 10.0.1.4 is the captive portal for all three types of redirection. Port 8090 is used for user redirection; port 8094 is used for service redirection; and port 8091 is used for initial captivation.

Example 10-3 Defining a Captive Portal Server Group

Router(config)# ssg enable
Router(config)# ssg tcp-redirect
Router(config-ssg-redirect)# server-group userRedirect
Router(config-ssg-redirect-group)# server 10.0.1.4 8090
Router(config-ssg-redirect-group)# server-group serviceRedirect1
Router(config-ssg-redirect-group)# server 10.0.1.4 8094
Router(config-ssg-redirect-group)# server-group initialCaptivate
Router(config-ssg-redirect-group)# server 10.0.1.4 8091

Configuration Example for Network Lists

Example 10-4 defines three network lists. The list named serviceNetwork1 includes network 10.1.1.0; the list named serviceNetwork2 includes network 10.2.2.0; and the list named serviceNetwork3 includes network 10.3.3.0.

Example 10-4 Defining Network Lists

Router(config)# ssg tcp-redirect
Router(config-ssg-redirect)# network-list serviceNetwork1
Router(config-ssg-redirect-network)# network 10.1.1.0 255.255.255.0
Router(config-ssg-redirect-network)# network-list serviceNetwork2
Router(config-ssg-redirect-network)# network 10.2.2.0 255.255.255.0
Router(config-ssg-redirect-network)# network-list serviceNetwork3
Router(config-ssg-redirect-network)# network 10.3.3.0 255.255.255.0

Configuration Example for Port Lists

Example 10-5 shows how to configure a port list named ports for TCP redirection of HTTP packets and associate the port list to the server groups named serviceRedirect1 and initialCaptivate.

Example 10-5 Defining Port Lists

Router(config)# ssg tcp-redirect
Router(config-ssg-redirect)# port-list ports
Router(config-ssg-redirect-port)# port 80
Router(config-ssg-redirect-port)# port 8080
Router(config-ssg-redirect-port)# port 443
Router(config-ssg-redirect-port)# exit
Router(config-ssg-redirect)# redirect port-list ports to serviceRedirect1
Router(config-ssg-redirect)# redirect port-list ports to initialCaptivate