Article

Redirection mechanisms used for captive portal deployment


Information

 
Title: Redirection mechanisms used for captive portal deployment
Objective
The following article explains the methods used to redirect traffic to an Extreme Access Control appliance for a captive portal deployment. When a switch learns the MAC address, the user is Unauthenticated and NAC assigns the user an Unregistered policy; the administrator can then choose one of four ways to redirect the traffic to the NAC.

1.  ToS rewrite with policy based routing
      A two-step process: a switch or wireless controller rewrites the ToS of the packet, and a router upstream is configured to redirect traffic marked with that ToS to the NAC.
      This is the most secure method because the packet can be controlled at each router.

2.  External captive portal (web redirect)
      The wireless controller intercepts HTTP and HTTPS traffic and sends it to the NAC.
      This is less secure than a route-map with PBR because there is no control over how the packet is directed after it leaves the wireless controller.

      Wired switches do not support external captive portal.

3.  Proxy DNS
      The client is configured to use the NAC server for DNS, with a backup DNS server.
      This is the least secure method because it requires the user to configure the NAC as their primary DNS, and this can be changed by the user without the administrator's knowledge.

4.  Configuring a Cisco Wireless Controller using the AV-Pair URL method
      When there is a Cisco Wireless Controller that supports the AV-Pair method:
 
Environment
  • Extreme Access Control/NAC
  • Captive Portal
  • EOS
  • EXOS
  • Identifi

Procedure

Redirection Summary:
The captive portal page cannot be displayed until the user's traffic is captured and redirected to Extreme Access Control. Redirection for use with captive portal occurs when a user accesses the network to reach the internet or another resource, regardless of the media used.

For redirection to occur, the network must be able to identify a guest user's traffic, assign that traffic a policy that triggers redirection, and, once the traffic has been redirected and the captive portal process has completed, remove the traffic from the policy that triggers redirection so that normal traffic flow is allowed.

General Flow required in all redirection environments: 

  • Authenticate user and assign "Unregistered" policy
  • "Unregistered" policy causes redirection to occur (Multiple redirection methods)
  • User registers to portal
  • Extreme Access Control re-authenticates user
  • User authenticates to receive a policy other than "Unregistered" that allows user traffic to their allocated resources 

Redirection Mechanisms:
  1. Policy Based Routing using ToS rewrite
Related articles:
  • How To Configure EOS and EXOS Switch to Rewrite ToS
  • What are the "Unregistered" Role rules required for PBR redirection on the EWC for captive portal
  • How to configure PBR on EXOS or EOS switches for NAC integration
  • How to Configure a Route-Map to Redirect Traffic marked with a ToS value on a Cisco Enterprise Switch/Router
Compatible platforms: PBR must be handled by a device capable of PBR configuration (EXOS, EOS, or 3rd party); the edge device must support ToS rewrite (Identifi, EXOS, EOS, or 3rd party).

User traffic is assigned an "Unregistered" policy that is configured to add a DSCP value to web traffic (typically CS2, ToS 0x40) at the point where the policy is applied. In a wired environment this is the physical switch port. In a wireless environment it is either the AP or the controller, depending on the deployment (B@AP, or B@EWC without AP filtering).

The traffic is then forwarded by normal mechanisms until it is processed by a router interface that is configured for Policy Based Routing. The PBR-enabled interface looks for the CS2 marking in the layer 3 header of the packet to identify it as traffic to be redirected, and then forwards the packet according to the "Next Hop" configured in the route-map.

Note: PBR does not rewrite the destination IP address. It performs a route table lookup to reach the configured next hop and modifies only the destination MAC address, to that of the next-hop router (if the Extreme Access Control network is remote) or of the Extreme Access Control server (if the network is directly connected). If the destination network is not directly connected, the packet is forwarded to another router based on the routing table. If that next-hop router is not configured for PBR, it processes the packet as is, most likely matching the default route to the internet, which may cause a routing loop. If your Extreme Access Control network is multiple hops away, each hop must be configured for PBR in order to get the packet to the destination network.
Related article: Do Route-Maps Need to be Configured on All Routers in the Datapath to Redirect Traffic to a Content Filter or the Default Portal in NAC

Note: A switch cannot rewrite the ToS and redirect the packet with a route-map simultaneously, so the device rewriting the ToS must be different from the one redirecting the traffic with a route-map.
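The hop-by-hop behaviour described in the note above (PBR keys on the CS2 marking, leaves the destination IP alone, and a single hop without PBR sends the packet back toward the default route) can be walked through with a small forwarding model. This is an added illustration, not code from Extreme or from this article; the router names R1 to R3, the NAC placement and the destination address are constructed for the example.

```python
"""Added illustration, not Extreme's code: hop-by-hop forwarding of a CS2-marked
packet through a constructed three-router path, showing why every router between
the marking device and the Extreme Access Control server must run PBR."""
from dataclasses import dataclass, field

DSCP_CS2 = 16   # DSCP CS2; the article quotes the marking as ToS byte 0x40


@dataclass
class Router:
    name: str
    default_next_hop: str                        # default route target (internet uplink or upstream router)
    routes: dict = field(default_factory=dict)   # destination -> next hop from the routing table
    connected: set = field(default_factory=set)  # directly attached endpoints
    pbr_next_hop: str = None                     # route-map "set next-hop" for CS2 traffic; None = no PBR

    def next_hop(self, dscp, dst):
        # PBR is evaluated before the routing table and keys only on the marking;
        # the destination IP of the packet is never changed, only the next hop is.
        if dscp == DSCP_CS2 and self.pbr_next_hop is not None:
            return self.pbr_next_hop
        if dst in self.connected:
            return dst
        return self.routes.get(dst, self.default_next_hop)


def trace(routers, ingress, dscp, dst, max_hops=10):
    """Walk the packet from the ingress router until it leaves the routed domain.
    Returns (path, endpoint): endpoint is the device the packet reached, or "LOOP"
    if it bounced between routers more than max_hops times."""
    path = [ingress]
    hop = ingress
    while hop in routers:
        if len(path) > max_hops:
            return path, "LOOP"
        hop = routers[hop].next_hop(dscp, dst)
        path.append(hop)
    return path, hop


def build_topology(pbr_on_every_hop):
    """Constructed topology: R1 holds the internet uplink and is the first router the
    marked traffic reaches; the NAC sits on a network directly attached to R3."""
    r1 = Router("R1", default_next_hop="INTERNET", routes={"NAC": "R2"}, pbr_next_hop="R2")
    r2 = Router("R2", default_next_hop="R1", routes={"NAC": "R3"},
                pbr_next_hop="R3" if pbr_on_every_hop else None)
    r3 = Router("R3", default_next_hop="R2", connected={"NAC"}, pbr_next_hop="NAC")
    return {r.name: r for r in (r1, r2, r3)}


if __name__ == "__main__":
    web_server = "203.0.113.80"   # constructed destination the unregistered client asked for
    print(trace(build_topology(True), "R1", DSCP_CS2, web_server))    # marked, PBR on every hop
    print(trace(build_topology(False), "R1", DSCP_CS2, web_server))   # marked, R2 without PBR
    print(trace(build_topology(True), "R1", 0, web_server))           # registered user, no marking
```

With PBR on all three routers the marked packet ends at the NAC; with R2 missing its route-map the packet alternates between R1 (PBR toward R2) and R2 (default route back to R1), which is the routing loop the note warns about. Unmarked traffic from a registered user follows the default route to the internet untouched.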
 

  2. External Captive Portal
Compatible platform: Identifi Wireless Controller
Related article: How To Redirect Client Traffic to NAC using Web Redirect / External Captive Portal

The Extreme Wireless Controller can use DNS and web traffic in a B@HWC or B@AP (newer feature, requires newer code) environment to rewrite the destination IP address of web traffic to the IP address of the Extreme Access Control server.

The Unregistered policy must at least allow:

  • the IP address of EAC on ports 80 and 8080
  • the IP address of the B@HWC topology
  • DNS
  • DHCP

and must NOT otherwise allow ports 80 and 8080, or redirection will not occur.

 

Note: If the canned "Unregistered" profile on NAC is not used, the NAC MUST return a "Login-LAT-Port" attribute of "0" for redirection to function.
Note: Client auto-login settings only affect external captive portal mode.

  3. Proxy DNS
Related article: How To Redirect Traffic to NAC Using Proxy DNS

Proxy DNS requires turning on the DNS Proxy service in Extreme Access Control (see the article linked above). In this configuration Extreme Access Control responds to every DNS request that is not covered by the "Allowed URLs" settings with its own IP address. Unregistered clients must be allowed to communicate with EAC on port 53 and must not be allowed to contact a real DNS server during the Unregistered portion of captive portal registration. EAC tells the client that it is the web address the client is looking for and so captures the client's web traffic. After captive portal registration the client must be moved into a new policy that does NOT allow DNS traffic to the EAC, or the client will be stuck in the captive portal.

The DHCP server MUST provide two DNS server addresses: a real production DNS server as the primary, and the NAC with the DNS Proxy service turned on as the secondary.

Once DNS Proxy is turned on, the policy roles must have the following components:

"Unregistered" role:
  • MUST NOT allow connectivity to the real production DNS server
  • MUST have all DNS requests from clients point only to the EAC with the DNS Proxy service enabled

"Registered" role (provided after registration):
  • MUST NOT allow connectivity to the EAC with the DNS Proxy service enabled
  • MUST allow connectivity to the production DNS server
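The MUST and MUST NOT requirements for the external captive portal Unregistered policy (allow EAC on 80/8080, the B@HWC topology, DNS and DHCP, block web elsewhere) and for the Proxy DNS Unregistered and Registered roles above can be turned into a checker that is run against a role before it is pushed to the edge. This is an added example, not Extreme's code or an Extreme policy format: the first-match rule model, the addresses (documentation ranges) and the sample roles are all constructed for illustration, and real policy rules carry far more classifiers than this.

```python
"""Added example, not Extreme's code: a checker for the "Unregistered" and
"Registered" policy roles against the requirements this article states for the
external captive portal and Proxy DNS methods. The rule model, addresses and
role contents are constructed for illustration only."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str             # "allow" or "deny"
    proto: str = "any"      # "any", "tcp" or "udp"
    dst: str = "any"        # "any" or one destination IP address
    port: int = None        # None = any destination port

    def matches(self, proto, dst, port):
        return (self.proto in ("any", proto)
                and self.dst in ("any", dst)
                and self.port in (None, port))


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)   # evaluated in order, first match wins
    default: str = "deny"                       # action when no rule matches

    def permits(self, proto, dst, port=None):
        for rule in self.rules:
            if rule.matches(proto, dst, port):
                return rule.action == "allow"
        return self.default == "allow"


# Constructed addresses from documentation ranges, not taken from the article
EAC_IP = "192.0.2.10"           # Extreme Access Control engine
HWC_TOPOLOGY_IP = "192.0.2.1"   # B@HWC topology interface on the wireless controller
PROD_DNS_IP = "198.51.100.53"   # production DNS server
OTHER_HOST = "203.0.113.80"     # a web server the unregistered client must not reach directly
BROADCAST = "255.255.255.255"   # DHCP discover destination


def check_ecp_unregistered(role):
    """External captive portal: EAC on 80/8080, the B@HWC topology, DNS and DHCP
    must be allowed; web ports to anything else must be blocked."""
    problems = []
    for port in (80, 8080):
        if not role.permits("tcp", EAC_IP, port):
            problems.append(f"{role.name}: must allow tcp/{port} to EAC {EAC_IP}")
        if role.permits("tcp", OTHER_HOST, port):
            problems.append(f"{role.name}: must not allow tcp/{port} to other hosts")
    # proto "any" with no port only matches a fully generic allow for the topology address
    if not role.permits("any", HWC_TOPOLOGY_IP):
        problems.append(f"{role.name}: must allow the B@HWC topology address {HWC_TOPOLOGY_IP}")
    if not role.permits("udp", PROD_DNS_IP, 53):
        problems.append(f"{role.name}: must allow DNS")
    if not role.permits("udp", BROADCAST, 67):
        problems.append(f"{role.name}: must allow DHCP")
    return problems


def check_proxy_dns_roles(unregistered, registered):
    """Proxy DNS: the Unregistered role may resolve names only through the EAC
    proxy; the Registered role must leave the proxy and use production DNS."""
    problems = []
    if unregistered.permits("udp", PROD_DNS_IP, 53):
        problems.append(f"{unregistered.name}: must not reach production DNS {PROD_DNS_IP}")
    if not unregistered.permits("udp", EAC_IP, 53):
        problems.append(f"{unregistered.name}: must allow DNS to the EAC proxy {EAC_IP}")
    if registered.permits("udp", EAC_IP, 53):
        problems.append(f"{registered.name}: must not reach the EAC DNS proxy (client stays captured)")
    if not registered.permits("udp", PROD_DNS_IP, 53):
        problems.append(f"{registered.name}: must allow production DNS {PROD_DNS_IP}")
    return problems


def sample_roles():
    """Constructed roles: compliant examples for each method plus two common mistakes."""
    web_to_eac = [Rule("allow", "tcp", EAC_IP, 80), Rule("allow", "tcp", EAC_IP, 8080)]
    return {
        "ecp": Role("Unregistered-ECP", web_to_eac + [
            Rule("allow", dst=HWC_TOPOLOGY_IP),
            Rule("allow", "udp", port=53), Rule("allow", "udp", port=67)]),
        "dns": Role("Unregistered-ProxyDNS", web_to_eac + [
            Rule("allow", "udp", EAC_IP, 53),          # DNS only to the EAC proxy
            Rule("allow", "udp", port=67)]),
        "dns_leaky": Role("Unregistered-Leaky", web_to_eac + [
            Rule("allow", "udp", port=53)]),           # any DNS server: client bypasses the proxy
        "registered": Role("Registered", [
            Rule("deny", "udp", EAC_IP, 53),           # leave the proxy after registration
            Rule("allow")]),
        "registered_stuck": Role("Registered-Stuck", [Rule("allow")]),  # still reaches the proxy
    }


if __name__ == "__main__":
    roles = sample_roles()
    print(check_ecp_unregistered(roles["ecp"]))
    print(check_proxy_dns_roles(roles["dns"], roles["registered"]))
    print(check_proxy_dns_roles(roles["dns_leaky"], roles["registered_stuck"]))
```

The two broken roles show the failure modes the article calls out: an Unregistered role that allows DNS to any server lets the client resolve names past the proxy and never be captured, and a Registered role that still permits DNS to the EAC keeps answering with the EAC address, so the client stays in the captive portal.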

  4. Cisco Wireless LAN Controller with AV-Pair URL method
If supported, the Cisco WLC can provide redirection by applying a specific URL supplied by the EAC in an AV-Pair.

Related article: Configure NAC RADIUS Return Attributes For Captive Portal Redirect On Cisco Wireless Controller
 

Additional notes
