The captive portal page cannot be displayed until the user's traffic is captured and redirected to Extreme Access Control. Redirection for captive portal occurs when a user accesses the network to reach the internet or another resource, regardless of the media used.
For redirection to occur the network must be able to identify a guest user's traffic, assign that traffic a policy that triggers redirection, and, once the user has been redirected and the captive portal process has completed, remove the policy that triggers redirection so that traffic flows normally.
General flow required in all redirection environments:
- Authenticate user and assign "Unregistered" policy
- "Unregistered" policy causes redirection to occur (multiple redirection methods are available; they are described below)
- User registers to portal
- Extreme Access Control re-authenticates user
- User authenticates and receives a policy other than "Unregistered" that allows the user's traffic to reach their allocated resources
- Policy Based Routing using ToS rewrite
How To Configure EOS and EXOS Switch to Rewrite ToS
What are the "Unregistered" Role rules required for PBR redirection on the EWC for captive portal
How to configure PBR on EXOS or EOS switches for NAC integration
How to Configure a Route-Map to Redirect Traffic marked with a ToS value on a Cisco Enterprise Switch/Router
Compatible platforms: PBR must be handled by a device capable of PBR configuration (EXOS, EOS, or 3rd party); the edge device must support ToS rewrite (IdentiFi, EXOS, EOS, or 3rd party).
User traffic is assigned an "Unregistered" policy that is configured to mark web traffic with a DSCP value (typically CS2, ToS byte 0x40) at the point where the policy is applied. In a wired environment this is the physical switch port. In a wireless environment this is either the AP or the Controller, depending on deployment (B@AP, or B@EWC without AP filtering).
The traffic is then forwarded by normal mechanisms until it reaches a router interface configured for Policy Based Routing. The PBR-enabled interface looks for the CS2 marking in the layer 3 header to identify the packet as traffic to be redirected, and forwards it to the "Next Hop" configured in the route-map.
Note: PBR performs a route table lookup to reach the configured next hop and does not rewrite the destination IP address; it rewrites only the destination MAC address to that of the next-hop router (if the EAC network is remote) or of the Extreme Access Control server (if the network is directly connected). If the destination network is not directly connected, the packet is forwarded to another router according to the routing table. If that next-hop router is not configured for PBR it processes the packet as is, most likely matching the default route to the internet, and a routing loop may result. If your Extreme Access Control network is multiple hops away, every hop must be configured for PBR to get the packet to the destination network.
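The hop-by-hop behaviour described in the note above, modelled in Python as an added example (this is not Extreme Networks' code or configuration). The addresses, device names and route tables are constructed for the model. It builds IPv4 headers carrying DSCP CS2, applies a PBR next-hop override only on routers flagged as PBR-enabled, and shows that a non-PBR router in the path sends the still-unchanged destination address down its default route instead of toward the EAC:

```python
import ipaddress
import struct

# DSCP CS2 is code point 16. DSCP occupies the upper six bits of the IPv4
# ToS/DS byte, so CS2 appears on the wire as ToS 0x40 (the "0x40" above).
DSCP_CS2 = 16

# Constructed addresses for the model (not from any real deployment).
EAC_IP = "10.200.0.5"        # assumed Extreme Access Control server
CLIENT_IP = "10.10.0.25"     # assumed unregistered guest client
WEB_IP = "203.0.113.80"      # assumed internet web server (TEST-NET-3 range)


def tos_byte(dscp, ecn=0):
    """Pack a DSCP code point and ECN bits into the IPv4 ToS/DS byte."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x03)


def build_ipv4_header(src, dst, dscp, proto=6, total_length=40):
    """Construct a 20-byte IPv4 header (no options) carrying the given DSCP.
    The checksum is left at zero; this is a model, not a packet sender."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos_byte(dscp), total_length,
                       0x1234, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(hdr):
    """Return the fields a PBR route-map cares about: DSCP, protocol, dst."""
    _, tos, _, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"dscp": tos >> 2, "proto": proto, "dst": ipaddress.IPv4Address(dst)}


class Router:
    """A router with a static route table and an optional PBR route-map that
    matches CS2-marked TCP traffic and sets the next hop to the EAC."""

    def __init__(self, routes, pbr_next_hop=None):
        # routes: list of (prefix, label); label is the adjacent router's
        # name or an endpoint ("EAC", "INTERNET") reached on that prefix.
        self.routes = [(ipaddress.IPv4Network(p), label) for p, label in routes]
        self.pbr_next_hop = pbr_next_hop

    def forward(self, hdr):
        info = parse_ipv4_header(hdr)
        target = info["dst"]
        if self.pbr_next_hop and info["dscp"] == DSCP_CS2 and info["proto"] == 6:
            # Route-map hit: the packet's destination IP is NOT rewritten; the
            # router only looks up how to reach the configured next hop.
            target = ipaddress.IPv4Address(self.pbr_next_hop)
        matches = [(net, label) for net, label in self.routes if target in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest prefix wins


def trace(hdr, first_hop, routers, max_hops=8):
    """Follow the packet router by router until it reaches an endpoint label
    or the hop limit (a loop) is hit. Returns (path, final label)."""
    path, cur = [], first_hop
    while cur in routers and len(path) < max_hops:
        path.append(cur)
        cur = routers[cur].forward(hdr)
    return path, cur


def build_topology(pbr_on_r2):
    """Client -> R1 -> R2 -> EAC segment, with a default route to the internet
    on both routers. R1 always has the route-map; R2 only if pbr_on_r2."""
    return {
        "R1": Router([("10.10.0.0/24", "CLIENT"), ("10.200.0.0/24", "R2"),
                      ("0.0.0.0/0", "INTERNET")], pbr_next_hop=EAC_IP),
        "R2": Router([("10.200.0.0/24", "EAC"), ("10.10.0.0/24", "R1"),
                      ("0.0.0.0/0", "INTERNET")],
                     pbr_next_hop=EAC_IP if pbr_on_r2 else None),
    }


def run_scenarios():
    """Where does a guest's web request end up in each configuration?"""
    marked = build_ipv4_header(CLIENT_IP, WEB_IP, DSCP_CS2)  # "Unregistered" policy applied
    unmarked = build_ipv4_header(CLIENT_IP, WEB_IP, 0)       # registered user, default DSCP
    return {
        "pbr_only_on_first_hop": trace(marked, "R1", build_topology(pbr_on_r2=False))[1],
        "pbr_on_every_hop": trace(marked, "R1", build_topology(pbr_on_r2=True))[1],
        "unmarked_traffic": trace(unmarked, "R1", build_topology(pbr_on_r2=True))[1],
    }


if __name__ == "__main__":
    for scenario, endpoint in run_scenarios().items():
        print(f"{scenario}: packet delivered to {endpoint}")
```

The first scenario is the failure mode the note warns about: R1 matches CS2 and hands the packet toward R2, but R2 has no route-map, sees an ordinary packet for an internet address, and follows its default route, so the client never reaches the portal.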
Do Route-Maps Need to be Configured on All Routers in the Datapath to Redirect Traffic to a Content Filter or the Default Portal in NAC
Note: An EOS switch cannot rewrite the ToS and redirect the packet with a route-map simultaneously, so the device rewriting ToS must be different from the one redirecting the traffic with a route-map.
- External Captive Portal
The "Unregistered" role must allow:
- IP address of EAC on port 80, 8080
- IP address of the B@HWC topology
and must NOT otherwise allow port 80, 8080 in order for redirection to occur.
Note: If the canned "Unregistered" profile on NAC is not used, NAC MUST return the "Login-LAT-Port" attribute with a value of "0" for redirection to function.
Note: Client autologin settings only affect external captive portal mode.
- Proxy DNS
How To Redirect Traffic to NAC Using Proxy DNS
Proxy DNS requires turning on the DNS Proxy service in Extreme Access Control (see the link above). In this configuration Extreme Access Control responds to every DNS request for a name not included in the "Allowed URLs" settings with its own IP address. During the Unregistered portion of captive portal registration, clients must be allowed to communicate with EAC on port 53 and must not be allowed to reach a real DNS server. EAC tells the client that it is the web address the client is looking for and so captures its web traffic. After captive portal registration the client must be moved into a new policy that DOES NOT allow DNS traffic to EAC, or the client will be stuck in the captive portal.
The DHCP server MUST provide two DNS server addresses: a real production DNS server as the primary, and the NAC with DNS proxy services turned on as the secondary.
Once DNS Proxy is turned on the policy roles must have the following components:
"Unregistered" role
- MUST NOT allow connectivity to the real production DNS server
- MUST have all DNS requests from clients point only to the EAC with DNS proxy services enabled
"Registered" role (provided after registration)
- MUST NOT allow connectivity to the EAC with DNS Proxy services enabled
- MUST allow connectivity to the production DNS server
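The Proxy DNS mechanism and the role requirements above, as an added Python example (not Extreme Networks' code; EAC's real proxy is a product service, this only models its decision). The addresses, the "Allowed URLs" entry, the upstream records and the two rule sets are constructed for the example. It builds real DNS query and A-response packets, answers every non-allow-listed name with the EAC's address, lets a client walk the two DHCP-supplied servers under each role, and checks the four MUST/MUST NOT rules:

```python
import struct

# Constructed addresses and names for the model; none are from a real deployment.
EAC_IP = "10.200.0.5"          # assumed EAC running the DNS proxy service
PROD_DNS_IP = "10.10.0.53"     # assumed production DNS server
DHCP_DNS_ORDER = [PROD_DNS_IP, EAC_IP]   # DHCP hands out production first, EAC second
ALLOWED_URLS = {"idp.example.test"}      # names an unregistered client may really resolve
UPSTREAM = {"idp.example.test": "198.51.100.10", "www.example.test": "203.0.113.80"}

# Policy roles as ordered (destination, port, action) rules; "any" is a wildcard.
UNREGISTERED = [(EAC_IP, 53, "permit"), (EAC_IP, 80, "permit"), (PROD_DNS_IP, 53, "deny")]
REGISTERED = [(EAC_IP, 53, "deny"), (PROD_DNS_IP, 53, "permit"), ("any", "any", "permit")]


def build_query(name, qid=0x1A2B):
    """Standard recursive A query (RD=1) for name."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def question_name(pkt):
    """Decode the QNAME labels of the single question in pkt."""
    pos, labels = 12, []
    while pkt[pos] != 0:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


def build_a_response(query, ip, ttl=0):
    """Echo the question and append one A record for ip. TTL 0 keeps the
    proxy's answer out of the client cache once it leaves the portal."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


def answer_ip(resp):
    """Dotted-quad of the single A record at the end of a response."""
    return ".".join(str(b) for b in resp[-4:])


def eac_proxy_dns(query):
    """Model of the EAC DNS proxy: allow-listed names resolve normally,
    every other name is answered with the EAC's own address so the client's
    web request lands on the captive portal."""
    name = question_name(query)
    if name in ALLOWED_URLS:
        return build_a_response(query, UPSTREAM[name])
    return build_a_response(query, EAC_IP)


def permitted(role, dst, port):
    """First matching rule wins; no match means deny."""
    for rule_dst, rule_port, action in role:
        if rule_dst in (dst, "any") and rule_port in (port, "any"):
            return action == "permit"
    return False


def client_lookup(role, name):
    """The client walks the DHCP-supplied server list and uses the first
    server its policy role lets it reach. Returns (server used, answer IP)."""
    for server in DHCP_DNS_ORDER:
        if not permitted(role, server, 53):
            continue
        query = build_query(name)
        if server == EAC_IP:
            resp = eac_proxy_dns(query)
        else:
            resp = build_a_response(query, UPSTREAM.get(name, "0.0.0.0"))
        return server, answer_ip(resp)
    return None, None


def check_roles(unregistered, registered):
    """The four MUST/MUST NOT requirements from the list above, as checks."""
    problems = []
    if permitted(unregistered, PROD_DNS_IP, 53):
        problems.append("Unregistered role reaches the production DNS server")
    if not permitted(unregistered, EAC_IP, 53):
        problems.append("Unregistered role cannot reach the EAC DNS proxy")
    if permitted(registered, EAC_IP, 53):
        problems.append("Registered role still reaches the EAC DNS proxy (client stays in portal)")
    if not permitted(registered, PROD_DNS_IP, 53):
        problems.append("Registered role cannot reach the production DNS server")
    return problems


if __name__ == "__main__":
    print("unregistered:", client_lookup(UNREGISTERED, "www.example.test"))
    print("registered:  ", client_lookup(REGISTERED, "www.example.test"))
    print("role problems:", check_roles(UNREGISTERED, REGISTERED) or "none")
```

The DHCP ordering in the text falls out of the model: the unregistered client is blocked from its primary server and so falls through to the EAC, which answers with itself; once the "Registered" role blocks the EAC on port 53, the same client uses the production server and the portal is out of the path. Passing the same rule set for both roles to `check_roles` reproduces the "stuck in the captive portal" case.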
- Cisco Wireless LAN Controller with AV-Pair URL method
If supported, the Cisco WLC can provide redirection by applying a specific URL that EAC supplies in a RADIUS attribute-value pair (AVP).
Configure NAC RADIUS Return Attributes For Captive Portal Redirect On Cisco Wireless Controller