Captive Portal Redirection

Captive Portal Redirection uses HTTP redirection to force a client's web browser to be redirected to a particular administrative web page. You can use this feature for authentication purposes (user login and password), payment (for example, at an airport hotspot), or use-policy enforcement (installing necessary software, agreeing to terms of service (TOS), etc.).

Captive Portal Redirection is an extension of the ONEPolicy feature. Policy roles can be configured to force redirection of HTTP traffic by specifying a web redirection class index that corresponds to a list of potential redirection servers (captive portal server IP and TCP port numbers identifying HTTP traffic). For traffic that is placed into one of these policy roles (through authentication or policy admin-profile rules), certain actions are taken.

If the incoming traffic is on the configured L4 port and is not destined for the configured captive portal server IP, the switch causes an HTTP redirect message (code 307) to be sent back to the client. If the incoming traffic is destined for the configured captive portal server IP, or it is not on one of the configured listening L4 ports, the traffic is handled according to the rest of the policy role configuration.

Configuring this feature occurs through the etsysPolicyProfileMIB and the ONEPolicy command set. There are two tables in the MIB, one that allows configuration of the listening ports and one that allows configuration of the captive portal servers.

You have the option of setting up to three ports on which to listen (for example: configure policy captive-portal listening 80,8080). These are the ports on which ONEPolicy listens for client traffic that is (potentially) subject to HTTP redirection.

You can configure ten groups of two captive portal servers. They can be used to redirect traffic in different roles to different servers. These groups (indicated by a web redirection class index) include the server indices that correlate to an IP/socket pair and an enabled status for each server (for example, configure policy captive-portal web-redirect 5 server 1 url 111.111.111.11:1234 enable), as well as the ports (from the configured pool) on which to listen for client traffic.

The policy roles used for captive portal redirection each have a non-zero web redirection class index configured (for example, configure policy profile 1 web-redirect 5). The default captive portal web redirection class index for any given role (profile) is 0, or unset. To enable captive portal, there must be a role defined that has a valid captive portal web redirection class index. In addition to the captive portal configuration, this policy role should also have rules to handle the traffic that would not be handled by the captive portal web redirection.

When there are two servers configured in a “web-redirect,” the switch uses the following algorithm to pick which server to use for redirection:

((Last byte of the client's source MAC address)%(numServers)) + 1

For example, where the client MAC address is 00:00:00:00:00:03 and numServers is 2: (0x03%2) + 1 = 2, so this MAC uses server 2.
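The redirect decision and the server-selection formula can be modeled together. The following Python sketch is an added example, not code from the switch or its vendor; the function names, the second server address, and the sample flows are constructed for illustration, and it assumes that traffic to either server in a group counts as destined for the captive portal server.

```python
# Added illustration of the redirect decision and server selection described
# above. All names are hypothetical; they are not switch, CLI or MIB identifiers.

def pick_server(client_mac: str, num_servers: int) -> int:
    """1-based server index: (last byte of source MAC % numServers) + 1."""
    last_byte = int(client_mac.replace("-", ":").split(":")[-1], 16)
    return (last_byte % num_servers) + 1

def decide(client_mac, dst_ip, dst_port, listen_ports, servers):
    """Return ("redirect", "ip:port") where the switch would send an HTTP 307,
    or ("policy", None) where the rest of the role's rules handle the traffic.
    Assumption: traffic to any server in the group counts as destined for the
    captive portal server."""
    if dst_port not in listen_ports:
        return ("policy", None)   # not on a configured listening L4 port
    if dst_ip in {ip for ip, _port in servers}:
        return ("policy", None)   # already going to the portal itself
    ip, port = servers[pick_server(client_mac, len(servers)) - 1]
    return ("redirect", f"{ip}:{port}")

# Constructed sample configuration: listening ports from the page's example,
# server 1 from the page's example, server 2 invented for illustration.
LISTEN_PORTS = {80, 8080}
SERVERS = [("111.111.111.11", 1234), ("111.111.111.12", 1234)]

# Constructed sample flows: (client MAC, destination IP, destination port).
FLOWS = [
    ("00:00:00:00:00:03", "198.51.100.7", 80),     # odd last byte
    ("00:00:00:00:00:04", "198.51.100.7", 8080),   # even last byte
    ("00:00:00:00:00:03", "198.51.100.7", 443),    # not a listening port
    ("00:00:00:00:00:03", "111.111.111.11", 80),   # destined for the portal
]

if __name__ == "__main__":
    for mac, ip, port in FLOWS:
        print(mac, f"{ip}:{port}", "->", decide(mac, ip, port, LISTEN_PORTS, SERVERS))
```

The port 443 flow is not redirected and falls through to the role's other rules, which is why the role needs rules for traffic that the web redirection does not handle.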

For information about configuring Captive Portal Redirection, see Setting Up Captive Portal Redirection.