Captive Portal Redirection

Captive Portal Redirection uses HTTP redirection to force a client‘s web browser to be redirected to a particular administrative web page. You can use this feature for such web-based purposes as:

Captive Portal Redirection is an extension of the ONEPolicy feature. You can configure policy roles that can force redirection of HTTP traffic by specifying a web redirection class index that associates it with up to two redirection servers. The HTTP traffic to potentially redirect is identified based on a destination captive portal server absolute URL address containing an IPv4 address, TCP port, and path. For traffic that is placed into one of these policy roles (through authentication or policy admin-profile rules) actions are taken based upon the contents of the policy profile.

If the incoming traffic is on the configured L4 port and is not destined for the configured captive portal server IP, the switch causes an HTTP redirect message (code 307) to be sent back to the client. If the incoming traffic is destined for the configured captive portal server IP, or it is not on one of the configured listening L4 ports, the traffic is handled according to the rest of the policy role configuration.

Configuring this feature occurs through the etsysPolicyProfileMIB and the ONEPolicy command set. There are two tables in the MIB, one that allows configuration of the listening ports and one that allows configuration of the captive portal servers. You can configure up to three ports on which ONEPolicy listens for client traffic that is (potentially) subject to HTTP redirection. A URL that explicitly identifies the server by an IPv4 address, TCP port, and path is configured along with the ports on which the Captive Portal feature listens for client traffic (for example: configure policy captive-portal listening 80,8080).

You can configure up to ten web-redirect groups of two captive portal servers. They can be used to redirect traffic in different roles to different servers. These web-redirect groups are identified by associating a web redirection class index with the server ID. The policy roles used for captive portal redirection each have a non-zero web redirection class index configured (for example, configure policy profile 1 web-redirect 5). The default captive portal web redirection class index for any given role (profile) is 0, or unset. To enable captive portal, there must be a role defined that has a valid captive portal web redirection class index with a value between 1–10.

In addition to the captive portal configuration, this policy role should also have rules to handle the traffic that is not handled by the captive portal web redirection.
Note

Note

When there are two servers configured in a web-redirect, the switch uses the following algorithm to pick which server to use for redirection:

((Last byte of the client's source MAC address)%(numServers)) + 1

For example, (mac = 00:00:00:00:00:03) and where numServers is 2. (0x03%2) + 1 = 2 (This MAC uses server 2.)

Note

Note

Captive portal does not work with tagged frames.
Note

Note

HTTPS redirection is not supported in Captive Portal redirection.

Redirection to the portal does not happen if the user (guest-user or unauthenticated user) tries to connect to an HTTPS website. This feature only handles HTTP traffic. However, you can configure redirection to a captive portal URL based on HTTPS.

If not specified to do otherwise, ONEPolicy programs its captive portal-related rules outside of the reserved ACL rule space for ONEPolicy. This results in additional ACL slice usage. Starting with ExtremeXOS 30.4, you can specify that these rules are programmed within the already reserved ACL rule space at the expense of IPv4 rule capacity (see Configuring Policy Roles and Related Functionality).

For information about configuring Captive Portal Redirection, see Setting Up Captive Portal Redirection.

For an example Captive Portal Redirection configuration, see Captive Portal Redirection Example.