Configuring Rule-Based Redirection
Rule-Based Redirection can be handled on a controller or on an AP. Support for Rule-Based
Redirection on the AP is limited to Firewall Friendly External Captive Portal (FFECP).
How you configure HTTP Redirection depends on the type of
traffic you are allowing and the default Access Control value you configure on the role. You
must configure the policy rules in the following order:
- Allow policies
- Redirect policies (if using Rule-based Redirection)
- Deny policies.
Allow Policies
You can configure five Allow policies or any combination of Allow and Deny policies on a
single role. The following are ways to implement policy rules:
- Allow All Policy.
  If you opt to allow all traffic, you only need one policy rule indicating that all traffic is allowed.
  Figure: Allow All Policy Configuration
- Combination of Allow and Deny policies, allowing specific traffic.
  The following is a sample configuration:
  - The role allows the station to use DHCP, DNS (or ARP):
    - Access Control = Allow, Port = DNS.
    - Access Control = Allow, Port = DHCP Client.
    - Access Control = Allow, Port = DHCP Server.
  - The role allows the station to communicate with the external captive portal server using HTTP or HTTPS:
    - Access Control = Allow, IP/subnet = IP of Captive Portal Server.
    Then specify the Captive Portal Server on the VLAN Class of Service tab in the Redirection URL field. The Redirection URL can be provided as a URL, IP address, or host name if using L7 Host Name DNS support.
  - The role must allow the station to send traffic to the controller's IP address on the VLAN containing the station's traffic; therefore, one Allow policy must include the IP/subnet that corresponds to the VLAN ID. Depending on the Default Access Control value on the role, this can be the VLAN ID specified on the role or the VLAN ID specified during WLANS configuration.
    - When default Access Control = Allow, the VLAN ID on the WLANS configuration is used.
    - When default Access Control = Contain to VLAN, the VLAN ID on the Role configuration is used.
    - Access Control = Allow, IP/subnet = Configured VLAN subnet.
- Deny All Policy.
  When opting to deny all traffic, you must first configure the five Allow policies to gather the parameters that direct the client to the FFECP. First configure the specific Allow policies, then configure the Deny All policy.
  Figure: Deny All Policy Configuration
- Redirect Policy
- If Rule-based Redirection is enabled, configure at least one
policy rule where the Access Control is set to HTTP Redirect.
- If Rule-based Redirection is disabled, configure at least one
policy rule where the Access Control is set to Deny.

Note
You cannot configure Captive Portal Redirection using IPv6
classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal
redirection to HTTP[S] over IPv6.
For more information on configuring policy rules, see Understanding the Filter Rule Definition Dialog.
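The following Python check is an added example, not part of the product or its documentation. It lints a role's rule list against the ordering, required Allow rules, Redirect/Deny requirement, and IPv6 restriction described above, for a role that allows specific traffic. The rule dictionaries, the `lint_role` function, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Hypothetical rule model (an assumption, not the controller's schema):
# {"action": "allow" | "redirect" | "deny", "port": str, "subnet": str}
ORDER = {"allow": 0, "redirect": 1, "deny": 2}
REQUIRED_PORTS = {"DNS", "DHCP Client", "DHCP Server"}

def _nets(rules, action):
    """Parsed subnets of all rules with the given action."""
    return [ipaddress.ip_network(r["subnet"]) for r in rules
            if r["action"] == action and r.get("subnet")]

def lint_role(rules, rule_based_redirection, portal_ip, vlan_subnet):
    """Return findings for a role that allows specific traffic; [] means none."""
    findings = []
    ranks = [ORDER[r["action"]] for r in rules]
    if ranks != sorted(ranks):
        findings.append("order: rules must run Allow, then Redirect, then Deny")
    allowed_ports = {r.get("port") for r in rules if r["action"] == "allow"}
    for port in sorted(REQUIRED_PORTS - allowed_ports):
        findings.append(f"missing Allow rule for port {port}")
    allow_nets = _nets(rules, "allow")
    if not any(ipaddress.ip_address(portal_ip) in n for n in allow_nets):
        findings.append("missing Allow rule for the captive portal server IP")
    if ipaddress.ip_network(vlan_subnet) not in allow_nets:
        findings.append("missing Allow rule for the configured VLAN subnet")
    needed = "redirect" if rule_based_redirection else "deny"
    if needed not in {r["action"] for r in rules}:
        findings.append(f"missing {needed} rule")
    if any(n.version == 6 for n in _nets(rules, "redirect")):
        findings.append("redirect rule uses an IPv6 classifier")
    return findings

# Constructed sample role: portal at 192.0.2.10, station VLAN 10.20.0.0/24.
GOOD = [
    {"action": "allow", "port": "DNS"},
    {"action": "allow", "port": "DHCP Client"},
    {"action": "allow", "port": "DHCP Server"},
    {"action": "allow", "subnet": "192.0.2.10/32"},
    {"action": "allow", "subnet": "10.20.0.0/24"},
    {"action": "redirect", "port": "HTTP"},
]
# Same rules with the redirect moved ahead of the Allow rules.
BAD = [GOOD[5]] + GOOD[:5]

if __name__ == "__main__":
    print(lint_role(GOOD, True, "192.0.2.10", "10.20.0.0/24"))
    print(lint_role(BAD, True, "192.0.2.10", "10.20.0.0/24"))
```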