Chapter 10: SSG TCP Redirect; Redirection for Unauthenticated Users - Cisco OL-4387-02 Configuration Manual

Cisco 10000 Series Router Service Selection Gateway Configuration Guide

SSG TCP Redirect
The SSG TCP Redirect feature redirects certain user packets to an alternative location that can handle the packets in a suitable manner. This feature works in conjunction with the SESM web interface. SSG TCP Redirect forces subscribers to authenticate before accessing the network or specific services and ensures that subscribers are only allowed to access the services that the service provider wants them to.

The SSG TCP Redirect feature always sends redirected packets to a captive portal group. Any server that is programmed to respond to the redirected packets can be a captive portal. A captive portal group consists of one or more servers. SSG TCP Redirect identifies a captive portal group by its unique name. Each server in a captive portal group is identified by its IP address and TCP port. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. Servers can be in the SSG Open Garden or default network.

If SESM is used as a captive portal, unauthenticated users can be sent automatically to the SESM logon page when they start a browser session. Captive portal applications can also redirect to service logon pages, advertising pages, and message pages. The SESM captive portal application can also capture a URL in a user request and redirect the browser to the originally requested URL after successful authentication.

The SSG feature does not require that you configure all service definitions manually using the command line interface (CLI). Some, and possibly all, service definitions can come from RADIUS. The download of definitions is triggered when a user attempts to send a packet to a network that is not defined in the SSG VRF table. If this occurs and redirection is enabled, SSG redirects the packet to SESM, which then triggers RADIUS to download the service definition. SSG forwards subsequent packets without redirection.
The Cisco 10000 series router supports the following types of redirection:

- Redirection for Unauthenticated Users
- Redirection for Unauthorized Services
- Initial Captivation

Redirection for Unauthenticated Users

Redirection for unauthenticated users redirects packets from a user if the user has not authorized with the service provider. When an unauthorized subscriber attempts to connect to a service on a TCP port (for example, to www.cisco.com), SSG TCP Redirect redirects the packet to the captive portal (SESM or a group of SESM devices). SESM issues a redirect to the browser to display the logon page. The subscriber logs in to SESM and is authenticated and authorized. SESM then presents the subscriber with a personalized home page, the service provider home page, or the original URL.
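A simplified model of the redirect decision described above: a named captive portal group whose servers are chosen round-robin, and a gateway that redirects TCP packets from unauthenticated subscribers but forwards them after logon. This is an added example, not Cisco's implementation and not code from the guide; the class names, the choice to key subscribers by source IP, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class PortalServer:
    ip: str
    port: int


class CaptivePortalGroup:
    """A named group of portal servers, handed out round-robin."""
    def __init__(self, name, servers):
        if not servers:
            raise ValueError("a captive portal group needs at least one server")
        self.name = name
        self._rotation = cycle(list(servers))

    def pick(self):
        return next(self._rotation)


class TcpRedirector:
    """Model only: subscribers are keyed by source IP (an assumption)."""
    def __init__(self, group):
        self.group = group
        self.authenticated = set()

    def login(self, src_ip):
        self.authenticated.add(src_ip)

    def handle(self, src_ip, dst_ip, dst_port):
        """Return (action, ip, port) for one TCP packet from a subscriber."""
        if src_ip in self.authenticated:
            return ("forward", dst_ip, dst_port)
        server = self.group.pick()
        return ("redirect", server.ip, server.port)


def demo():
    # Constructed sample data using documentation address ranges.
    group = CaptivePortalGroup("portal", [PortalServer("192.0.2.10", 8080),
                                          PortalServer("192.0.2.11", 8080)])
    ssg = TcpRedirector(group)
    out = [ssg.handle("198.51.100.7", "203.0.113.5", 80) for _ in range(3)]
    ssg.login("198.51.100.7")
    out.append(ssg.handle("198.51.100.7", "203.0.113.5", 80))
    return out
```

Calling `demo()` returns three redirects that alternate between the two portal servers, followed by one forward to the original destination once the subscriber has logged on.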
