Redirection For Unauthorized Services - Cisco OL-4387-02 Configuration Manual

Router service selection gateway configuration guide

Chapter 10: SSG TCP Redirect

The SSG TCP Redirect feature always sends redirected packets to a captive portal group that consists of one or more servers. SSG selects one server from the group in a round-robin fashion to receive the redirected packets. For upstream packets, SSG modifies the destination IP address and TCP port to reflect the destination captive portal. For downstream packets, SSG returns the source IP address and port to the original packet's destination. SSG uses the same redirect server if multiple TCP sessions from the same user are redirected. When the TCP session terminates or is idle for more than 60 seconds, SSG clears the translations that were applied to packets before they were sent to the captive portal. In host-key mode with overlapping user IP addresses, redirection works only for host-keyed servers.

Note: This feature applies only to non-PPP users. PPP users are always authenticated as part of the PPP negotiation process. PPP users logging off from SESM are also redirected.

The following describes the behavior of redirection for unauthorized users:

• If a user is subject to redirection or captivation, then packets from the user that match the protocol and ports configured as the redirection and captivation filter are sent to SESM. If the user packet does not match the filter, SSG drops the packet.
• SSG drops all packets to the user unless the packet arrives from the SESM or the Open Garden network.

Redirection for Unauthorized Services

Redirection for unauthorized services redirects TCP sessions from authenticated users who have not been authorized to access service networks. SSG TCP Redirect redirects the packets to a captive portal, such as SESM. SESM can then prompt for the service logon.

SSG can redirect unauthorized TCP sessions for different networks to different servers. For network-based redirection, a list of networks is used for unauthorized service redirect. The network list is associated with a group of servers. Only one network list can be associated with a server group.

The server group can also be associated with a port or a list of ports. Servers handle particular captive portal applications as defined by the port that they use. TCP sessions redirected to servers can be restricted based on a port or port list. A port list defines a named list of interesting destination TCP ports. The port list is associated with a server group and is used to restrict the applications redirected to a server group. Only one port list or port can be associated with a server group.

If none of the destination networks matches the networks in the network list, you can set up a default server group to receive redirected packets by using the redirect unauthorized-service command:

[no] redirect unauthorized-service [destination network-list network-listname] to group-name

SSG TCP Redirect also restricts access to certain networks that are part of another authorized service. For example, in Figure 10-1 the user is allowed to access ServiceA. IPTVService is part of ServiceA, but the user is not authorized to access IPTVService. SSG redirects TCP sessions from the user to IPTVService (10.1.1.1/32), but allows access to anywhere else in ServiceA (10.0.0.0/8).

Cisco 10000 Series Router Service Selection Gateway Configuration Guide, OL-4387-02, page 10-2
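As an added illustration (not from the Cisco guide), the following Python model reproduces the redirect behavior described above: network-list and port-list matching, round-robin server selection that stays on the same server for all of a user's sessions, the upstream destination rewrite, the downstream source restoration, and the 60-second idle clear. The group layout, server addresses and the treatment of a network-matched packet on a non-listed port as a drop are constructed assumptions.

```python
import ipaddress
from itertools import cycle

IDLE_TIMEOUT = 60  # seconds; SSG clears a session's translation after this much idle time

class ServerGroup:
    # Captive portal group: servers used round-robin, optionally bound to a network list and a port list.
    def __init__(self, servers, networks=(), ports=()):
        self.servers = list(servers)                       # (ip, tcp_port) of each redirect server
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.ports = set(ports)                            # empty = no port restriction
        self.rr = cycle(self.servers)                      # round-robin iterator over the servers

class SsgRedirect:
    def __init__(self, groups, default_group=None):
        self.groups = groups                 # groups bound to a network list
        self.default = default_group         # 'redirect unauthorized-service to <group>' (no network list)
        self.sticky = {}                     # (user_ip, group) -> server reused for that user's sessions
        self.sessions = {}                   # (user_ip, sport) -> [orig_dst, server, last_seen]
    def _select_group(self, dst_ip, dst_port):
        for g in self.groups:
            if any(ipaddress.ip_address(dst_ip) in n for n in g.networks):
                # network matched but port not in the group's port list: assumed dropped, not redirected
                return g if not g.ports or dst_port in g.ports else None
        return self.default                  # no network-list match: fall back to the default group
    def upstream(self, user_ip, sport, dst_ip, dst_port, now):
        """Return the (ip, port) the packet's destination is rewritten to, or None if SSG drops it."""
        self._expire(now)
        key = (user_ip, sport)
        if key in self.sessions:             # established session keeps its translation
            self.sessions[key][2] = now
            return self.sessions[key][1]
        group = self._select_group(dst_ip, dst_port)
        if group is None:
            return None
        sk = (user_ip, id(group))
        if sk not in self.sticky:            # first redirected session from this user: take next server
            self.sticky[sk] = next(group.rr)
        self.sessions[key] = [(dst_ip, dst_port), self.sticky[sk], now]
        return self.sticky[sk]
    def downstream(self, user_ip, sport, now):
        """Return the original destination restored as the reply's source, or None if no translation."""
        self._expire(now)
        entry = self.sessions.get((user_ip, sport))
        if entry is None:
            return None
        entry[2] = now
        return entry[0]
    def _expire(self, now):
        self.sessions = {k: v for k, v in self.sessions.items() if now - v[2] <= IDLE_TIMEOUT}
```

Constructed addresses (RFC 5737 ranges) stand in for the portal servers; the model keeps the per-user server choice even after the idle timer clears the session translation, since the guide says nothing about clearing it.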
