The captive redirect HTTP redirect policy can be optionally configured to redirect HTTPS sessions in addition to HTTP to a pre-defined redirect landing page, typically the captive-portal URL in the context of a WiFi network. This capability is particularly useful when the router is used to provide a captive-portal type of access, as it allows the operator to improve the user experience by redirecting the subscriber’s web browser sessions to the needed captive-portal landing page when the user first connects to the network using HTTPS instead of HTTP.
Before the introduction of this feature, users opening their web browsers to an HTTPS URL when first connecting to a new Wi-Fi network and expecting to be redirected to a captive portal were instead presented with an error page automatically generated by the web browser because the session was dropped or reset by the network, therefore ultimately preventing the user from connecting. Most non-technical users connecting to a captive-portal network may not know the difference between HTTP and HTTPS when it comes to login/redirection, and a number of subscribers may not connect or may get frustrated trying multiple different links before a successful Wi-Fi authentication.
When the system is configured for captive-redirect redirect-https, it terminates transport layer security (TLS) TCP sessions in the ISA-AA cards and returns a self-signed certificate to the user. Once the user accepts the security warning generated by the web browser, the web session is automatically redirected to the configured captive-portal landing page.
Captive redirect policy supports redirection for HTTP, HTTPS, HTTP2, SPDY, and TCP Fast Open connections.
A session-filter is used to define the criteria for permitting or redirecting flows using the captive redirect HTTP redirect policy. Typically the operator needs to allow UDP on port 53 for DNS, and can optionally allow other content based on IP address, port number, IP prefix list, or DNS IP cache, thereby allowing specific on-net or off-net applications through the captive redirect policy.
To configure the system for captive redirect HTTP redirect the operator needs to:
Create an http-redirect policy. If the ISA group aa-sub-scale mode is configured for residential or VPN, then configure the http-redirect policy for captive-redirect and associate the appropriate VLAN ID AA Interface (an aa-interface routable within the subscriber’s service must be created for each ISA-AA card in the system). If the ISA group aa-sub-scale mode is configured for DSM, then there is no need to associate the http-redirect policy to a VLAN ID and no need to create an AA Interface.
Create a session filter policy to allow at the minimum UDP on port 53. Additional traffic can be allowlisted based on a statically defined IP prefix list or a dynamic DNS IP cache policy. The redirect landing page should be configured using IP prefixes.
The last action of the session filter should be set to http-redirect the remaining flows using a predefined captive redirect HTTP redirect policy.
Use the following CLI syntax to create a captive redirect HTTP redirect policy:
config>app-assure>group# http-redirect <redirect-name> [create]
    captive-redirect
        vlan-id <service-port-vlan-id>
        no vlan-id
    description <description-string>
    no description
    [no] redirect-https
    redirect-url <redirect-url>
    no redirect-url
    [no] shutdown
    [no] tcp-client-reset
    template <template-id>
    no template
config>app-assure>group# no http-redirect <redirect-name>
The following example displays a typical configuration for a session filter used in the context of captive redirect:
A:7750# configure application-assurance group 1:1 create
A:7750>config>app-assure>group# info
----------------------------------------------
    session-filter "wifi-unauthenticated" create
        default-action deny
        entry 5 create
            match
                ip-protocol-num udp
                dst-port eq 53
            exit
            action permit
        exit
        entry 10 create
            match
                dst-ip dns-ip-cache "whitelist"
            exit
            action permit
        exit
        entry 15 create
            description "Allow traffic to the redirect landing page server"
            match
                ip-protocol-num tcp
                dst-port eq 80
                dst-ip 172.16.70.100/32
            exit
            action permit
        exit
        entry 20 create
            match
                ip-protocol-num tcp
            exit
            action http-redirect "redirect-portal"
        exit
    exit
----------------------------------------------
The following example displays a typical configuration for the AA interface used by the captive redirect HTTPS redirect policy for ESM Subscribers (DSM does not require the configuration of the AA Interface):
A:7750# configure service ies 1 customer 1 create
A:7750>config>service>ies# info
----------------------------------------------
    aa-interface "aa-if-captive-redirect-isa_1-2" create
        description "AA Interface for ISA-AA card 1/2"
        address 172.16.3.1/31
        sap 1/2/aa-svc:20 create
            no shutdown
        exit
        no shutdown
    exit
----------------------------------------------
The following example displays a typical configuration for the HTTPS redirect policy for ESM Subscribers (DSM does not require the configuration of the VLAN ID):
A:7750# configure application-assurance group 1
A:7750>config>app-assure>group>http-redir# info
----------------------------------------------
    template 5
    tcp-client-reset
    redirect-https
    redirect-url "http://172.16.70.100/Redirect/redirect-portal.html?RequestedURL=$URL"
    captive-redirect
        vlan-id 20
    exit
    no shutdown
----------------------------------------------
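The following Python model is an added illustration, not SR OS code, of how the session filter "wifi-unauthenticated" and the http-redirect policy "redirect-portal" configured above act on subscriber flows. It assumes that session-filter entries are evaluated in ascending entry order with the first match winning (default-action otherwise), that the DNS IP cache "whitelist" currently holds the constructed address 198.51.100.10, and that the $URL macro in redirect-url is replaced by the percent-encoded URL the subscriber originally requested. The Flow, Entry and SessionFilter classes and the handle function are hypothetical names introduced for this example.

```python
"""Model of the captive-redirect session filter and http-redirect policy.

Added example: assumes first-match evaluation in ascending entry order and
that $URL in redirect-url expands to the percent-encoded requested URL.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote


@dataclass
class Flow:
    proto: str              # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    tls: bool = False       # True when the client opened a TLS (HTTPS) session
    requested_url: str = ""  # URL the browser asked for, if known


@dataclass
class Entry:
    entry_id: int
    action: str                        # "permit", "deny" or "http-redirect"
    match: Callable[[Flow], bool]
    redirect_policy: Optional[str] = None


@dataclass
class SessionFilter:
    name: str
    default_action: str
    entries: List[Entry] = field(default_factory=list)

    def evaluate(self, flow: Flow) -> Tuple[str, Optional[str], Optional[int]]:
        """First matching entry (ascending entry-id) decides the action."""
        for e in sorted(self.entries, key=lambda e: e.entry_id):
            if e.match(flow):
                return (e.action, e.redirect_policy, e.entry_id)
        return (self.default_action, None, None)


# Constructed stand-in for the dynamic DNS IP cache named "whitelist".
DNS_IP_CACHE: Dict[str, set] = {"whitelist": {"198.51.100.10"}}
LANDING_PAGE = ip_network("172.16.70.100/32")


def build_filter() -> SessionFilter:
    """Mirror of session-filter "wifi-unauthenticated" from the configuration."""
    return SessionFilter("wifi-unauthenticated", "deny", [
        # entry 5: DNS must always get through
        Entry(5, "permit", lambda f: f.proto == "udp" and f.dst_port == 53),
        # entry 10: destinations learned into the DNS IP cache
        Entry(10, "permit", lambda f: f.dst_ip in DNS_IP_CACHE["whitelist"]),
        # entry 15: the landing page server itself
        Entry(15, "permit", lambda f: f.proto == "tcp" and f.dst_port == 80
              and ip_address(f.dst_ip) in LANDING_PAGE),
        # entry 20: everything else on TCP is redirected to the portal
        Entry(20, "http-redirect", lambda f: f.proto == "tcp",
              redirect_policy="redirect-portal"),
    ])


# http-redirect policy "redirect-portal" from the configuration above.
REDIRECT_POLICIES: Dict[str, dict] = {
    "redirect-portal": {
        "redirect_https": True,
        "redirect_url": "http://172.16.70.100/Redirect/redirect-portal.html"
                        "?RequestedURL=$URL",
    }
}


def redirect_location(policy_name: str, flow: Flow, policies=REDIRECT_POLICIES):
    """Location the ISA would redirect to, or None when a TLS flow hits a
    policy without redirect-https (the session is then dropped or reset)."""
    pol = policies[policy_name]
    if flow.tls and not pol["redirect_https"]:
        return None
    # Assumption: $URL becomes the percent-encoded original request URL.
    return pol["redirect_url"].replace("$URL", quote(flow.requested_url, safe=""))


def handle(flow: Flow, policies=REDIRECT_POLICIES) -> Tuple[str, Optional[str]]:
    """Outcome for one flow: ("permit"|"deny"|"redirect"|"reset", location)."""
    action, policy, _entry = build_filter().evaluate(flow)
    if action == "http-redirect":
        loc = redirect_location(policy, flow, policies)
        return ("redirect", loc) if loc else ("reset", None)
    return (action, None)


if __name__ == "__main__":
    # Constructed sample flows from a not-yet-authenticated subscriber.
    samples = [
        Flow("udp", "8.8.8.8", 53),
        Flow("udp", "203.0.113.5", 123),
        Flow("tcp", "172.16.70.100", 80),
        Flow("tcp", "198.51.100.10", 443, tls=True),
        Flow("tcp", "203.0.113.5", 443, tls=True, requested_url="https://example.com/"),
    ]
    for f in samples:
        print(f, "->", handle(f))
```

Running the block shows the point of redirect-https: the HTTPS flow to an arbitrary host is answered with a redirect to the portal carrying the original URL, while with redirect-https disabled the same flow would be reset and the browser would show its own error page.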