Captive redirect and HTTPS flows redirection

The captive redirect HTTP redirect policy can be optionally configured to redirect HTTPS sessions in addition to HTTP to a pre-defined redirect landing page, typically the captive-portal URL in the context of a WiFi network. This capability is particularly useful when the router is used to provide a captive-portal type of access, as it allows the operator to improve the user experience by redirecting the subscriber’s web browser sessions to the needed captive-portal landing page when the user first connects to the network using HTTPS instead of HTTP.

Before the introduction of this feature, users who opened their web browser to an HTTPS URL when first connecting to a new Wi-Fi network, expecting to be redirected to a captive portal, were instead presented with an error page generated by the web browser because the session was dropped or reset by the network, which ultimately prevented the user from connecting. Most non-technical users connecting to a captive-portal network may not know the difference between HTTP and HTTPS when it comes to login/redirection, and a number of subscribers may fail to connect or become frustrated trying multiple different links before a successful Wi-Fi authentication.

When the system is configured for captive-redirect redirect-https, it terminates the transport layer security (TLS) TCP sessions on the ISA-AA cards and returns a self-signed certificate to the user. Once the user accepts the security warning generated by the web browser, the web session is automatically redirected to the configured captive-portal landing page.

Captive redirect policy supports redirection for HTTP, HTTPS, HTTP2, SPDY, and TCP Fast Open connections.

A session-filter is used to define the criteria for permitting or redirecting flows using the captive redirect HTTP redirect policy. Typically, the operator needs to allow UDP on port 53 for DNS; other content can optionally be allowed based on IP address, port number, IP prefix list, or DNS IP cache, thereby allowing specific on-net or off-net applications through the captive redirect policy.

To configure the system for captive redirect HTTP redirect, the operator needs to:

Use the following CLI syntax to create a captive redirect HTTP redirect policy:

config>app-assure>group# http-redirect <redirect-name> [create]
        captive-redirect
            vlan-id <service-port-vlan-id>
            no vlan-id
        description <description-string>
        no description
        [no] redirect-https
        redirect-url <redirect-url>
        no redirect-url
        [no] shutdown
        [no] tcp-client-reset
        template <template-id> 
        no template
    no http-redirect <redirect-name>

The following example displays a typical configuration for a session filter used in the context of captive redirect:

A:7750# configure application-assurance group 1:1 create 
A:7750>config>app-assure>group# info 
----------------------------------------------
            session-filter "wifi-unauthenticated" create
                default-action deny
                entry 5 create
                    match
                        ip-protocol-num udp
                        dst-port eq 53
                    exit
                    action permit
                exit
                entry 10 create
                    match
                        dst-ip dns-ip-cache "whitelist"
                    exit
                    action permit
                exit
                entry 15 create
                    description "Allow traffic to the redirect landing page server"
                    match
                        ip-protocol-num tcp
                        dst-port eq 80
                        dst-ip 172.16.70.100/32
                    exit
                    action permit
                exit
                entry 20 create
                    match
                        ip-protocol-num tcp
                    exit
                    action http-redirect "redirect-portal"
                exit
            exit
----------------------------------------------

The following example displays a typical configuration for the AA interface used by the captive redirect HTTPS redirect policy for ESM Subscribers (DSM does not require the configuration of the AA Interface):

A:7750# configure service ies 1 customer 1 create 
A:7750>config>service>ies# info 
----------------------------------------------
            aa-interface "aa-if-captive-redirect-isa_1-2" create
                description "AA Interface for ISA-AA card 1/2"
                address 172.16.3.1/31
                sap 1/2/aa-svc:20 create
                    no shutdown
                exit
                no shutdown
            exit
----------------------------------------------

The following example displays a typical configuration for the HTTPS redirect policy for ESM Subscribers (DSM does not require the configuration of the VLAN ID):

A:7750# configure application-assurance group 1 
A:7750>config>app-assure>group>http-redir# info 
----------------------------------------------
                template 5
                tcp-client-reset
                redirect-https
                redirect-url "http://172.16.70.100/Redirect/redirect-portal.html?RequestedURL=$URL"
                captive-redirect
                    vlan-id 20
                exit
                no shutdown
----------------------------------------------
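The following Python model, added here as an illustration and not part of the router's software, walks a few sample flows through the "wifi-unauthenticated" session filter shown above (ordered entries, first match wins, default-action deny) and builds the landing-page URL from the redirect-url template. The DNS IP cache contents, the sample flows and the assumption that $URL is replaced by the percent-encoded requested URL are constructed for this example; the device's actual encoding of $URL is not stated on this page.

```python
import ipaddress
from urllib.parse import quote

# Constructed sample contents of the dns-ip-cache named "whitelist"
# (addresses resolved for whitelisted domains).
DNS_IP_CACHE = {"whitelist": {"203.0.113.10", "203.0.113.11"}}

# Model of the session-filter entries from the page, in evaluation order.
SESSION_FILTER = [
    {"proto": "udp", "dst_port": 53, "action": "permit"},                                   # entry 5: DNS
    {"dns_ip_cache": "whitelist", "action": "permit"},                                       # entry 10
    {"proto": "tcp", "dst_port": 80, "dst_ip": "172.16.70.100/32", "action": "permit"},      # entry 15: landing page
    {"proto": "tcp", "action": "http-redirect", "redirect": "redirect-portal"},             # entry 20: all other TCP
]
DEFAULT_ACTION = "deny"

# redirect-url of the "redirect-portal" policy shown on the page.
REDIRECT_URL = "http://172.16.70.100/Redirect/redirect-portal.html?RequestedURL=$URL"


def entry_matches(entry, flow):
    """Every match criterion present in the entry must hold for the flow."""
    if "proto" in entry and entry["proto"] != flow["proto"]:
        return False
    if "dst_port" in entry and entry["dst_port"] != flow["dst_port"]:
        return False
    if "dst_ip" in entry and ipaddress.ip_address(flow["dst_ip"]) not in ipaddress.ip_network(entry["dst_ip"]):
        return False
    if "dns_ip_cache" in entry and flow["dst_ip"] not in DNS_IP_CACHE[entry["dns_ip_cache"]]:
        return False
    return True


def evaluate(flow):
    """Return the action applied to a flow: 'permit', 'deny' or 'http-redirect'."""
    for entry in SESSION_FILTER:
        if entry_matches(entry, flow):
            return entry["action"]
    return DEFAULT_ACTION


def build_redirect(requested_url):
    """Assumed $URL substitution: percent-encode the requested URL into the query string."""
    return REDIRECT_URL.replace("$URL", quote(requested_url, safe=""))


if __name__ == "__main__":
    for flow in [{"proto": "udp", "dst_ip": "198.51.100.1", "dst_port": 53},
                 {"proto": "tcp", "dst_ip": "198.51.100.1", "dst_port": 443}]:
        print(flow, "->", evaluate(flow))
```

Note that an HTTPS flow hitting entry 20 only reaches the landing page after the browser's warning about the self-signed certificate is accepted, as described above.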