[cisco-bba] Redirection to WWW determined by AVP

Mark Tohill Mark at u.tv
Wed Jul 13 04:43:25 EDT 2005


Thanks for reply.

I think we'll definitely give your first option a go.

Seems fairly simple to implement.

BTW, is your first suggestion Policy-Based Routing or does it just do
something similar?


-----Original Message-----
From: Ian Henderson [mailto:ianh at chime.net.au] 
Sent: 10 July 2005 06:29
To: Mark Tohill
Cc: cisco-bba at puck.nether.net
Subject: Re: [cisco-bba] Redirection to WWW determined by AVP

On Fri, 8 Jul 2005, Mark Tohill wrote:

> Thought that this would be moving towards Policy-Based-Routing,
> on source rather than destination. Is this a possibility, or is their
> smarter way to implement this via RADIUS?

Assign the users you wish to redirect a block of RFC1918 address space
when they login. This address space is policy-routed to your 'playpen'
machine. This is how we do it for customers who are suspended or have to
change their dial number or similar.

access-list 98 remark *** Playpen
access-list 98 permit
route-map PLAYPEN permit 5
 match ip address 98
 set ip next-hop
route-map PLAYPEN permit 20

The next hop can either be your web server, or a tunnel towards a router
on the same subnet.

The only drawback to this approach is the customer has to disconnect to
get 'real' Internet access once they're done paying their bill/agreeing
the T&C's/etc.

Other suggestions include:

- Use a VRF with a different default route. You'd still need the
  connected web server, or a tunnel to it, or MPLS to get traffic to go
  the right direction.

- Investigate Cisco's SSG stuff. I only know Marketing-speak about it,
  apparently it does exactly what you're after. Multiple services are
  defined ('Internet', 'Playpen', 'Free Gaming only', etc). RADIUS
  authenticates the user when they want to access each service (defined
  IP address or interface) giving access based on business rules. So if
  understand the whole thing correctly, you could put all users by
  in the 'Playpen' service, then only let the signed up customers access
  anything else.

- If you already transparently cache users, intercept them here using an
  LDAP lookup or similar.


- I.

Ian Henderson, CCIE #14721
Senior Network Engineer

iiNet Limited
Chime Communications Pty Ltd

More information about the cisco-bba mailing list