[c-nsp] SSG and Initial Captivate feature

Francisco Rivas frivas at lanparty.cl
Mon Nov 22 14:45:58 EST 2004


Hi,

I have a 7206vxr with IOS 12.3(10a), SSG enabled, with 2 FastEthernet
interfaces. On one of these interfaces, I have connected a pppoe client
(notebook running windows XP), and in the other one I have the uplink to
internet and the connection to the radius server (both of them tagged on
802.1q).
What I want to do, is to redirect the initial connection from the
browser (on the notebook) to a web page defined by me. For example, I
connect the pppoe client, then I open a browser, and whatever page that
I try to access, it gets redirected to a URL for 5 seconds, and then you
can go wherever you want.

I found the Initial Captivate feature on the SSG enabled IOS, and I've
set up a test lab to test it. I've set up the redirect part to one of my
servers, then I tried to connect with the pppoe client, and the redirect
worked without problems. But, when the redirect times out, I can't go
anywhere. If I use the "ssg pass-through" command, I can browse internet
without any problem, but the redirect doesn't work (as soon as I connect
using pppoe, I can go wherever I want without being redirected).

Has anyone done something similar to this? I still don't know if this
will work without using the Cisco SESM solution, I just want the initial
redirect and I'll be happy...


So far, this is the running config with the non-working redirect:

Current configuration : 3456 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname LAB-R1
!
boot-start-marker
boot system disk0:c7200-g4js-mz.123-10a.bin
boot bootldr disk0:c7200-kboot-mz.123-10a.bin
boot-end-marker
!
logging snmp-authfail
enable secret 5 XXXXXXXXXXXXXXXXX
!
username admin privilege 15 password 0 XXXXXXX
aaa new-model
!
!
aaa group server radius RADIUS-DSL
 server 200.73.47.11 auth-port 1812 acct-port 1813
!
aaa authentication login default enable
aaa authentication ppp default group RADIUS-DSL
aaa authorization network default group RADIUS-DSL 
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name mydomain.com
ip name-server 216.241.0.133
ip name-server 216.241.0.151
!
ip cef
vpdn enable
!
vpdn-group DSL-Customers
 accept-dialin
  protocol pppoe
  virtual-template 1
 local name SSG
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ssg enable
ssg pass-through
ssg pass-through filter download tptfilter1 xxxxx
ssg default-network 200.73.47.8 255.255.255.248
ssg service-password xxxxx
ssg radius-helper auth-port 1645 acct-port 1646
ssg radius-helper key xxxxx
ssg next-hop download nht1 xxxx
ssg bind direction downlink Virtual-Template1
ssg tcp-redirect
 port-list ports
  port 80
  port 8080
 !
 server-group initialCaptivate
  server 200.73.47.10 80
 !
 redirect port-list ports to initialCaptivate
 !
 redirect captivate initial default group initialCaptivate duration 5
!
local-profile internet2
  attribute 26 9 251 "R0.0.0.0;0.0.0.0"
  attribute 26 9 251 "TX"
!

!
local-profile internet
  attribute 26 9 251 "R0.0.0.0;0.0.0.0"
!

!
local-profile mydomain.com
  attribute 26 9 251 "D216.241.0.133"
  attribute 26 9 251 "R216.241.0.0;255.255.224.0"
  attribute 26 9 251 "R200.73.0.0;255.255.192.0"
  attribute 26 9 251 "R200.73.64.0;255.255.224.0"
!

!
!
!
!
interface Loopback0
 description Loopback
 ip address 200.73.47.1 255.255.255.255
 no clns route-cache
!
interface FastEthernet0/0
 no ip address
 duplex full
 no cdp enable
 no clns route-cache
!
interface FastEthernet0/0.1
 encapsulation dot1Q 152
 ip address 216.241.1.33 255.255.255.192
 no cdp enable
!
interface FastEthernet0/0.2
 description Uplink Captive Portal
 encapsulation dot1Q 153
 ip address 216.241.11.206 255.255.255.252
 no cdp enable
!
interface FastEthernet0/0.3
 description Red Radius Server
 encapsulation dot1Q 8
 ip address 200.73.47.9 255.255.255.248
 no cdp enable
!
interface FastEthernet1/0
 description PPPoE Clients
 no ip address
 duplex full
 no cdp enable
 no clns route-cache
!
interface FastEthernet1/0.1
 description PPPoE Clients
 encapsulation dot1Q 95
 pppoe enable
 no cdp enable
!
interface Virtual-Template1
 mtu 1492
 ip unnumbered Loopback0
 peer default ip address pool pool1
 ppp authentication pap
 no clns route-cache
!
ip local pool pool1 200.73.47.128 200.73.47.139
ip local pool pool2 200.73.47.140 200.73.47.150
ip classless
ip route 0.0.0.0 0.0.0.0 216.241.11.205
no ip http server
!
!
!
ip access-list extended internet-in
 permit ip any any
ip access-list extended internet-out
 permit ip any any
no cdp run
!
!
!
radius-server host 200.73.47.11 auth-port 1812 acct-port 1813 key xxxxx
radius-server vsa send accounting
radius-server vsa send authentication
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password xxxxxxx
!
!
end

LAB-R1#


If I remove the line "ssg pass-through", the redirect works, but I can't
connect to anywhere after that.



The "tptfilter1" has this:
cisco-av-pair:
        ip:inacl#1=permit ip any any
        ip:outacl#1=permit ip any any
And it's being loaded without problems by the router:

LAB-R1(config)#ssg pass-through filter download tptfilter1 xxxxx
SSG default pass-through filter download succeeded.

LAB-R1(config)#
3d22h: SSG-EVN: DownloadProfile: getting profile for tptfilter1 from AAA

3d22h: SSG-CTL-EVN: GetUserAuthorInfo: idb is NULL
3d22h: RADIUS: Pick NAS IP for u=0x645F67E0 tableid=0 cfg_addr=0.0.0.0
3d22h: RADIUS: ustruct sharecount=1
3d22h: Radius: radius_port_info() success=1 radius_nas_port=1
3d22h: RADIUS/ENCODE: Best Local IP-Address 200.73.47.9 for
Radius-Server 200.73.47.11
3d22h: RADIUS(00000000): Send Access-Request to 200.73.47.11:1812 id
1645/43, len 74
3d22h: RADIUS:  authenticator B1 C9 EE F1 DE E0 1C E4 - 8D FB C5 D0 C2
E5 89 F4
3d22h: RADIUS:  NAS-IP-Address      [4]   6   200.73.47.9               
3d22h: RADIUS:  NAS-Port            [5]   6   0                         
3d22h: RADIUS:  NAS-Port-Type       [61]  6   Virtual                  
[5]
3d22h: RADIUS:  User-Name           [1]   12  "tptfilter1"
3d22h: RADIUS:  User-Password       [2]   18  *
3d22h: RADIUS:  Service-Type        [6]   6   Outbound                 
[5]
3d22h: RADIUS: Received from id 1645/43 200.73.47.11:1812,
Access-Accept, len 135
3d22h: RADIUS:  authenticator 2A 54 F1 16 F5 23 9C AE - 66 9B C5 96 66
25 4A 30
3d22h: RADIUS:  Vendor, Cisco       [26]  36  
3d22h: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#1=permit ip any
any"
3d22h: RADIUS:  Vendor, Cisco       [26]  37  
3d22h: RADIUS:   Cisco AVpair       [1]   31  "ip:outacl#1=permit ip any
any"
3d22h: RADIUS:  Service-Type        [6]   6   Outbound                 
[5]
3d22h: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255           
3d22h: RADIUS:  Class               [25]  30  
3d22h: RADIUS:   43 49 53 43 4F 41 43 53 3A 30 30 30 30 31 33 66 
[CISCOACS:000013f]
3d22h: RADIUS:   61 2F 63 38 34 39 32 66 30 39 2F 30             
[a/c8492f09/0]
3d22h: RADIUS: saved authorization data for user 645F67E0 at 645E4A9C
3d22h: Radius reply received:

3d22h: SSG-EVN: is_ip_standard_acl_def: ip:inacl#1=permit ip any any

3d22h: SSG-EVN: CreateACL: ACL (SSG ACL): Executing (permit ip any any)
        Created Upstream acl from it.

3d22h: SSG-EVN: is_ip_standard_acl_def: ip:outacl#1=permit ip any any

3d22h: SSG-EVN: CreateACL: ACL (SSG ACL): Executing (permit ip any any)
        Created Downstream acl from it.



Can anyone give me a light about this? Can this be done without
installing the SESM and the double authentication implied? I just need
the initial captivate/redirect feature... If you need more information
about this (debug logs, etc etc etc), just ask :)



thanks a lot for your time!

--
Francisco Rivas Catalan
Senior Network Engineer
IFX Networks
francisco.rivas at ifxnw.cl
(56) 2 3744566
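One thing worth checking on a question like this is exactly what SSG received when it downloaded the pass-through filter, since the `debug radius` output above is wrapped by the mail client and the attribute values are split across lines. The following Python script is an added example, not part of the original post: it re-joins the wrapped debug lines, pulls out every Cisco AVpair in the Access-Accept, groups the `ip:inacl#N` / `ip:outacl#N` entries into ordered ACLs, and flags the case where both directions are `permit ip any any` (a fully open filter, meaning every flow from the host qualifies as pass-through traffic). The sample log text is constructed to mirror the format in the post, and the uptime-timestamp regex is an assumption about the `3d22h:` prefix style.

```python
import re

# Constructed sample, modelled on the `debug radius` output in the post.
# Lines are wrapped the way the mail client wrapped them.
SAMPLE_DEBUG = """\
3d22h: RADIUS(00000000): Send Access-Request to 200.73.47.11:1812 id
1645/43, len 74
3d22h: RADIUS:  User-Name           [1]   12  "tptfilter1"
3d22h: RADIUS:  Service-Type        [6]   6   Outbound
[5]
3d22h: RADIUS: Received from id 1645/43 200.73.47.11:1812,
Access-Accept, len 135
3d22h: RADIUS:  Vendor, Cisco       [26]  36
3d22h: RADIUS:   Cisco AVpair       [1]   30  "ip:inacl#1=permit ip any
any"
3d22h: RADIUS:  Vendor, Cisco       [26]  37
3d22h: RADIUS:   Cisco AVpair       [1]   31  "ip:outacl#1=permit ip any
any"
3d22h: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
"""

# Assumption: every real debug line starts with an IOS uptime stamp such
# as "3d22h: "; anything else is a continuation of the previous line.
TS_RE = re.compile(r'^\d+[a-z]\d*[a-z]?: ')
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')
ACL_RE = re.compile(r'^ip:(inacl|outacl)#(\d+)=(.*)$')


def unwrap(text):
    """Join mail-wrapped continuation lines back onto their debug line."""
    lines = []
    for raw in text.splitlines():
        if TS_RE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] = lines[-1].rstrip() + ' ' + raw.strip()
    return lines


def parse_avpairs(text):
    """Return every Cisco AVpair value found in the (unwrapped) debug output."""
    pairs = []
    for line in unwrap(text):
        m = AVPAIR_RE.search(line)
        if m:
            pairs.append(m.group(1))
    return pairs


def ssg_filter_acls(text):
    """Group ip:inacl#N / ip:outacl#N entries into ordered ACL line lists."""
    acls = {'inacl': [], 'outacl': []}
    for pair in parse_avpairs(text):
        m = ACL_RE.match(pair)
        if m:
            acls[m.group(1)].append((int(m.group(2)), m.group(3).strip()))
    # Sort by the #N sequence number so the ACL order matches what IOS builds.
    return {direction: [entry for _, entry in sorted(entries)]
            for direction, entries in acls.items()}


def is_wide_open(acls):
    """True when both directions consist solely of 'permit ip any any'."""
    return all(entries == ['permit ip any any']
               for entries in acls.values()) and all(acls.values())


if __name__ == '__main__':
    acls = ssg_filter_acls(SAMPLE_DEBUG)
    for direction, entries in acls.items():
        print(direction, entries)
    if is_wide_open(acls):
        print('pass-through filter permits everything in both directions')
```

Run it against a pasted `debug radius` capture (replace `SAMPLE_DEBUG` with the file contents) to confirm the filter the router actually built matches what was intended; if the goal is for only some traffic to bypass the captive redirect, this is where a narrower ACL would show up.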


