[c-nsp] PPPoE and HTTP Redirect

Charles Sprickman spork at bway.net
Sat Oct 3 12:11:16 EDT 2020

> On Oct 3, 2020, at 2:59 AM, Eugene Grosbein <eugen at grosbein.net> wrote:
> 03.10.2020 12:52, Scott Miller wrote:
>> Hello all, I’m looking for some recommendations.  I have a customer, an
>> ISP, who is doing PPPoE for residential and “some” smaller business
>> accounts.  PPPoE terminated on an ASR9010, DaloRadius for authentication
>> and IP assignments.  DaloRadius is configured for static IP per customer.
>> All that is working fine.  Recently, we enabled HTTP redirect on the 9010
>> because the customer wanted to try out a walled garden for past due
>> accounts.  So, past due accounts are handed a static 10.x.x.x IP, and
>> password changed.  Next time customer re-auth’s, they get the 10.x IP
>> because of the bad pass, and put into the HTTP redirect jail, and are
>> supposed to be redirected to a http site.  “Sometimes” http redirect works,
>> sometimes it doesn’t.  It seems as though it depends on the destination
>> address the end user is trying to go to.
>> At any rate, the ISP is wanting to investigate something else for PPPoE and
>> their walled garden.  Has anyone used anything else successfully for PPPoE
>> auth, and walled garden jail?  Something that is a bit more seamless?  The
>> ISP has their own home-brewed billing/account software, and just wants a
>> redirect to their landing page to work each time when a customer is
>> disconnected for non-pay.  I have not done a lot with PPPoE myself, so
>> reaching out for possible 3rd party solutions that can do all-in-one.
> I'm pretty sure the problem occurs due to HTTP/HTTPS differences,
> so for plain unencrypted HTTP user request it works but for HTTPS is does not, and should not.
> HTTPS is made to prevent such in-the-middle embedding from working.

I had some luck on wifi walled garden stuff doing the following:

- The device (in this case a Ruckus Zone Director) that does the redirect, listens
on both http and https for the redirect
- The device has a valid hostname and TLS cert for the https redirect host
- The device does NOT allow traffic to any of the hosts that apple’s, microsoft’s or android’s “am I connected to the internet?” features use
- You leverage this “am I connected to the internet” (which is NOT https, at least w/apple) check do do a 301 redirect to your own walled garden (which IS https, does have a valid cert, etc.)

I wrote up what I saw when sniffing this traffic here:


Bottom line, it all sucks, but you can probably work something out.

Captive portal stuff relies on the conditions of the pre-https world.


> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list