[rbak-nsp] Captive portal for Ethernet users

Tomas Lynch tomas.lynch at gmail.com
Fri Dec 9 08:59:53 EST 2011


On Fri, Dec 9, 2011 at 7:23 AM, John <womble1950 at live.com> wrote:
> Hi,
>
> I need to set up a captive portal for several hundred users that will be
> connected to the SmartEdge via an Ethernet connection (each user is a
> separate port on a Cisco switch), I'd be grateful for any pointers on what
> is needed to implement this?
>
> Am I right in thinking this is what CLIPs is for?  Do I configure the SE
> with CLIPs and DHCP, and then when the client has been allocated an IP we
> will have a CLIPs session, which we then redirect to a captive portal that
> would allow them to authenticate and then somehow update the SE forwarding
> policy to allow outbound access?

The forwarding to an authentication portal can be done with CLIPS as
well as PPPoE. What you are proposing is supported by the SE and you
have to work with CoA messages from your RADIUS server. A basic
information flow is something like (YMMV):

1) subscriber receives an IP address and a basic policy with redirection
2) subscriber tries to navigate and is redirected to the authentication portal
3) the portal authenticates the user and sends a message to the RADIUS
server (the portal can also be a CoA server)
4) the subscriber receives a new policy and navigates freely

>
> If the switches used a single VLAN then what about security between users?

Security is a mess here, a customer with a sniffer may read packets
from other users. I won't recommend this practice, see below.

>  If we had a separate VLAN for every user/port then that would be a huge
> amount of config on the SE if we end up with thousands of users?

It is common practice to assign each user a VLAN using QinQ. This
is well supported by the SE and yes, the config is long, but you have
more control over your users and security is more restricted.

Tomas

>
> Any advice & guidance appreciated.
>
> John.
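Steps 3 and 4 of the flow in the reply above depend on a CoA-Request (RFC 5176) that the receiver must authenticate with the RADIUS shared secret before changing a subscriber's policy. The Python below is an added example, not code from the thread or from the SmartEdge. It builds such a request and verifies its Request Authenticator; the subscriber name, address, secret and the use of Filter-Id to carry the policy name are constructed assumptions, since the thread does not say which attribute the SE expects.

```python
import hashlib
import hmac
import socket
import struct

COA_REQUEST = 43                              # RFC 5176 packet code
USER_NAME, FRAMED_IP, FILTER_ID = 1, 8, 11    # standard RADIUS attribute types
ZERO_AUTH = b"\x00" * 16


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_coa_request(ident: int, secret: bytes, username: str,
                      framed_ip: str, policy: str) -> bytes:
    """Build a CoA-Request naming the session and the policy to apply."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(FRAMED_IP, socket.inet_aton(framed_ip))
             + attr(FILTER_ID, policy.encode()))   # assumption: policy via Filter-Id
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + ZERO_AUTH + attrs + secret).digest()
    return header + auth + attrs


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """Receiver-side check: reject anything not signed with the shared secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + ZERO_AUTH + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"              # constructed sample value
    pkt = build_coa_request(7, secret, "sub-0001", "192.0.2.10", "full-access")
    print("genuine request accepted:", verify_coa_request(pkt, secret))
    forged = pkt[:-1] + b"X"                           # policy name altered in transit
    print("altered request accepted:", verify_coa_request(forged, secret))
```

A request whose attributes were changed after signing, or that was built with a different secret, fails the check, which is why the CoA secret and the source addresses allowed to send CoA deserve the same care as the RADIUS authentication secret.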