|
This chapter describes how to configure the SESM sample captive portal solution. The chapter contains the following topics:
Captivation Type | Required Cisco IOS Release Level (SSG) | Required Cisco SESM Release Level |
---|---|---|
Unauthenticated user redirection | Cisco IOS Release 12.1(5)DC1 or later | SESM Release 3.1(1) or later |
Unauthorized service redirection Initial logon redirection Advertising redirection | Cisco IOS Release 12.2(4)B | SESM Release 3.1(3) or later |
Note The SSG TCP redirect features can redirect to any web server application. There is no requirement to use SESM applications. However, this guide assumes that you are using SESM applications. |
This section describes the SESM captive portal solution. It contains the following topics:
Figure 11-1 illustrates how the components in the SESM captive portal solution work together to provide appropriate content to the subscriber.
Note Figure 11-1 shows the sample solution configured using all of the default values provided by the SESM installation program. There are many possible variations to this default deployment. |
1 | Incoming HTTP requests from subscribers pass through the SSG. |
2 | When a packet qualifies for redirection, the SSG changes the destination IP address and port in the TCP packet. Cisco IOS configuration commands issued on the SSG host device define which packets qualify for redirection and the redirected destinations. |
3 | The sample SESM captive portal solution requires the following configurations for the TCP redirected destinations.
|
4 | The captiveportal.xml file associates an incoming port number to a content application URL. The SESM Captive Portal application uses the services of a JMX server to obtain the attribute values from the XML file. |
5 | The SESM Captive Portal application acts as a gateway to the content applications. It issues an HTTP redirect that redirects the subscriber's browser to an appropriate content application. The redirect request can include information from the original HTTP request, in the form of query parameters appended to the HTTP redirect URL. |
6 | The NWSP portal is the content application that services unauthenticated user redirection and service redirections. |
7 | The Message Portal is the content application that services initial logon and advertising redirections. |
The SESM Captive Portal application acts as a gateway for all of the different redirections coming from the SSG. This application does not provide any content to subscribers. Its main purpose is to preserve and pass along information from the original subscriber request to the content applications.
Table 11-1 shows the parameters that the Captive Portal application captures and forwards to content applications. The names of these parameters are configurable in the captiveportal.xml file.
Type of SSG TCP Redirection | Parameter Name in SESM Captive Portal HTTP Redirect | Explanation and Usage by the Content Applications |
---|---|---|
The URL in the subscriber's original request. The NWSP application uses this value to redirect the browser to this original request after successful authentication. | ||
The service name that was requested in the original request.The NWSP application uses this value to log on to the service. | ||
The user name that the subscriber used for SESM authentication. NWSP does not use this value, but it is available for use in customizations. | ||
The URL to the service that was requested in the original request. The NWPS uses this value to display a pop-up window after service connection. It overrides the URL that NWSP would normally use after service connection, which is the URL in the service profile. | ||
CPURL | ||
Duration attributes exist on both the SSG side and the SESM side. See the "Message Duration ParametersSummary" section. | ||
The subscriber name as obtained from the subscriber profile. |
See Table 11-1 for a description of the parameters that the Captive Portal application forwards to the NWSP application.
See Table 11-1 for a description of the parameters that the Captive Portal application forwards to the Message Portal application.
The sample SESM captive portal solution offers one way to implement captivation features. This section describes some alternative deployment options.
You do not need to deploy all of the redirection types. Each type of TCP redirection is independent of the others. To eliminate a redirection type from the captive portal solution, you can do any of the following:
The web server container in which the captive portal application runs is configured with a separate listener for each TCP redirect port you configured. That is, separate listeners exist for user redirections, each service redirection, a default service redirection, initial logon redirections, and advertising redirections. If you do not implement all of the redirection types, you might want to edit the captiveportal.jetty.xml file to disable the unnecessary listeners. This is optional.
You can deploy one or many content applications. You might have a single content application that handles all types of redirection, or you might have a different application for each type of redirection, including a different application for each configured service redirection. The content applications do not need to be SESM applications. The SESM Captive Portal application can redirect to any web application.
The SSG TCP redirect feature can accept any type of web application in the SSG captive portal groups. There is no requirement to use the SESM Captive Portal application. In addition, there is no requirement to use the 2-tiered approach used by the SESM solution. However, using the 2-tiered approach with the SESM Captive Portal application has certain advantages:
You can configure the TCP redirect feature to redirect directly to an application that provides content to the subscriber. For example:
This section describes how to install and configure the sample captive portal solution in the quickest possible configuration. To alter the default configuration after installation, see the "MBeans in the Captive Portal Solution" section.
This section includes the following topics:
The following information concerning captive portal installation is important:
captiveportal
config
captiveportal.xml
ssgconfig.txt
webapp
docs
messageportal
config
messageportal.xml
webapp
docs
The installation procedure also adds startup scripts and container configuration files for Captive Portal and Message Portal to the jetty directory under your SESM installation directory:
jetty
bin
startCAPTIVEPORTAL
startMESSAGEPORTAL
config
captiveportal.jetty.xml
messageportal.jetty.xml
This section describes configuration that you must perform before you can see the captive portal solution in operation. These tasks are in addition to the configuration performed by the installation program.
To demonstrate the complete capabilities of the captive portal solution, you need to run it with a fully configured SSG. To configure the SSG TCP redirect features to work with the configuration parameters that you just installed on the SESM side, follow these procedures:
Step 1 Make sure the SSG device is running the appropriate Cisco IOS release, as described in the "SSG and SESM Release Requirements" section. If not, upgrade the Cisco IOS release before proceeding.
Step 2 Make sure that basic SSG functionality is enabled and configured, as described in the "Basic SSG Configuration" section.
Step 3 Open the ssgconfig.txt file in a text editor. The file location is:
captiveportal
config
ssgconfig.txt
The ssgconfig.txt file contains all of the Cisco IOS commands required to configure the four types of TCP redirection that the sample captive portal solution can demonstrate. The commands in this file will configure SSG to match the default values presented during the captive portal installation. The file includes placeholder IP addresses.
Step 4 Edit ssgconfig.txt as follows:
Step 5 On the SSG host device, enter the contents of ssgconfig.txt to update the Cisco IOS running-config file.
Step 6 Save running-config.
In LDAP mode, create some basic subscriber profiles using CDAT. You can then use the NWSP account management feature to modify interests (hobbies) or add subscriptions.
You might want to change the configuration so that each service redirection is assigned a unique redirection destination.
To change a destination URL for service redirections, follow these procedures:
Step 1 Open the captiveportal.xml file in a text editor. The location is:
captiveportal
config
captiveportal.xml
Step 2 Locate the service redirect definition. For example:
<Call name="defineServiceRedirect">
<Arg><SystemProperty name="serviceRedirect1.port" default="8094"/></Arg>
<Arg><SystemProperty name="serviceRedirect1.URL" default=""/></Arg>
<Arg><SystemProperty name="serviceRedirect1.service" default="service1"/></Arg>
</Call>
Step 3 Change the URL in the second argument in the service redirection definition to the desired service URL.
Note When the second argument is empty (or its system property default is empty), the value in the
serviceRedirectDefaultURL attribute is used. By using a default page in
serviceRedirectDefaultURL attribute, you do not have to enter the
same URL for all the service redirections. The default value provided by the installation program for the serviceRedirectDefaultURL attribute is the NWSP /serviceRedirect page. |
The following table shows the startup script names for the applications in the sample captive portal solution.
Platform | Startup Scripts |
---|---|
Solaris and Linux | jetty/bin/startCAPTIVEPORTAL.sh
jetty/bin/startMESSAGEPORTAL.sh
jetty/bin/startNWSP.sh
|
Windows NT | jetty\bin\startCAPTIVEPORTAL.cmd
jetty\bin\startMESSAGEPORTAL.cmd
jetty\bin\startNWSP.cmd
|
For information about the contents of these startup scripts, see "Running SESM Components." The optional mode argument described in that chapter can be used with these startup scripts. However, the run mode for the Captive Portal and Message Portal applications must agree with the run mode of the main portal application (NWSP).
This section describes the MBeans in the captive portal solution. The topics are:
The captive portal application uses the following MBeans:
To change attributes in these MBeans, you can use either of the following methods:
captiveportal
config
captiveportal.xml
The Logger MBean configures both logging and debugging tools. The logging tool logs captive portal application activity. The debugging mechanism produces messages useful for debugging. This is the same logging and debugging mechanism used by the SESM portal applications. See the "Logger MBean" section for more information.
The ManagementConsole MBean configures the management console port for CDAT, including valid user names and passwords for accessing the console. See the "Configuring the ManagementConsole MBean" section for more information.
Table 11-2 explains attributes in the captiveportal MBean.
Attribute Name | Explanation |
---|---|
These attributes provide a convenient way to switch on and off one or more of the TCP redirection types. Changing these attributes is much easier than reconfiguring the SSG. Valid values are:
| |
Identifies the captive portal host. The value can be a comma-separated list of aliases and/or addresses. The application uses this attribute to detect loops. If the request host and this host value match, as well as the request port and the listener port, the captive portal application redirects the browser to the URL in errorURL. | |
In the installed configuration files, the following attributes are assigned values that are Java system properties. You can change the default value of a system property in the XML file, or you can override the default value at run time on the startup script command line. | |
The URL that you want the subscriber's browser to be redirected to after each type of redirection. Each URL is constructed as: http:// host:portURI where:
The default values for the system properties and the URIs were set during installation in the URL Out fields. | |
The port that the web server for the Captive Portal application will listen on for each redirection type coming from the SSG. These attributes are set to the following java system properties:
The default values for the system properties are the values you provided during installation in the Port In fields. If you change a port value, you must also change the SSG configuration to send redirections to the same port. | |
This value is passed to the Message Portal application in the CPDURATION parameter. It specifies the length of time that the Message Portal application waits before attempting to perform a redirection to the subscriber's originally requested URL. Note The SSG TCP redirect commands also accept a duration attribute. See the "Message Duration ParametersSummary" section for more information. | |
defineServiceRedirect is a system call that passes 3 arguments. There is a call for each specific service redirection and one for the default service redirection. 1. PortThe port that the web server for the Captive Portal application will listen on for the service redirections coming from the SSG. Its value is a Java system property whose default value was set during installation in the Port In fields.
2. URL (Optional)The complete URL to the page you want the browser to be redirected to after the service redirection. If blank, the serviceRedirectDefaultURL is used. Note The installation program does not prompt for or set these URLs, which means that all service redirections are redirected to the serviceRedirectDefaultURL above. If you want to set service-specific URLs for each service redirection, provide the URLs here. 3. service name (Optional)If provided, the captive portal application includes the service name in the query parameters appended to the URL that it forwards to the configured content application (for example, NWSP). The NWSP application uses the service name to attempt to connect to the service. | |
The URL that the Captive Portal application redirects to if it does not find a URL to redirect to for the given port that the request came in on. The default value set at installation time redirect to the NWSP /home page. | |
parameter names: | These attributes define the parameter names used in the HTTP redirect requests. For example, the parameter name used to identify the subscriber's originally requested URL is CPSUBSCRIBER. You can change this to some other name by changing the value of userRedirectURLParam or MessageRedirectURLParam. These parameter names are visible to the subscriber in the browser's URL field. They appear in the query string appended to the URL. |
The Message Portal application uses the following MBeans:
To change attributes in these MBeans, you can use either of the following methods:
messageportal
config
messageportal.xml
The Logger MBean configures both logging and debugging tools. The logging tool logs Message Portal application activity. The debugging mechanism produces messages useful for debugging. This is the same logging and debugging mechanism used by the SESM portal applications. See the "Logger MBean" section, for more information.
The ManagementConsole MBean configures the management console port for the Message Portal application, including valid user names and passwords for accessing the console. See the "Configuring the ManagementConsole MBean" section for more information.
The SESMMBean is required in all SESM portal applications. It sets the SESM mode for the application. The "SESM MBean" section describes this MBean.
For the Message Portal application, the mode attribute must be one of the following:
The SESMDemoMode MBean is required in all SESM portal applications that are running in Demo mode. See the "SESMDemoMode MBean" section for more information about this MBean.
If you run the message portal application in Demo mode, it obtains subscriber profiles from the file identified in this MBean. You can add interests (hobbies) to subscriber profiles in the demo data file using the $AA subattribute, as described in Table C-6, "Attributes in Subscriber Profiles".
The DESSMode MBean is required in all SESM portal applications that are running in LDAP mode. See the "DESSMode MBean" section for more information about this MBean.
Table 11-3 explains the configuration attributes in the messageportal MBean.
Attribute Name | Explanation |
---|---|
For advertisement redirections, specifies the default page to redirect to if:
| |
For initial logon and advertisement redirections, specifies a default URL to redirect to after the captivation duration has elapsed, if a CPURL parameter was not included in the query string of the HTTP request from the Captive Portal application. The CPURL parameter specifies the originally requested URL from the subscriber (before redirection). | |
Optional. This value is used if the Captive Portal application does not forward a CPDURATION parameter. This attribute applies only if the redirectOn attribute is true. For initial logon and advertisement redirections, it specifies the length of time that the Message Portal application waits before attempting to perform the redirection to the subscriber's originally requested URL. Note The SSG TCP redirect commands also accept a duration attribute. See the "Message Duration ParametersSummary" section for more information. | |
For advertisement redirections, indicates whether the interest attribute in the subscriber profile should be used to determine the page to redirect to. Valid values are:
Note In RADIUS mode, this attribute must be set to true. The interest attribute is not available with RADIUS profiles. | |
For initial logon and advertisement redirections, indicates action to take after the captivation duration elapses:
| |
cinema,
science,
internet,
news,
sports,
travel,
finance,
community
The interest values must match the options that you allow the subscriber to choose (for example, on an account self management page in NWSP) or that the service provider administrators are allowed to enter into an LDAP subscriber profile. | |
Specifies the advertisement page to display for each interest. (The Message Portal application displays the page appropriate to the first interest listed in a subscriber profile.) Separate each interest page with a comma. To use the default page for an interest, use any single character in the interestPages list. In the following example, subscribers whose profile contains science as the first interest see the default page as an advertisement. cinema.jsp,
.,
internet.jsp,
news.jsp,
sports.jsp,
travel.jsp,
finance.jsp,
community.jsp
|
The NWSP portal is the content application for unauthenticated user redirection and service redirections. The NWSP application contains the WebApp MBean. Table 11-4 explains configuration attributes in the WebAppMBean that are directly related to the captive portal solution.
Attribute Name | Explanation |
---|---|
For service redirections when the SSG prepaid feature is enabled, tells NWSP which page to redirect to if the prepaid limit for the requested service is reached. No redirection occurs if this attribute is null or empty. The default value that exists after installation is the NWSP recharge page. | |
For service redirections, tells NWSP which page to redirect to if the HTTP request from the Captive Portal application does not include a service parameter. The default value that exists after installation is the NWSP status page. | |
For service redirections, tells NWSP which page to redirect to if:
The default value that exists after installation is the NWSP home page. | |
For service redirections, tells NWSP which page to redirect to if the subscriber is not subscribed to the service that is specified in the HTTP request from the Captive Portal application. The default value that exists after installation is:
| |
For service redirections, tells NWSP which page to redirect to if the subscriber is not subscribed to the requested service and:
The default value that exists after installation is the NWSP home page. | |
For service redirections, tells NWSP which page to redirect to when the service in the HTTP request from the Captive Portal application does not require service logon. The default value that exists after installation is the NWSP serviceStart page. | |
The default value that exists after installation is the NWSP serviceLogon page. |
SESM duration must be equal to or longer than the SSG duration. Otherwise, redirections that SESM attempts to perform are too early and do not take place.
On the SSG side, the message duration controls the length of time the SSG holds the browser to the message page before allowing the browser to display any other URL. If the subscriber or any web application (such as the SESM message portal application) attempts to redirect the browser before the SSG duration time has elapsed, the attempt fails. On the SSG side, duration is specified as follows:
On the SESM side, the message duration controls how long the content application waits before attempting to redirect the browser from the message page to the subscriber's originally intended URL or to a default URL. (If the redirect feature is turned off in the messageportal.xml file, then the SESM duration attributes are ignored.) On the SESM side, duration is specified as follows:
This section summarizes how to configure the TCP redirect features on the SSG host device. For additional information, see the SSG documentation listed in the "Related Documentation" section.
This section includes the following topics:
To allow the Captive Portal application to obtain the subscriber name from profiles, the following configurations are required:
1. If the SESM single sign-on feature is turned on, the SSG profile cache feature must also be turned on:
ssg profile-cache
2. If the SSG port-bundle host key feature is used, ensure that the destination range configured in the port-mapping command includes the port numbers you assigned during the captive portal configuration, in addition to the port number of the main SESM web application. (The suggested default values that the installation program uses for the Captive Portal configuration are 8090 to 8096.)
ssg port-map enable
ssg port-map destination range 8080 to 8100 ip 10.0.1.4
ssg port-map source ip Loopback()
SSG sends a redirected TCP packet to a captive portal group. A captive portal group consists of one or more web servers running an application that can handle the redirected packet. If you deploy the SESM captive portal solution, the web servers in your captive portal groups are running the SESM Captive Portal application.
Grouping multiple instances of a captive portal application allows the SSG to apply sequential load balancing over the members of the group. The SSG monitors the web servers in the group and redirects packets only to those servers that respond.
You can configure as many captive portal groups as required. For example, you can specify different captive portal groups for each type of redirection, or different destination networks for different services in service redirects.
Use the following command to create a captive portal group and add web servers to the group.
ssg tcp-redirect server-group group-name server ip-address port
A port list refers to the destination ports in the incoming TCP packets. For example, at most sites, ports 80 and 8080 would identify Internet packets, and port 70 would identify FTP packets. If you assign a port list to a captive portal group, you limit redirections to only the traffic arriving on the ports in the port list.
Note You can associate the same port-list to multiple captive portal groups. |
Use the following command to create a port list.
ssg tcp-redirect port-list
port port
port port
The examples in the following sections illustrate how to create port lists and captive portal groups.
If you do not configure a captive portal group to handle TCP packets from unauthenticated users, SSG discards packets from unauthenticated users. To obtain the SESM logon page, subscribers must enter the URL of the SESM web server.
Subscribers who are connecting to SSG over a PPP connection are already authenticated. The SSG accepts this authentication and creates the host object for the subscriber. If the subscriber logs out of SESM but does not log off of the PPP connection, the host object is marked inactive, and then unauthenticated redirection applies. When the PPP subscriber logs back into SESM (reauthenticates), the host object is active again.
Use the following command to specify which captive portal group will handle unauthenticated user redirections.
ssg tcp-redirect redirect unauthenticated-user to group-name
The following commands from ssgconfig.txt create a captive portal group named userRedirect. The group consists of one web server whose IP address is 10.0.1.4, with a listener on port 8090. (In the sample solution, this must be the IP address of the web server for the SESM captive portal application. The port must match the port you configured for unauthenticated user redirections in the captiveportal.xml file.) The userRedirect group is associated with unauthenticated user redirections. A port list cannot be assigned to this type of redirectionuser redirection applies to all TCP packets that are not authenticated.
ssg tcp-redirect
server-group userRedirect server 10.0.1.4 8090
redirect unauthenticated-user to userRedirect
Otherwise, service redirection redirects a TCP packet if all of the following conditions are true:
The following IOS commands from ssgconfig.txt configure three specific service redirections and a default service redirection. All of the service redirections are applied only to traffic coming into ports 80 and 8080. Each type of service redirection uses a different port on the same web server (the web server at IP address 10.0.1.4, which is the web server in which the SESM Captive Portal application is running).
ssg tcp-redirect
network-list serviceNetwork1
network 1.1.1.0 255.255.255.0
!
network-list serviceNetwork2
network 2.2.2.0 255.255.255.0
!
network-list serviceNetwork3
network 3.3.3.0 255.255.255.0
!
port-list ports
port 80
port 8080
server-group serviceRedirect1
server 10.0.1.4 8094
!
redirect port-list ports to serviceRedirect1
redirect unauthorized-service destination network-list serviceNetwork1 to
serviceRedirect1
!
server-group serviceRedirect2
server 10.0.1.4 8095
!
redirect port-list ports to serviceRedirect2
redirect unauthorized-service destination network-list serviceNetwork2 to
serviceRedirect2
!
server-group serviceRedirect3
server 10.0.1.4 8096
!
redirect port-list ports to serviceRedirect3
redirect unauthorized-service destination network-list serviceNetwork3 to
serviceRedirect3
server-group defaultServiceRedirect
server 10.0.1.4 8093
!
redirect port-list ports to defaultServiceRedirect
redirect unauthorized-service to defaultServiceRedirect
It is possible for some services to share some of their address space. For example, consider an Internet service with allowable networks of 0.0.0.0 and a mask 0.0.0.0. (In effect, any address is permissible.) An IPTV service would have a much smaller network spacefor example, 1.2.3.0 with a mask of 255.255.255.0). In this situation, having access to the Internet service should not automatically give access to the IPTV service.
You can configure the SSG to handle the situation described above by configuring a specific service redirection for the narrow address space. This takes precedence over the wider address space, thus ensuring that the specific service redirection occurs.
Note The SESM captive portal solution also uses duration parameters. See the "Message Duration ParametersSummary" section for more information. |
Use the following command to specify which captive portal group will handle initial logon redirections and to set the duration of the display.
ssg tcp-redirect redirect captivate initial default group group-name duration seconds
The following commands from ssgconfig.txt create a port list named ports and a captive portal group named initialCaptivate. The group consists of one web server whose IP address is 10.0.1.4, with a listener on port 8091. (In the sample solution, this must be the IP address of the web server for the SESM captive portal application. The port must match the port you configured for initial logon redirections in the captiveportal.xml file.) The initialCaptivate group is associated with initial logon redirections. The message captivation lasts for 10 seconds, unless the subscriber profile overrides that value. Redirections to this group are applied to TCP packets arriving on the SSG at ports 80 or 8080, as specified in the port list.
ssg tcp-redirect
port-list ports
port 80
port 8080
server-group initialCaptivate
server 10.0.1.4 8091
redirect port-list ports to initialCaptivate
redirect captivate initial default group initialCaptivate duration 10
The advertising redirection redirects subscribers at timed intervals throughout the current session. The length of time that the message is displayed (the duration) and the frequency of the intervals are controlled by:
The frequency is approximate, because redirection can occur only when a TCP packet is initiated by the subscriber.
Note The Message Portal application also accepts a duration attribute. See the "Message Duration ParametersSummary" section for more information. |
Use the following command to specify which captive portal group will handle advertising redirections, and to set the duration and frequency of the display. The valid range for duration and frequency is 1 to 65,536 seconds.
ssg tcp-redirect redirect captivate advertising default group group-name duration seconds
frequency seconds
The following commands from ssgconfig.txt create a port list named ports and a captive portal group named advertisingCaptivate. The group consists of one web server whose IP address is 10.0.1.4, with a listener on port 8092. (In the sample solution, this must be the IP address of the web server for the SESM captive portal application. The port must match the port you configured for advertising redirections in the captiveportal.xml file.) The advertisingCaptivate group is associated with advertising redirections. The captivation lasts for 5 seconds and occurs every 60 seconds, unless the subscriber profile overrides those values. Redirections to this group are applied to TCP packets arriving on the SSG at ports 80 or 8080, as specified in the port list.
ssg tcp-redirect
port-list ports
port 80
port 8080
server-group advertisingCaptivate
server 10.0.1.4 8092
redirect port-list ports to advertisingCaptivate
redirect captivate advertising default group advertisingCaptivate duration 5 frequency
60
This section describes some potential problems with captive portal installation and configuration:
If some TCP redirections do not seem to be occurring, check whether or not any of the following configuration problems exist:
Check the following parameters in the captiveportal.xml file to make sure that the redirection type is turned on in the captive portal application:
If you use the same port number for more than one type of redirection in the captiveportal.xml file, only one of the redirections per port is operational. This might happen if, during captive portal installation, you change the default port numbers suggested by the installation program, and erroneously reuse the same port number.
The precedence order that determines which type of redirect is operational on a port is:
1. unauthorized user redirections
2. initial logon redirections
3. advertising redirections
4. service redirections
Check the SSG configuration to make sure that:
If the browser is continuously redirected to the same page, investigate the following topics:
For example, suppose you want to establish service redirections for a service on network 10.1.1.1. If you define the incoming destination network that is eligible for redirections as follows:
ssg tcp-redirect
network-list serviceNetwork1
network 10.1.1.0 255.255.255.0
then you must define the service route for the service using the same IP address and mask (10.1.1.0 and 255.255.255.0).
If you define the service route differently (for example, you use 10.1.1.1 and 255.255.255.255), then the service redirection occurs repeatedly. After the first and required service redirection, any subsequent requests are subject to the service redirection, even though the service is connected.
The symptom of this misconfiguration is the continuous redisplay of the redirect URL. For example, in the sample SESM solution, the NWSP service logon page appears each time you click the OK button, even though the service is already connected.
If you deploy a web server other than the SESM Captive Portal application as the redirect server, and the web server uses HTTP1.1, make sure to use the protocol options that explicitly close the connection for each response from the web server.
HTTP1.1 persists connections. The persistent connection causes the SSG to continue redirecting for subsequent requests because it is still handling the same connection. The SSG continues redirecting even after the mapping times out on the SSG. This behavior is particularly noticeable for initial captivation, where one would expect the redirection to occur only one time.
If the captive portal application is not passing the subscriber name (CPSUBSCRIBER) in the HTTP redirection for unauthenticated user redirections:
Note When these two attributes are empty, the user name feature is turned off. This might be desirable, for example, for performance reasons. |
Posted: Fri Oct 18 10:01:16 PDT 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.