Re: Webpage redirect

2002-12-12 Thread Fernando Teodoro



Hello Chris,

I'm not sure if I post the details to the mailing-list, but I'm using the
following RAS:
- Lucent PortMaster 3 (22 units)
- Lucent/Ascend Max6000 (4 units)
- MaxTNT (1 unit)

I was guessing if Cisco would do the trick - it does a lot of tricks. But
I have only Cisco routers in the ISP, no RAS :-(
I was also guessing that it's out of the Radius scope. There's no way to
interact Radius filter with http functions, like web redirect via proxy.
Too sad. I'm working on a log-parser to extract "filtered" login/phone
number from the log, and send it to my helpdesk crew - and they will call
the "filtered" customers. Not so elegant, but it's the most effective I
can do now...

Again, thanks for the support. 

Fernando.
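
The log-parser approach mentioned in this message could look like the sketch below. It is an added example, not part of the original thread. It assumes a log in the `Attribute = value` layout of a RADIUS detail file whose records carry User-Name, Calling-Station-Id and the Filter-Id applied to the session; the filter name `restricted`, the sample records and the function names are constructed for illustration.

```python
import re

# Constructed sample in the "Attribute = value" layout of a RADIUS detail log.
# Assumption: each record carries the login, the caller's number and the
# Filter-Id that was applied to the session.
SAMPLE_LOG = """\
Thu Dec 12 15:15:02 2002
\tUser-Name = "alice"
\tCalling-Station-Id = "1155550101"
\tFilter-Id = "restricted"

Thu Dec 12 15:16:40 2002
\tUser-Name = "bob"
\tCalling-Station-Id = "1155550102"

Thu Dec 12 15:20:11 2002
\tUser-Name = "alice"
\tCalling-Station-Id = "1155550101"
\tFilter-Id = "restricted"

Thu Dec 12 15:31:57 2002
\tUser-Name = "carol"
\tFilter-Id = "restricted"
"""

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_records(text):
    """Yield one attribute dict per blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m:
                record[m.group(1)] = m.group(2)
            else:
                record["Timestamp"] = line.strip()  # unindented header line
        yield record

def filtered_callers(text, filter_name="restricted"):
    """Return {login: sorted phone numbers} for sessions given filter_name."""
    callers = {}
    for rec in parse_records(text):
        if rec.get("Filter-Id") != filter_name or "User-Name" not in rec:
            continue
        numbers = callers.setdefault(rec["User-Name"], set())
        # Caller ID is not always delivered; keep the login without a number.
        if rec.get("Calling-Station-Id"):
            numbers.add(rec["Calling-Station-Id"])
    return {user: sorted(nums) for user, nums in callers.items()}
```

Repeated sessions by the same login collapse into one entry, and a login with no caller ID still appears so the helpdesk can look the customer up by account.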



Re: Webpage redirect

2002-12-12 Thread Chris Parker
At 03:15 PM 12/12/2002 -0300, Fernando Teodoro wrote:

> Hello Chris,
>
> I'm not sure if I post the details to the mailing-list, but I'm using the
> following RAS:
> - Lucent PortMaster 3 (22 units)

EOL product, but this is capable of doing what you want, if you can
find the docs to configure it.


> - Lucent/Ascend Max6000 (4 units)

EOL announced for this product, not capable of doing what you want anyway.


> - MaxTNT (1 unit)


EOL not announced yet for this product ( that I know ), but expect it to
go the way of the 6000 shortly ( Lucent wants to push the APX line ).


> I was guessing if Cisco would do the trick - it does a lot of tricks. But
> I have only Cisco routers in the ISP, no RAS :-(

Cisco was one example.  Other NAS ( such as the PM3 ) are also capable.


> I was also guessing that it's out of the Radius scope. There's no way to
> interact Radius filter with http functions, like web redirect via proxy.
> Too sad. I'm working on a log-parser to extract filtered login/phone
> number from the log, and send it to my helpdesk crew - and they will call
> the filtered customers. Not so elegant, but it's the most effective I
> can do now...

Something that all of the nas you listed can do fairly easily is apply
a packet filter via RADIUS ( Filter-ID ).  This could block port 80 traffic
from going anywhere except the proxy server.  You apply it selectively to
the users you want.  If they don't have proxy settings, they won't be able
to surf the web, so they'll likely call your NOC.  Your NOC can then tell
them to add the proxy settings and VOILA.

Many ways to skin the cat on this one.  Transparent proxying is nice, but
in practice it can be difficult to setup and maintain, especially across
a multi-nas environment.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Webpage redirect

2002-12-12 Thread Fernando Teodoro
> EOL product, but this is capable of doing what you want, if you can
> find the docs to configure it.

The magic can be done with PM3? Sounds great, it's the model for most of my
RAS.
I'll search about it, so. Do you know how this function (redirect according
to filter) is called?


> Something that all of the nas you listed can do fairly easily is apply
> a packet filter via RADIUS ( Filter-ID ).  This could block port 80 traffic
> from going anywhere except the proxy server.  You apply it selectively to
> the users you want.  If they don't have proxy settings, they won't be able
> to surf the web, so they'll likely call your NOC.  Your NOC can then tell
> them to add the proxy settings and VOILA.

I'm using Filter-ID; filtered customers have only access to my webserver and
mail server
(I'm also trying to discover how to limit the daily usage to 30 minutes)

The problem is my ISP was working together with another ISP, and now this
fellowship has been broken apart. So, when I restrict my customers to only
my webpage (where there's a message telling the story, with a link to
validate their accounts), they must ACTIVELY open the browser and go to my
website (could be a proxy, which I'm not using at this time), to read the
message. Therefore, if they can't go anywhere else in web, there's 50%
chance they'll call my NOC, and 50% chance they'll call the other NOC (the
other ISP)

What a puzzle!


Fernando





Webpage redirect

2002-12-11 Thread Fernando Teodoro
Hi Matt, and thanks for the tip. Walled Garden sounds fine.

I followed the link you sent me; as far as I understood, a captive portal is a
kind of gateway with transparent proxy that redirects the client browser;
so, when the customer tries any address, its source is verified from an
auth system (if it has already authenticated, he can pass through and go
anywhere). It should work for me, even with no auth - simply sending a
default webpage to the client with a cookie.

Yet, my problem remains: not all my customers should fall in this system -
they will (or will not) fit in this rule according to some criteria - and the
Radius is my first choice, since everybody must dial-in and auth in
Radius. If I let anyone auth in Radius and force anyone to authenticate in
browser to access the web, it will be a great pain for regular customers
(90% of the total users); this is the pattern used by free-ISP in Brazil,
and it makes these services so boring.

Most important, you answered my main question: there's no way to redirect
client's homepage with any of Radius features, right? Radius talks only
with RAS, and not with the end-user. So, any solution will require web-proxy
redirecting. No other way?

Thanks again,


Fernando.





Re: Webpage redirect

2002-12-11 Thread Chris Parker
At 04:59 PM 12/11/2002 -0300, Fernando Teodoro wrote:

> Hi Matt, and thanks for the tip. Walled Garden sounds fine.
>
> I followed the link you sent me; as far as I understood, a captive portal is a
> kind of gateway with transparent proxy that redirects the client browser;
> so, when the customer tries any address, its source is verified from an
> auth system (if it has already authenticated, he can pass through and go
> anywhere). It should work for me, even with no auth - simply sending a
> default webpage to the client with a cookie.
>
> Yet, my problem remains: not all my customers should fall in this system -
> they will (or will not) fit in this rule according to some criteria - and the
> Radius is my first choice, since everybody must dial-in and auth in
> Radius. If I let anyone auth in Radius and force anyone to authenticate in
> browser to access the web, it will be a great pain for regular customers
> (90% of the total users); this is the pattern used by free-ISP in Brazil,
> and it makes these services so boring.
>
> Most important, you answered my main question: there's no way to redirect
> client's homepage with any of Radius features, right? Radius talks only
> with RAS, and not with the end-user. So, any solution will require web-proxy
> redirecting. No other way?


There is no specific way via RADIUS directly to make this happen as
routing policy is outside the scope of RADIUS.

*HOWEVER* RADIUS can be used to communicate policy routing decisions
to the NAS if the NAS supports it.  It's a feature of the NAS, not
of RADIUS.

You can set up Policy Based Routing on Cisco NAS for example, triggered
by a Cisco-VSA attribute you return.  You could selectively return
the VSA trigger with Group attributes on your RADIUS server.

So, to answer your question, it does not require a web-proxy system.  It
depends on your NAS choice and the capabilities of that NAS.

-Chris
--
   \\\|||///  \  StarNet Inc.  \ Chris Parker
   \ ~   ~ /   \   WX *is* Wireless!\   Director, Engineering
   | @   @ |\   http://www.starnetwx.net \  (847) 963-0116
oOo---(_)---oOo--\--
  \ Wholesale Internet Services - http://www.megapop.net





Re: Webpage redirect

2002-12-11 Thread Simon White
On Wed, 11 Dec 2002, Chris Parker wrote:
> At 04:59 PM 12/11/2002 -0300, Fernando Teodoro wrote:
> > Yet, my problem remains: not all my customers should fall in this system -
> > they will (or will not) fit in this rule according to some criteria - and the
> > Radius is my first choice, since everybody must dial-in and auth in
> > Radius. If I let anyone auth in Radius and force anyone to authenticate in
> > browser to access the web, it will be a great pain for regular customers
> > (90% of the total users); this is the pattern used by free-ISP in Brazil,
> > and it makes these services so boring.
> >
> > Most important, you answered my main question: there's no way to redirect
> > client's homepage with any of Radius features, right? Radius talks only
> > with RAS, and not with the end-user. So, any solution will require web-proxy
> > redirecting. No other way?
>
> There is no specific way via RADIUS directly to make this happen as
> routing policy is outside the scope of RADIUS.
>
> *HOWEVER* RADIUS can be used to communicate policy routing decisions
> to the NAS if the NAS supports it.  It's a feature of the NAS, not
> of RADIUS.
>
> You can set up Policy Based Routing on Cisco NAS for example, triggered
> by a Cisco-VSA attribute you return.  You could selectively return
> the VSA trigger with Group attributes on your RADIUS server.
>
> So, to answer your question, it does not require a web-proxy system.  It
> depends on your NAS choice and the capabilities of that NAS.

Of course, if prepaid people dial a different number, and your NAS
supports passing that number (Called-Station-ID)? you can use this as a
criterion for filtering requests to assign a different IP subnet, for
example, and other complex hacks, but I'm too much of a newbie to tell you
if it will work, you'll have to look into it

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863

