Redirecting Traffic to a Captive Portal Web Page

A captive portal Web page is a page that receives redirected HTTP requests. You can use a captive portal page as the initial page a subscriber sees after logging in to a subscriber session and as a page used to receive and manage HTTP requests to unauthorized Web resources.

The type of information available from a captive portal page depends on the portal design. The page can provide informational messages or can let subscribers perform actions such as activating a service to which they have a subscription. For example, if a subscriber requests access to a service that the subscriber has not activated, the portal could display a captive portal page that tells the subscriber that the service is not available, or the page could prompt the subscriber to activate the requested service.

Implementing a captive portal requires the following:

• An instance of the redirect server installed on a host in the same network as a JUNOSe router. The redirect server redirects HTTP requests received from IP Filter to a captive portal page.
• When the SRC software is installed on a Solaris platform, the IP Filter tool installed and configured on the same host as the redirect server. This tool redirects incoming HTTP requests to the redirect server.
• Default policies installed on the JUNOSe router. The default policies on the JUNOSe router must include a forwarding or rate-limiting policy that permits access to the portal server and a next-hop rule to intercept the unauthorized access request packets. The target of the next-hop rule is the host on which the redirect server resides.
• A portal server for serving the captive portal pages.

For a sample captive portal, see the sample residential portal.

For information about configuring the redirect server, see Configuring the Redirect Server (SRC CLI).

Sequence for Redirecting Traffic

The following list describes the sequence of events that occurs when a subscriber tries to access a restricted service:

1. A subscriber opens a Web browser and attempts to access a restricted server; for example, http://a.com.
2. A next-hop policy on the JUNOSe router sends this request to the redirect server instead of to the requested server.

   The policy does not affect the destination address (resolved from a.com) in the IP packets.

3. For environments that have the SRC software installed on a Solaris platform, the IP Filter process running on the same host as the redirect server filters traffic and redirects traffic arriving on port 80 on the host’s incoming interface.
4. The captured request is redirected to an address and a port where the redirect server listens.
5. The redirect server opens a TCP port (8800 by default) and sends the type of response configured—an HTTP 200 (OK) or a small HTML document that encodes a refresh in the meta header of the of the file—to the subscriber’s browser for the requests.
6. The subscriber browser follows the redirect request and opens the captive portal page on the portal server.

Configuring the SRC Software in a Multihop Environment

The captive portal system implemented by the HTTP redirect server requires a single-hop connection; that is, the router accessed by the subscriber cannot be more than one hop away from the redirect server. However, some networking environments will require a multihop connection—through more than one router—to the redirect server.

You can use any of several methods to get around the intermediate, next-hop routers, such as IP-in-IP tunneling, deployment of a NAT device, and dynamic DNS. Contact Juniper Networks Professional Services for assistance with these methods.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.