Adding Subscriber Information to HTTP Redirect URLs
Starting in Junos OS Release 19.3R2, the HTTP redirect service is also supported if you have enabled Next Gen Services on the MX Series.
Starting in Junos OS Release 17.3R1, you can add subscriber information to a redirect URL to make it easier to track subscribers, change service policies, and provision services. For example, a WLAN service model might redirect subscribers to a captive portal when they connect to the network and open a browser. The captive portal may provide an opportunity to update or purchase new services or require subscribers to enter their credentials before they can access a service. For example, the subscriber might be offered an opportunity to pay for a faster Internet connection.
You can configure the Juniper Networks RADIUS VSAs Activate-Service (26-65) or Deactivate-Service (26-66) to specify a format for the redirect URL that includes tokens for several subscriber attributes. The values for these tokens are retrieved from the subscriber session database and appended to the redirect URL. When the CPCD service is activated, the modified redirect URL is then returned to the requesting HTTP client in a message with an HTTP 302 or 307 status code. You can specify the tokens in any order. When the CPCD service is deactivated, the subscriber traffic is no longer redirected; the deactivation effectively removes the redirect rule for the subscriber.
When the subscriber subsequently logs in at the captive portal or purchases new services or updates, the web server hosting the captive portal confirms the action based on the supplied credentials. The server then contacts the RADIUS service to update the service policies for that particular subscriber. The subscriber attributes appended to the redirect URL enable RADIUS to determine exactly which subscriber to update. RADIUS then sends a CoA to the router to update the subscriber’s policy and access.
Table 1 describes the supported subscriber tokens. If other tokens are included in the redirect URL format in the VSA, they are ignored.
| Token for URL Format | Subscriber Attribute |
|---|---|
| %subsc-ip% | Subscriber’s private IP address. |
| %subsc-ipv6% | Subscriber’s complete private IPv6 address (not just the prefix). |
| %nas-ip% | BNG IP address, configured with the |
| %ac-name% | This token is always empty on a BNG. |
| %dest-url% | Original, requested URL. |
| %nas-port-id% | Subscriber’s interface information, contained in the RADIUS NAS-Port-Id attribute (87). The attribute must include the interface name (physical or logical) and the PVLAN or CVLAN identifiers. The VLAN identifiers are in the range 1 through 4095. |
| %mac-sa% | MAC address of the WLAN client (the device the subscriber uses to access the network). |
| %sess-id% | Subscriber session ID. |
| %user-name% | Subscriber username. |
Refer to your RADIUS server documentation for information about configuring the service VSAs.
Configure the redirect URL with the desired tokens. In the following example, the redirect URL is http://portal.wifi.example.com. The tokens are delimited by the & (ampersand) character.
http://portal.wifi.example.com/xx?wlanuseraddr=%subsc-ip%
&nasaddr=%nas-ip%&url=%dest-url%&userlocation=%nas-port-id%
&usermac=%mac-sa%&acname=%ac-name%&session-id=%sess-id%
&username=%user-name%
The RADIUS service VSA includes the redirect URL with appended tokens in parentheses immediately following the name of the service to be activated—the dynamic service profile. In the following example, the profile is http-redirect-converged2:
http-redirect-converged2(http://portal.wifi.example.com/xx?wlanuseraddr=%subsc-ip%
&nasaddr=%nas-ip%&url=%dest-url%&userlocation=%nas-port-id%
&usermac=%mac-sa%&acname=%ac-name%&session-id=%sess-id%
&username=%user-name%)
As an example, the returned redirect URL might look like the following when the tokens are replaced with the actual subscriber values retrieved from the session database:
http://portal.wifi.example.com?wlanuseraddr=192.0.2.66&nasaddr=203.0.113.1
&url=http%3A%2F%2F192.0.2.1%3A80%2Ftest.html&ip=192.0.2.1:80
&userlocation=ge-1/0/0:100&usermac=00:00:5E:00:53:42&acname=
&session-id=886&username=USER1@EXAMPLE.NET
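Because the 302 or 307 response passes through the subscriber's browser, the portal receives these parameters from the client and should validate them before using them to tell RADIUS which subscriber to update. The following is an added example, not Juniper code, that parses the sample URL above on the portal side; the function names, the `KNOWN_BNGS` allowlist and the numeric session-ID rule are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The page's sample returned URL, joined onto one line.
SAMPLE = ("http://portal.wifi.example.com?wlanuseraddr=192.0.2.66&nasaddr=203.0.113.1"
          "&url=http%3A%2F%2F192.0.2.1%3A80%2Ftest.html&ip=192.0.2.1:80"
          "&userlocation=ge-1/0/0:100&usermac=00:00:5E:00:53:42&acname="
          "&session-id=886&username=USER1@EXAMPLE.NET")

# Assumption: the set of BNG addresses this portal accepts redirects from.
KNOWN_BNGS = {ipaddress.ip_address("203.0.113.1")}
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

def parse_redirect(url):
    """Return validated subscriber fields, or raise ValueError."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name):
        # A repeated or missing parameter is ambiguous, so reject it.
        values = qs.get(name, [])
        if len(values) != 1:
            raise ValueError(f"{name}: expected exactly one value")
        return values[0]

    nas = ipaddress.ip_address(one("nasaddr"))      # raises ValueError if malformed
    if nas not in KNOWN_BNGS:
        raise ValueError("nasaddr: not a known BNG")
    mac = one("usermac")
    if not MAC_RE.fullmatch(mac):
        raise ValueError("usermac: malformed MAC address")
    sess = one("session-id")
    if not (sess.isascii() and sess.isdigit()):     # assumption: numeric, as in the sample
        raise ValueError("session-id: not numeric")
    dest = urlsplit(one("url"))
    # Only absolute http(s) targets may be used for a post-login bounce.
    if dest.scheme not in ("http", "https") or not dest.hostname:
        raise ValueError("url: not an absolute http(s) URL")
    return {"subsc_ip": ipaddress.ip_address(one("wlanuseraddr")), "nas_ip": nas,
            "mac": mac.lower(), "session_id": int(sess),
            "username": one("username"), "dest_url": dest.geturl()}

def is_valid(url):
    """True if the redirect URL passes every check in parse_redirect."""
    try:
        parse_redirect(url)
        return True
    except ValueError:
        return False
```

Parameters the parser does not name, such as `ip` and `acname` in the sample, are ignored rather than trusted.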
You can configure adding subscriber information to the redirect URL for dynamic (converged) Routing Engine-based and dynamic MS-MPC/MS-MIC-based or MX-SPC3 services card-based CPCD.