1. RBFS HTTP Redirect Service
This document provides information about RBFS HTTP Redirect Service. For enabling HTTP Redirect service, it is required to create, associate, and apply subscriber filters (ACLs) for the subscribers. For information about subscriber filters and how to configure these filters, refer to the RBFS Subscriber Filters User Guide.
1.1. Overview
RBFS HTTP Redirect service allows network service providers to intercept and redirect HTTP request traffic from subscribers to a designated captive portal instead of the original destination. This service is useful in a multitude of use cases, ranging from subscriber re-authentication to enforcing acceptance of network usage policies.
This captive portal is a webpage where the redirected subscribers are landed up to fulfill certain actions or conditions before they are granted broader access to the network resources. There are various reasons why captive portals can be set up, such as the following:
-
Accept the terms of service.
-
Receive and manage HTTP requests to unauthorized web resources.
-
Present a web page that requires the completion of certain actions from the subscriber.
-
Serve commercial communication or network usage policy messages.
By implementing the RBFS HTTP Redirect Service, network service providers can efficiently manage user access and enforce compliance with network regulations and policies, ultimately enhancing the overall security and user experience within their network environment.
Based on the applied filters, RBFS performs three actions which are accept, drop, and redirect. The action Accept allows the subscribers to access the network resource that they request. The Drop action restricts the subscriber from accessing the network resource. Finally, the Redirect action, if enabled HTTP redirect service, takes the subscriber to a different portal where the service provider wants to fulfill certain actions by the subscriber before accessing the network resource.
In addition to RBFS Subscriber Filters, a redirect action is supported by RBFS through the utilization of Ascend Data Filters (ADF), as described in the RBFS RADIUS Services guide.
The RBFS HTTP Redirect Service together with the Subscriber Filters empowers network service providers to intercept and redirect HTTP request traffic from subscribers, guiding it towards a designated captive portal instead of its original destination.
1.2. How RBFS HTTP Redirect Service Works
HTTP requests from subscribers to any destination are intercepted by the RBFS HTTP Redirect service, if the subscriber filter rules are applied to the subscriber. In response to the request from the subscriber to access the network, the HTTP Redirect service provides the HTTP status code 302 along with the new URL to guide the subscriber to the new destination. To make it possible, the RBFS Subscriber Filters are employed, enabling the service to decide which requests should be redirected and which requests should be passed directly without redirection. In addition to RBFS Subscriber Filters, a redirect action is supported by RBFS through the utilization of Ascend Data Filters (ADF), as described in the RBFS RADIUS Services guide.
1.3. Enabling HTTP Redirect Service Using RADIUS ADF
Both the RBFS Subscriber Filters and the HTTP Redirect Service can be dynamically enabled, disabled, and updated through RADIUS access-accept and CoA requests without requiring the re-establishment of the subscriber session. This flexibility allows network administrators to efficiently manage and modify these services as needed without disrupting subscriber connectivity.
RBFS provides a set of vendor-specific attributes to control the RBFS Subscriber Filters and the HTTP Redirect Service. The attributes include:
-
VSA 26-50058-75 - RtBrick-HTTP-Redirect-URL
-
VSA 26-50058-76 - RtBrick-IPv4-ACL-IN
-
VSA 26-50058-77 - RtBrick-IPv4-ACL-OUT
-
VSA 26-50058-78 - RtBrick-IPv6-ACL-IN
-
VSA 26-50058-79 - RtBrick-IPv6-ACL-OUT
For more information about these attributes, see RBFS RADIUS Services guide.
1.4. Limitations
The HTTP Redirect Service is currently supported only for IPoE subscribers. HTTP Redirect service can redirect only HTTP traffic. Typically, the majority of web requests are in HTTPS format, which cannot be redirected. Due to this limitation, most end-user devices, including PCs, smartphones, and tablets, automatically attempt to access specific well-known URLs to search for captive portals immediately after establishing a network connection. Two common examples are http://connectivitycheck.gstatic.com (vendor-independent) and http://captive.apple.com (Apple devices).
2. HTTP Redirect Service Configuration
The configuration hierarchy for the HTTP Redirect service is illustrated in the diagram.
2.1. Service Profile Configuration
Syntax:
set access service-profile profile-name <profile-name> <attribute> <value>
| Attribute | Description |
|---|---|
<profile-name> |
Service profile name. |
<http-redirect> |
HTTP redirect service configuration. |
<url> |
HTTP redirect target URL. |
<acl> |
Subscriber ACL (filter) configuration. |
<ipv4-acl-in> |
IPv4 upstream ACL (ingress from subscriber). |
<ipv4-acl-out> |
IPv4 downstream ACL (egress to subscriber). |
<ipv6-acl-in> |
IPv6 upstream ACL (ingress from subscriber). |
<ipv6-acl-out> |
IPv6 downstream ACL (egress to subscriber). |
The following example shows a service profile named HTTP, redirect URL as the redirect destination. The 'ipv4-acl-in' ACL is applied as the filter criteria or ACL rule for this redirection.
supervisor@router: cfg> show config access service-profile HTTP
{
"rtbrick-config:service-profile": [
{
"profile-name": "HTTP",
"http-redirect": {
"url": "https://www.rtbrick.com"
},
"acl": {
"ipv4-acl-in": "redirect-acl-in"
}
}
]
}©Copyright 2024 RtBrick, Inc. All rights reserved. The information contained herein is subject to change without notice. The trademarks, logos and service marks ("Marks") displayed in this documentation are the property of RtBrick in the United States and other countries. Use of the Marks are subject to RtBrickās Term of Use Policy, available at https://www.rtbrick.com/privacy. Use of marks belonging to other parties is for informational purposes only.