[Subscriber Management] Routing Engine based static and converged Captive Portal Content Delivery.

Article ID: KB31615 KB Last Updated: 09 May 2017 Version: 1.0
Summary:

This article explains how to configure and troubleshoot Routing Engine (RE) based static and converged Captive Portal Content Delivery (CPCD).

Solution:

This section shows how to configure and verify a Routing Engine based captive portal HTTP redirect service.
A Routing Engine based captive portal comes in two flavors:

  1. Static CPCD
  2. Converged CPCD

Static CPCD supported from 15.1.x

Add inline services

jtac@ERX-MX960-II-RE0# show chassis fpc 4
pic 0 {  
inline-services {
        bandwidth 1g;
    }
}

 
The inline SI interface comes up:

jtac@ERX-MX960-II-RE0# run show interfaces terse si-4/0/0
Interface               Admin Link Proto    Local                 Remote
si-3/0/0                up    up
si-3/0/0.0              up    up   inet



Configure family INET and check SI interface status

jtac@ERX-MX960-II-RE0# show interfaces si-4/0/0
unit 0 {
    family inet;
    family inet6;
}

jtac@ERX-MX960-II-RE0# run show interfaces terse si-4/0/0
Interface               Admin Link Proto    Local                 Remote
si-3/0/0                up    up
si-3/0/0.0              up    up   inet    
                                   inet6    fe80::2a0:a530:7b:bfdd/64


Configure the captive-portal-content-delivery service and the service set
 
jtac@ERX-MX960-II-RE0# show services
captive-portal-content-delivery {
    rule r1 {
        match-direction input;
        term 1 {
            then {
                redirect http://192.168.1.1/index.php;
            }
        }
    }
    profile http-redirect-3 {
        cpcd-rules r1;
    }
    traceoptions {
        file cpcd.log size 100m;
        flag all;
    }
}
service-set sset2 {
    service-set-options {
        routing-engine-services; <-- To indicate this is RE-Based CPCD
    }
    captive-portal-content-delivery-profile http-redirect-3;
    interface-service {
        service-interface si-4/0/0; <-- “si” interface is used for RE-Based CPCD
    }
}


Configure dynamic profile for HTTP redirect

jtac@ERX-MX960-II-RE0# show dynamic-profiles REDIRECT
interfaces {
        pp0 {
        unit "$junos-interface-unit" {
            family inet {
                service {
                    input {
                        service-set sset2 service-filter WALLED;
                    }
                    output {
                        service-set sset2 service-filter RETURN;
                    }
                }
            }
        }
    }
}



Configure firewall family inet service filters
 
jtac@ERX-MX960-II-RE0> show configuration firewall family inet
            
service-filter WALLED {
    term 0 {
        from {
            destination-address {
                192.168.1.1/32;
            }
        }
        then {
            count count192ip;
            skip;
        }
    }
    term 1 {
        from {
            destination-port 53;
        }
        then {
            count countDNS;
            skip;
        }
    }
    term 2 {
        from {
            protocol icmp;
        }
        then {
            count countIcmp;
            skip;
        }
    }
    term 3 {
        from {
            destination-port [ 80 8080 443 ];
        }
        then {
            count redirectCount;
            service;
        }
    }
}

jtac@ERX-MX240-2-RE0# show firewall family inet service-filter RETURN
term 1 {
    then {
        count countReturned;
        skip;
    }
}
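
The term order in WALLED decides which subscriber traffic reaches the redirect service. The following is an added example, not part of the original article or of Junos: a small first-match model of the filter above, run over constructed packets, which also shows what happens if term 3 is placed ahead of term 0. It assumes that a packet matching no term bypasses service processing; the 198.51.100.7 address is invented.

```python
import ipaddress

# service-filter WALLED from this page, in configured order:
# (term, match conditions, counter, action)
WALLED = [
    ("0", {"dst": "192.168.1.1/32"}, "count192ip", "skip"),
    ("1", {"dport": {53}}, "countDNS", "skip"),
    ("2", {"proto": "icmp"}, "countIcmp", "skip"),
    ("3", {"dport": {80, 8080, 443}}, "redirectCount", "service"),
]

def term_matches(cond, pkt):
    """Every condition present in the term must match."""
    if "dst" in cond:
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(cond["dst"]):
            return False
    if "dport" in cond and pkt.get("dport") not in cond["dport"]:
        return False
    if "proto" in cond and pkt["proto"] != cond["proto"]:
        return False
    return True

def evaluate(pkt, terms=WALLED):
    """First matching term decides; returns (term, counter, action)."""
    for name, cond, counter, action in terms:
        if term_matches(cond, pkt):
            return name, counter, action
    # Assumption: traffic matching no term bypasses service processing.
    return None, None, "skip"

# Constructed subscriber packets (198.51.100.7 is an invented destination).
PACKETS = {
    "web":    {"proto": "tcp", "dst": "198.51.100.7", "dport": 80},
    "portal": {"proto": "tcp", "dst": "192.168.1.1", "dport": 80},
    "dns":    {"proto": "udp", "dst": "8.8.4.4", "dport": 53},
    "ping":   {"proto": "icmp", "dst": "198.51.100.7"},
    "ssh":    {"proto": "tcp", "dst": "198.51.100.7", "dport": 22},
}

def actions(terms=WALLED):
    return {name: evaluate(pkt, terms)[2] for name, pkt in PACKETS.items()}

# Moving term 3 ahead of term 0 sends portal traffic back into the redirect.
REORDERED = [WALLED[3]] + WALLED[:3]

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(name, evaluate(pkt))
    print("reordered portal:", evaluate(PACKETS["portal"], REORDERED))
```

Term 1 matches on destination port alone, so it skips both TCP and UDP traffic to port 53 at any address; term 0 has to stay ahead of term 3 so that requests to the portal itself are not redirected again.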

 
Verification of HTTP redirect service

jtac@ERX-MX960-II-RE0# run show subscribers extensive
Type: DHCP
User Name: jtac
IP Address: 100.125.6.2
IP Netmask: 255.255.255.0
Domain name server inet: 8.8.4.4
Domain name server inet6: 2001:4860:4860::8844
Logical System: default
Routing Instance: default
Interface: demux0.3221225472
Interface type: Dynamic
Underlying Interface: ae0.406
Dynamic Profile Name: DHCP-TEST
Dynamic Profile Version: 1
MAC Address: 00:16:01:00:00:01
State: Active
Radius Accounting ID: 100002
Session ID: 100002
PFE Flow ID: 40031
Stacked VLAN Id: 1
VLAN Id: 406
Login Time: 2017-04-10 13:24:48 IST
Service Sessions: 1
DHCP Options: len 9
35 01 01 37 04 01 03 3a 3b
IP Address Pool: DHCP
Accounting interval: 1800

   Service Session ID: 100003
   Service Session Name: REDIRECT
   Service Session Version: 1
   State: Active
   Family: inet
   Service Activation time: 2017-04-10 13:24:48 IST


jtac@ERX-MX960-II-RE0# run show dynamic-profile session service-id 100003
REDIRECT {
    interfaces {
        demux0 {
            unit 3221225472 {
                family {
                    inet {
                        service {
                                service-set sset2 {
                                }
                            input service-filter WALLED;
                                service-set sset2 {
                                }
                            output service-filter RETURN;
                        }
                    }
                }
            }
        }
    }
}

% netstat -an | grep 33082 [RE_SVC_CPCDD_UDP_PORT]
udp4       0      0  *.33082                                       *.*                                          
%
 
Captive-portal-content-delivery process started, pid 7662
jtac@ERX-MX240-2-RE0> Oct 16 00:11:22  sdkInitCallback ../../../../../../src/junos/usr.sbin/cpcdd/cpcddApp.cc:148
Oct 16 00:11:22 Timer mgr init successful
Oct 16 00:11:22  init ../../../../../../src/junos/usr.sbin/cpcdd/cpcddConfigMgr.cc:1159status: <Success:cpcdd class=2, code=0>
Oct 16 00:11:22  init ../../../../../../src/junos/usr.sbin/cpcdd/cpcddConfigMgr.cc:1190status: <Success:cpcdd class=2, code=0>
Oct 16 00:11:22  init ../../../../../../src/junos/usr.sbin/cpcdd/cpcddConfigMgr.cc:151 status: <Success:cpcdd class=2, code=0>
Oct 16 00:11:22 Config mgr init successful
Oct 16 00:11:22 Pic mgr init successful
Oct 16 00:11:22  init ../../../../../../src/junos/usr.sbin/cpcdd/cpcddUi.cc:347 Factory Instantiation succeeded
Oct 16 00:11:22 Ui mgr init successful
Oct 16 00:11:22 in bind
Oct 16 00:11:22 bind success port=33082

Generate HTTP Traffic

Oct 15 14:14:06 IPCCONN SEND  :::::  SUCESSFULLY SEND BYTES(dec) = 128IFL Index = 536870936
Oct 15 14:14:06  processInput ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceProtocolControlBlock.cc:111 No Dynamic Policy Found: Searching Static Policy
Oct 15 14:14:06  setPseudoHeader ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:341 Version V4
Oct 15 14:14:06  setPacketContext ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:727
Oct 15 14:14:06  createEvent ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:740
Oct 15 14:14:06  processEvent ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:812
Oct 15 14:14:06  run ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:783event = 12
Oct 15 14:14:06  runActions ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:800
Oct 15 14:14:06  actionRxSynRcv ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:575
Oct 15 14:14:06  TCP RX State: SYN_RCV -> ESTABLISHED
Oct 15 14:14:06  actionNop ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:721
Oct 15 14:14:06  processInput ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceProtocolControlBlock.cc:111 No Dynamic Policy Found: Searching Static Policy
Oct 15 14:14:06  setPseudoHeader ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:341 Version V4
Oct 15 14:14:06  setPacketContext ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:727
Oct 15 14:14:06  createEvent ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:740
Oct 15 14:14:06  processEvent ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:812
Oct 15 14:14:06  run ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:783event = 13
Oct 15 14:14:06  runActions ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:800
Oct 15 14:14:06  actionTxEstablished ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceTcpProtocol.cc:616
Oct 15 14:14:06 HTTP: Enter  processInput ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceHttpProtocol.cc:534iflIndex 536870936
Oct 15 14:14:06  setFilePath ../../../../../../src/junos/usr.sbin/cpcdd/services/serviceHttpProtocol.cc:379file Path : /
Oct 15 14:14:06  foundHost0
Oct 15 14:14:06 Inserting in map : Host 11.11.0.1
Oct 15 14:14:06 HTTP:iflIndex 536870936 Redirect URL: http://192.168.1.1/index.php


jtac@ERX-MX960-II-RE0# run show services captive-portal-content-delivery statistics interface si-4/0/0    

service-set interface: si-4/0/0

Packets received   Packets altered  
3                     3    <-- Packets are getting redirected.


Oct 15 14:14:06 IPCCONN SEND  :::::  SUCESSFULLY SEND BYTES(dec) = 124IFL Index = 536870936
Oct 15 14:14:08  startTimer ../../../../../../src/junos/usr.sbin/cpcdd/cpcddUi.cc:289 start timer 0x8c0b168
Oct 15 14:14:08  isVirtualReService ../../../../../../src/junos/usr.sbin/cpcdd/cpcddPicMgr.cc:1322
Oct 15 14:14:08 sendInterfaceStatsRequest to VirtualReService si-1/0/0
Oct 15 14:14:08  getVirtualREServiceStats ../../../../../../src/junos/usr.sbin/cpcdd/cpcddPicMgr.cc:1329CpcddREServiceVirtualPic: get Stats
Oct 15 14:14:08  handleShowCommand ../../../../../../src/junos/usr.sbin/cpcdd/services/servicesManager.cc:947msgType: 6 msgLen: 12
Oct 15 14:14:08  handleShowCommand ../../../../../../src/junos/usr.sbin/cpcdd/services/servicesManager.cc:975SsetId3 received 3 Altered 3


Converged CPCD supported from 16.1R4

“Converged” means that the CPCD rules are formed dynamically from the variables configured in the CLI and pushed during service instantiation or during a Change of Authorization (CoA). For CPCD, if the variable “redirect-url” is configured in the dynamic profile under the services stanza as shown below, it is populated through a RADIUS VSA as part of CoA or during subscriber bring-up. Because the services configuration is placed under dynamic profiles, this may be why it is called “converged services”. With converged-service CPCD, a separate redirect-url can be configured for each subscriber using a RADIUS VSA.

Configuration

jtac@ERX-MX960-II-RE0# show services
captive-portal-content-delivery {
    profile converged-profile {
        dynamic; <-- dynamic indicates this is converged CPCD
    }
}
service-set sset2 {
    service-set-options {
        routing-engine-services; <-- To indicate this is RE-Based CPCD
    }
    captive-portal-content-delivery-profile converged-profile;
    interface-service {
        service-interface si-4/0/0; <-- “si” interface is used for RE-Based CPCD
    }
}


jtac@ERX-MX960-II-RE0# show dynamic-profiles REDIRECT
variables {
    redirect-url mandatory;
}
interfaces {
    demux0 {
        unit "$junos-interface-unit" {
            family inet {
                service {
                    input {
                        service-set sset2 service-filter WALLED;
                    }
                    output {
                        service-set sset2 service-filter RETURN;
                    }
                }
            }
        }
    }
}
services {
    captive-portal-content-delivery {
        rule converged-profile {
            match-direction input;
            term T1 {
                then {
                    redirect "$redirect-url";
                }
            }
        }
    }
}


Verify the HTTP redirect service

Use the following CLI command to check that the subscribers have the correct dynamic profile and services:

jtac@ERX-MX960-II-RE0# run show subscribers extensive      
Type: DHCP
User Name: jtac
IP Address: 100.125.6.3
IP Netmask: 255.255.255.0
Domain name server inet: 8.8.4.4
Domain name server inet6: 2001:4860:4860::8844
Logical System: default
Routing Instance: default
Interface: demux0.3221225473
Interface type: Dynamic
Underlying Interface: ae0.406
Dynamic Profile Name: DHCP-TEST
Dynamic Profile Version: 1
MAC Address: 00:16:01:00:00:01
State: Active
Radius Accounting ID: 100004
Session ID: 100004
PFE Flow ID: 40032
Stacked VLAN Id: 1
VLAN Id: 406
Login Time: 2017-04-10 15:08:03 IST
Service Sessions: 1
DHCP Options: len 9
35 01 01 37 04 01 03 3a 3b
IP Address Pool: DHCP
Accounting interval: 1800

   Service Session ID: 100005
   Service Session Name: REDIRECT
   Service Session Version: 2
   State: Active
   Family: inet
   Service Activation time: 2017-04-10 15:08:03 IST
   Dynamic configuration:
     redirect-url: http://192.168.1.1/index.php

jtac@ERX-MX960-II-RE0# run show dynamic-profile session service-id 100005
REDIRECT {
    interfaces {
        demux0 {
            unit 3221225473 {
                family {
                    inet {
                        service {
                                service-set sset2 {
                                }
                            input service-filter WALLED;
                                service-set sset2 {
                                }
                            output service-filter RETURN;
                        }
                    }
                }
            }
        }
    }
    services {
        captive-portal-content-delivery {
            rule converged-profile {
                match-direction input;
                term T1 {
                    then {
                        redirect http://192.168.1.1/index.php;
                    }
                }
            }
        }
    }
}


For the inline service interface statistics, check the number of packets received and the number of packets processed (shown as the number of packets altered):

jtac@ERX-MX960-II-RE0# run show services captive-portal-content-delivery statistics interface si-4/0/0

service-set interface: si-4/0/0

Packets received   Packets altered  
53                    53       
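
With converged CPCD the redirect URL arrives per subscriber from RADIUS, while the walled garden stays static in service-filter WALLED, so a URL whose host is not covered by term 0 would itself match term 3 and be redirected again. The following is an added example, not part of the original article: it parses text in the layout of `show subscribers extensive` above and reports redirect targets outside the walled garden. The second subscriber, its interface and its URL are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

WALLED_GARDEN = [ipaddress.ip_network("192.168.1.1/32")]  # WALLED term 0 on this page

# Constructed sample in the layout of "show subscribers extensive";
# the second record is invented for the example.
SAMPLE = """\
Type: DHCP
Interface: demux0.3221225473
   Dynamic configuration:
     redirect-url: http://192.168.1.1/index.php
Type: DHCP
Interface: demux0.3221225474
   Dynamic configuration:
     redirect-url: http://192.168.1.9/index.php
"""

def parse_subscribers(text):
    """Split the output into one dict per subscriber; 'Type:' starts a record."""
    records = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # e.g. the raw DHCP option bytes
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Type":
            records.append({})
        if records:
            records[-1][key] = val
    return records

def audit(text, allowed=WALLED_GARDEN):
    """Return (interface, url, problem) for redirect targets outside the walled garden."""
    findings = []
    for rec in parse_subscribers(text):
        url = rec.get("redirect-url")
        if not url:
            continue
        try:
            addr = ipaddress.ip_address(urlsplit(url).hostname)
        except ValueError:
            # A hostname cannot be compared with the filter's prefixes here.
            findings.append((rec.get("Interface"), url, "host is not an IP literal"))
            continue
        if not any(addr in net for net in allowed):
            findings.append((rec.get("Interface"), url, "outside walled garden"))
    return findings
```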
            
 
