ExtremeCloud IQ- Site Engine & Extreme Management Center

  • 1.  Captive Portal HTTP Mirroring

    Posted 07-08-2016 06:29
    Hi,

    In the NAC-Manager manual, an alternative for web (HTTP) redirection is mentioned. It's called "Captive Portal HTTP Mirroring"! This is the alternative for DNS-Proxy and/or Policy based Routing.
    Can somebody explain how Captive Portal HTTP Mirroring works exactly? I can't find anything about that in the manuals.
    What are the configuration steps to implement this type of web redirection? Which requirements are needed for this type of configuration?

    Thanks Ronny


  • 2.  RE: Captive Portal HTTP Mirroring

    Posted 07-11-2016 11:50
    Hello, this is a way to perform NAC's Captive Portal without a traditional redirect method such as PBR or Wireless redirect or even DNS Proxy. The HTTP traffic would get mirrored to NAC using a switch that supports either a policy (like the N or S series Enterasys switch) or an ACL etc. Once the mirrored HTTP traffic reaches the NAC with the "Captive Portal HTTP Mirroring" enabled, NAC will send back the login to the End System just like it does with PBR or wireless redirect during MAC Registration for example.

    Note that your topology must be set up such that the NAC End System's traffic is mirrored to the NAC interface, therefore logically becoming an "inline" solution rather than being out of band as it normally would be. I don't know of any documentation for this but you can review the documentation in the Extranet:

    https://extranet.extremenetworks.com/downloads/Pages/NMS.aspx

    Regards,
    Scott Keene



  • 3.  RE: Captive Portal HTTP Mirroring

    Posted 07-11-2016 12:02
    ...one more thing to note here is that most of the configuration for this is done on the switch that will be mirroring the traffic to the NAC (such as Policy-based Mirroring on an N or S series switch). For these switches you can use Policy Manager or switch CLI to configure the necessary policies and mirrors. You will also likely need an ACL somewhere to prevent the End Systems' HTTP traffic from making it to the Internet...so that NAC can answer it. The only configuration in NAC would be enabling the feature and "Enforcing" that change to the NAC appliance. Typically this is a custom solution that may require assistance from an on-site Engineer.

    -Scott Keene