(RADIATOR) Forced URL

Viraj Alankar valankar at ifxcorp.com
Thu Sep 6 11:56:56 CDT 2001


----- Forwarded message from Viraj Alankar <valankar at ifxcorp.com> -----

Date: Thu, 6 Sep 2001 12:36:55 -0400
From: Viraj Alankar <valankar at ifxcorp.com>
To: Amit Anand <Aanand at imedlink.net>
Subject: Re: (RADIATOR) Forced URL

On Thu, Sep 06, 2001 at 11:15:08AM -0400, Amit Anand wrote:
> Hello all:
> 
> I was wondering if there is a way within Radius to make users go to a
> particular URL after they have been authenticated. Sort of like a filter
> designed to make people visit a certain website first, and then after they
> can go out into the world. I would really appreciate any input any of you
> all could give me if you have done this or know how to do it. Thanks a lot!!

Hello Amit,

Depending on your RAS, you may be able to redirect users ALWAYS to a web page,
but as far as just doing that initially, and then letting them browse
elsewhere, I don't think it's possible.

We have implemented simple redirects for Ascend/Lucent devices. Our solution
involves sending DNS attributes in the radius response, and running a bogus
DNS server that always returns one IP.

For example, say I have a bogus DNS set up as 1.2.3.4, that always returns the
IP 5.6.7.8. This means any user using this DNS will get redirected to 5.6.7.8
no matter where they browse.

I send back in the radius reply the following to enforce this DNS restriction
as well as IP filters to block them from using another DNS or going to other
hosts:

        Ascend-Client-Primary-DNS = 1.2.3.4,
        Ascend-Client-Secondary-DNS = 1.2.3.4,
        Ascend-Client-Assign-DNS = DNS-Assign-Yes,
        Ascend-Data-Filter = "ip in forward dstip 1.2.3.4/32 udp dstport = 53",
        Ascend-Data-Filter = "ip in forward dstip 5.6.7.8/32 tcp dstport = 80",
        Ascend-Data-Filter = "ip in drop",
        Ascend-Data-Filter = "ip out forward"

We then use BIND 8 and a config similar to:

zone "." {
        type master;
        file "named.redirect.hosts";
};

and named.redirect.hosts containing something like:

$TTL 1D
@       IN      SOA     .       hostmaster.mydomain.com. (
        5
        8H
        2H
        1W
        1D )

        IN      NS      1.2.3.4

*.      IN      A       5.6.7.8

4.3.2.1.in-addr.arpa.           IN      PTR     mydns.mydomain.com.

Hope that helps.

Viraj.



----- End forwarded message -----
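
The filter list in the reply above can be checked offline before it goes into a user profile. The following is an added example, not part of the original message or of Radiator: a small Python evaluator for the subset of filter syntax shown in the post, run over constructed sample packets. It assumes rules are tried in order with the first match deciding, that "in" is traffic arriving from the dial-in user, and that an unmatched packet is dropped; 192.0.2.53 and 10.0.0.7 are made-up addresses.

```python
import ipaddress

FILTERS = [  # the four filters from the post's RADIUS reply, in the order sent
    "ip in forward dstip 1.2.3.4/32 udp dstport = 53",
    "ip in forward dstip 5.6.7.8/32 tcp dstport = 80",
    "ip in drop",
    "ip out forward",
]

def parse_filter(text):
    """Parse only the subset of the filter syntax that appears in the post."""
    tok = text.split()
    if len(tok) < 3 or tok[0] != "ip" or tok[2] not in ("forward", "drop"):
        raise ValueError("unsupported filter: " + text)
    rule = {"dir": tok[1], "action": tok[2], "dstip": None, "proto": None, "dstport": None}
    rest = iter(tok[3:])
    for t in rest:
        if t == "dstip":
            rule["dstip"] = ipaddress.ip_network(next(rest, ""))
        elif t in ("tcp", "udp"):
            rule["proto"] = t
        elif t == "dstport" and next(rest, "") == "=":
            rule["dstport"] = int(next(rest, ""))
        else:
            raise ValueError("unsupported token: " + t)
    return rule

def decide(rules, direction, dst, proto, dport):
    for r in rules:  # assumption: rules are tried in order, first match decides
        if (r["dir"] == direction
                and (r["dstip"] is None or ipaddress.ip_address(dst) in r["dstip"])
                and r["proto"] in (None, proto)
                and r["dstport"] in (None, dport)):
            return r["action"]
    return "drop"  # assumption: a packet matching no rule is not forwarded

RULES = [parse_filter(f) for f in FILTERS]
# Constructed sample packets: (direction, destination, protocol, destination port)
SAMPLES = [
    ("in", "1.2.3.4", "udp", 53),      # query to the assigned resolver
    ("in", "192.0.2.53", "udp", 53),   # query to any other resolver
    ("in", "1.2.3.4", "tcp", 53),      # DNS over TCP to the assigned resolver
    ("in", "5.6.7.8", "tcp", 80),      # HTTP to the redirect host
    ("in", "5.6.7.8", "tcp", 443),     # HTTPS to the redirect host
    ("out", "10.0.0.7", "tcp", 1025),  # traffic going back toward the user
]

def audit():
    return [decide(RULES, *s) for s in SAMPLES]
```

audit() returns forward, drop, drop, forward, drop, forward. Under these assumptions the catch-all drops queries to any other resolver, DNS over TCP, and HTTPS to the redirect host, so only UDP lookups against 1.2.3.4 and plain HTTP to 5.6.7.8 get through.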