Without the use of RADIUS or PPPoE for account authentication, I've found it difficult to find a solution for a walled garden. Since that is the case in my situation, I came up with a rather unique way to satisfy the need to capture payment by walling in the customer's service rather than simply turning it off. This improved after-hours reconnect service orders and reduced phone calls to reconnect service.
If you are unsure what a walled garden is in the SP (service provider) industry, use this link to Wikipedia.
First, I created a separate IP network that would become my walled network, in this case 192.168.255.0/24. This network is set up as a BVI (Bridged Virtual Interface) so that I can span it across multiple broadcast domains and routers without building separate ACLs and DHCP pools; I then attached the BVI to a VLAN (999) on the OLT. I then created a DHCP pool (250 IPs) with a 5 minute lease time that hands out our DNS servers as the DNS option in the lease (Cache1 – 172.20.206.83, Cache2 – 172.20.10.91).
Second, I built a view in the Efficient IP DNS caching server (smart). Views can be configured to look at the source host IP and treat those clients differently than the other DNS traffic by giving them different results to queries. If you don't use Efficient IP for DNS, you can use BIND on Linux and deploy a dedicated DNS server to do this function. Then in that new view (Elevate_Walled) I was able to hijack the TLDs (top level domains) and set up an A record wildcard in each TLD to point to my Apache server, which then immediately performs a meta redirect to smart hub (our pay portal). Then I created an ACL that walls the user in to only talk to the DNS servers, DHCP servers, Apache server and smart hub, but nowhere else.
Third, I set up the Apache web server (172.20.206.15) serving a plain HTTP index page that performs a meta redirect to payyourbill.com. You will also need to set up a RedirectMatch rule in Apache that can grab any domain and redirect it. For example, for google.com/search/images/dogs, Apache grabs that HTTP GET request, strips off the trailing directories and forces it to the TLD, in this case google.com, and then the redirects take over from there to always deliver the user to payyourbill.com.
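For the second and third steps above, here is what the BIND view and the Apache vhost look like when written out. This is an added example, not the configuration from the original post (which used Efficient IP rather than BIND); file paths, the zone names, the list of hijacked TLDs (com/net/org) and the SOA/NS values are assumptions, and the portal address 126.96.36.199 is taken from the ACL later in the post. Syntax is BIND 9 and Apache 2.4.

```conf
# --- /etc/bind/named.conf.local (BIND 9; path is an assumption) ---
# Source-address based view: clients on the walled subnet get the hijacked
# TLDs, everyone else falls through to the normal caching view below.
acl "walled-clients" { 192.168.255.0/24; };

view "Elevate_Walled" {
    match-clients { "walled-clients"; };
    # TLDs not hijacked below still resolve normally; those clients then
    # simply hit the deny at the end of the walled-garden ACL.
    recursion yes;

    # The portal must resolve to its real address inside this view,
    # otherwise the wildcard in the "com" zone would send it to Apache too.
    zone "payyourbill.com" {
        type master;
        file "/etc/bind/db.walled-portal";
    };

    # Hijacked TLDs: one authoritative zone file shared by all of them.
    zone "com" { type master; file "/etc/bind/db.walled-tld"; };
    zone "net" { type master; file "/etc/bind/db.walled-tld"; };
    zone "org" { type master; file "/etc/bind/db.walled-tld"; };
};

view "default" {
    match-clients { any; };
    recursion yes;
    # normal caching configuration continues here
};

; --- /etc/bind/db.walled-tld (loaded as the apex of every hijacked TLD) ---
$TTL 60                               ; short TTL so answers stop sticking soon after reconnect
@       IN  SOA  ns1 hostmaster ( 1 3600 900 604800 60 )
@       IN  NS   ns1
ns1     IN  A    172.20.206.83        ; Cache1, the server answering this view
@       IN  A    172.20.206.15        ; bare "com" -> Apache
*       IN  A    172.20.206.15        ; anything.com -> Apache (the wildcard)

; --- /etc/bind/db.walled-portal ---
$TTL 60
@       IN  SOA  ns1 hostmaster ( 1 3600 900 604800 60 )
@       IN  NS   ns1
ns1     IN  A    172.20.206.83
@       IN  A    126.96.36.199        ; portal address, as permitted by the ACL
www     IN  A    126.96.36.199

# --- /etc/apache2/sites-available/walled.conf (Apache 2.4; path is an assumption) ---
# Only vhost on :80, so it answers for whatever hostname the hijacked DNS produced.
<VirtualHost *:80>
    ServerName walled.invalid
    DocumentRoot /var/www/walled
    # Any request with a path (e.g. /search/images/dogs) goes straight to the
    # portal; a bare "/" falls through to index.html and its meta refresh.
    # 302 rather than 301 so browsers do not cache the redirect after the
    # customer has been restored to normal service.
    RedirectMatch 302 "^/.+$" "http://payyourbill.com/"
</VirtualHost>

# --- /var/www/walled/index.html ---
<!DOCTYPE html>
<meta http-equiv="refresh" content="0; url=http://payyourbill.com/">
```

Check the zone files with named-checkzone before loading them, then query Cache1 from a host that actually sits on 192.168.255.0/24 (the view matches on source address, so a test from the management network lands in the default view). Two things to keep in mind: only plain-HTTP navigations get the redirect, since a browser going to an https:// site will hit a certificate mismatch on the Apache box instead of the meta refresh; and the ACL only permits UDP to the DNS servers, so large answers that fall back to TCP 53 will be dropped.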
Fourth, in SIS (billing/provisioning system), when a DNP (did not pay) is performed, SIS re-provisions the RG (router gateway) service to the @Walled tag action in CMS (Calix Management System), which puts the RG service on VLAN 999 until the user logs in and pays their bill; at that time SIS re-provisions the RG service back to the previous service tag action.
Testing: I set myself up as a client in the @Walled tag action and did some testing. I got a DHCP address from the DHCP server that delivered the unique IPs of the modified DNS servers, and I was able to get a query hit on any TLD that resolved to the Apache web server. Of course browser caching will be a nuisance, but I've got 100% positive results from my testing.
Build the ACL (you may have to do a PCAP to get the IP of the legit destinations)
ipv4 access-list walled-garden
 10 permit tcp any host 172.20.206.15    <Apache server running meta redirect as index.html>
 20 permit udp any host 172.20.206.83    <DNS Cache 1 with modified zone file>
 30 permit udp any host 172.20.10.91     <DNS Cache 2 with modified zone file>
 40 permit tcp any host 126.96.36.199    <payyourbill.com>
 41 permit tcp any host 188.8.131.52     <payyourbill.com payment processing>
 42 permit tcp any host 184.108.40.206   <payyourbill.com payment processing 2>
 50 permit ipv4 host 172.20.206.46 any   <DHCP Server 1>
 60 permit ipv4 host 172.20.10.12 any    <DHCP Server 1>
 100 deny ipv4 any any