yeah you can either accept the session and apply an http redirect on it instructing the user to pay their bill or whatever is required :) the other option is if you dont want to commit to the session but you want to "penalize" constant connection attempts is to use either mac/rid+cid throttling. this is done at the control plane (pppoe process) but it will allow you to rate limit the session from becoming embryonic (eg entering/completing the discovery phase for pppoe and calling the control policy and its associated actions).

Another option is to use the elephant flow trap, this will rate limit in hardware obscure mac's from those subscribers that you dont want to see punted traffic for for a period of time.

From a user's perspective, I think the "nicest" is to accept the session but with limited service such as a restrictive ACL and using the redirect as you propose as that allows you to give the user some instructions as to why they have the reduced connectivity and likely reducing the calls to your helpdesk.

The "drawback" is here that the redirect only works for non https. For an https-redirect a-like, you'd need to redirect the user offbox to say a raspberry pi running apache SSL server for the page to be displayed. This will still generate a "security" violation when they want to go to https://whateveritis.com and get redirected to your portal, but it allows for the instruction as we are discussing here.

The config you have is effectively the same as an ACL that does a deny any, it wouldn't redirect the user.

If you like to set up "true" http redirect by intercepting the user and move him over to another page, check out this reference that may help.

cheers!

xander

Hi Xander,

Thanks for the response. I've successfully implemented the HTTP redirect feature to inactive users but as you stated the only and major constraint I am facing is to redirect the non HTTP traffic and more specifically HTTPS traffic, as most of the famous websites have been moved to HTTPS like google, facebook and many other so it's merely of no use if doesn't work for HTTPS.

From your previous response I have few queries to get this implemented for HTTPS:

"The "drawback" is here that the redirect only works for non https. For an https-redirect a-like, you'd need to redirect the user offbox to say a raspberry pi running apache SSL server for the page to be displayed. This will still generate a "security" violation when they want to go to https://whateveritis.com and get redirected to your portal, but it allows for the instruction as we are discussing here."

1. Is there config change required over BNG for HTTPS to work?

2. Can you explain above highlighted part in more detail, as I understand a HTTPS server with running apache SSL is required to in order to redirect the HTTPS traffic towards that server. Please comment.

3. How the BNG will intercept the HTTPS traffic because so far what I've tested only port 80 is being matched and rest other traffic was not match though I have mentioned port 443 in the same ACL in order to redirect HTTP traffic. I can share the config if required.

Once again thanks alot for you assistance.

Regards,

Erik