ESR Series Routers Operation Manual
Before authentication, all traffic from the trusted zone is blocked, including DHCP and DNS requests. Configure permit rules so that DHCP and DNS requests can pass. Note that rule 11 below permits UDP/53 to any destination, so an unauthenticated client can reach any resolver; if you want to limit that, narrow match destination-address to the DNS server the ESR hands out:
esr(config)# ip access-list extended DHCP
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port 68
esr(config-acl-rule)# match destination-port 67
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# rule 11
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol udp
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# match source-port any
esr(config-acl-rule)# match destination-port 53
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
Then create the rules used for redirecting to the portal and for passing traffic to the Internet:
esr(config)# ip access-list extended WELCOME
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
esr(config)# ip access-list extended INTERNET
esr(config-acl)# rule 10
esr(config-acl-rule)# action permit
esr(config-acl-rule)# match protocol any
esr(config-acl-rule)# match source-address any
esr(config-acl-rule)# match destination-address any
esr(config-acl-rule)# enable
esr(config-acl-rule)# exit
esr(config-acl)# exit
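The DHCP list above is the only traffic an unauthenticated client should be able to send, while WELCOME and INTERNET are deliberately permit-any. A quick way to check that a pre-authentication list has not grown wider than DHCP client-to-server plus DNS is to lint it from the running configuration. The following script is an added example for this page, not Eltex code and not part of the ESR manual; it parses the ACL syntax shown on the page (prompts or running-config indentation), and the SAMPLE_CONFIG text it runs on is constructed, with a GUEST list invented to show a failing rule.

```python
"""Lint the pre-authentication ACL of an ESR BRAS (captive portal) setup.

Added example; not Eltex code and not from the ESR manual. Parses the
'ip access-list extended' syntax shown on the page and reports enabled
permit rules wider than an unauthenticated client needs (DHCP client to
server, DNS). SAMPLE_CONFIG is constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str = "deny"
    protocol: str = "any"
    src: str = "any"
    dst: str = "any"
    sport: str = "any"
    dport: str = "any"
    enabled: bool = False


# 'match <keyword> <value>' keywords from the page, mapped to Rule fields
MATCH_FIELDS = {"protocol": "protocol", "source-address": "src",
                "destination-address": "dst", "source-port": "sport",
                "destination-port": "dport"}

PROMPT = re.compile(r"^\S*\s?\(config[^)]*\)#\s*")   # e.g. 'esr(config-acl)# '


def parse_acls(config: str) -> dict[str, list[Rule]]:
    """Return {acl_name: [Rule, ...]}.

    Prompts and indentation are ignored and 'exit' closes the innermost
    block, so both the interactive transcript and running-config text parse.
    """
    acls: dict[str, list[Rule]] = {}
    acl = rule = None
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            acl, rule = acls.setdefault(m.group(1), []), None
        elif acl is None:
            continue                              # outside any ACL block
        elif line == "exit":
            if rule is None:                      # leaving the ACL itself
                acl = None
            rule = None
        elif m := re.match(r"rule (\d+)$", line):
            rule = Rule(int(m.group(1)))
            acl.append(rule)
        elif rule is None:
            continue                              # ACL-level line not modelled
        elif m := re.match(r"action (permit|deny)$", line):
            rule.action = m.group(1)
        elif (m := re.match(r"match (\S+) (\S+)$", line)) and m.group(1) in MATCH_FIELDS:
            setattr(rule, MATCH_FIELDS[m.group(1)], m.group(2))
        elif line == "enable":
            rule.enabled = True
    return acls


def lint_pre_auth(rules: list[Rule]) -> list[tuple[int, str, str]]:
    """Return (rule number, severity, message) per questionable rule.

    'fail': unauthenticated clients get past the portal for some traffic.
    'warn': the rule is expected but wider than it needs to be.
    """
    findings = []
    for r in rules:
        if not r.enabled or r.action != "permit":
            continue                              # disabled or deny: harmless
        if (r.protocol, r.sport, r.dport) == ("udp", "68", "67"):
            continue                              # DHCP client -> server
        if r.protocol == "udp" and r.dport == "53":
            if r.dst == "any":
                findings.append((r.number, "warn", "DNS permitted to any "
                                 "destination; restrict destination-address "
                                 "to your resolver"))
            continue
        findings.append((r.number, "fail", f"permits {r.protocol} "
                         f"{r.src}:{r.sport} -> {r.dst}:{r.dport} "
                         "before authentication"))
    return findings


# Constructed sample: the DHCP list from the page plus a too-wide GUEST list.
SAMPLE_CONFIG = """
ip access-list extended DHCP
  rule 10
    action permit
    match protocol udp
    match source-port 68
    match destination-port 67
    enable
  exit
  rule 11
    action permit
    match protocol udp
    match destination-port 53
    enable
  exit
exit
ip access-list extended GUEST
  rule 10
    action permit
    match protocol tcp
    match destination-port 443
    enable
  exit
exit
"""

if __name__ == "__main__":
    for name, rules in parse_acls(SAMPLE_CONFIG).items():
        for number, severity, message in lint_pre_auth(rules):
            print(f"{name} rule {number}: {severity}: {message}")
```

Run it against the output of show running-config (or a pasted session) and review every fail before binding the list as the pre-authentication filter; the warn on rule 11 disappears once destination-address is narrowed to the resolver.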
Specify the web resources that are available without authorization:
esr(config)# object-group url defaultservice
esr(config-object-group-url)# url http://eltex.nsk.ru
esr(config-object-group-url)# exit
The URL filtering lists are kept on the SoftWLC server. If your addressing differs from the example, change only the IP address of the SoftWLC server and leave the rest of the URL unchanged:
esr(config)# subscriber-control filters-server-url http://192.0.2.20:7070/Filters/file/
Configure and enable BRAS, and set the NAS IP address to the address of the interface that communicates with SoftWLC (gigabitethernet 1/0/24 in the example):
esr(config)# subscriber-control
esr(config-subscriber-control)# aaa das-profile CoA
esr(config-subscriber-control)# aaa sessions-radius-profile RADIUS
esr(config-subscriber-control)# nas-ip-address 192.0.2.1
esr(config-subscriber-control)# session mac-authentication