US 11,658,976 B2
Captive portal redirection and network access restriction of device using a single access control list
Manish Singhvi, Rajasthan (IN); Ganesan Rajagopal, Bangalore (IN); Ziqian Xu, Milpitas, CA (US); and Leandro Penz, Dublin (IE)
Assigned to ARISTA NETWORKS, INC., Santa Clara, CA (US)
Filed by Arista Networks, Inc., Santa Clara, CA (US)
Filed on Mar. 12, 2021, as Appl. No. 17/199,513.
Claims priority of application No. 202141003603 (IN), filed on Jan. 27, 2021.
Prior Publication US 2022/0239654 A1, Jul. 28, 2022
Int. Cl. G06F 21/62 (2013.01); H04L 9/40 (2022.01); H04L 12/903 (2013.01); H04L 12/859 (2013.01)
CPC H04L 63/101 (2013.01) [H04L 63/0245 (2013.01); H04L 63/0876 (2013.01); H04L 63/20 (2013.01)]
16 Claims
1. A method for redirecting, by a network device, a host to a captive portal, the method comprising:
prior to receiving an incoming frame, obtaining, by an access control list (ACL) manager, a unified ACL from an authentication server;
programming, using the unified ACL, a custom redirect rule on an ACL enforcer in network device hardware;
receiving, by network device hardware of the network device, the incoming frame originating from the host, wherein the incoming frame comprises a payload specifying information associated with an external server, wherein a user of the host has not been authenticated by the captive portal at a time when the incoming frame is received by the network device hardware;
matching, by the network device hardware, at least a portion of the incoming frame to a custom redirect rule of the unified ACL implemented in the network device hardware;
in response to the matching, forwarding, by the network device hardware, the incoming frame towards an internal redirection server executing on the network device, wherein the custom redirect rule prevents the incoming frame from being forwarded towards the external server and simultaneously redirects the incoming frame to the internal redirection server;
receiving, by the network device hardware, a redirection frame, wherein a payload of the redirection frame is generated by the internal redirection server using at least a portion of the incoming frame; and
transmitting the redirection frame towards the host.
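The flow recited in claim 1, modelled in software as an added example; this is not code from the patent or from Arista. It assumes first-match rule evaluation, an HTTP 302 as the redirection payload, and constructed rule fields, addresses and portal URL, none of which the claim specifies.

```python
from dataclasses import dataclass
from urllib.parse import quote

PORTAL_URL = "https://portal.example/login"  # constructed placeholder
@dataclass(frozen=True)
class Frame:
    dst_ip: str
    proto: str
    dst_port: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str          # "permit", "deny" or "redirect"
    proto: str = "any"
    dst_port: int = 0    # 0 matches any port
    dst_ip: str = "any"
    def matches(self, f):
        return (self.proto in ("any", f.proto) and self.dst_port in (0, f.dst_port)
                and self.dst_ip in ("any", f.dst_ip))

# Constructed unified ACL: one ordered list holds the restrictions and the redirect.
UNIFIED_ACL = [
    Rule("permit", "udp", 53),                    # DNS so the host can resolve names
    Rule("permit", "tcp", 443, "198.51.100.10"),  # the captive portal itself
    Rule("redirect", "tcp", 80),                  # custom redirect rule
    Rule("deny"),                                 # everything else stays restricted
]

def redirection_payload(frame):
    """Internal redirection server: build a 302 from the host's own request."""
    lines = frame.payload.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) >= 2 else "/"
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), frame.dst_ip)
    # Percent-encode host-controlled text so it cannot inject response headers.
    orig = quote(f"http://{host}{path}", safe="")
    return (f"HTTP/1.1 302 Found\r\nLocation: {PORTAL_URL}?orig={orig}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode()

def enforce(frame, acl=UNIFIED_ACL):
    """Return (action, reply_payload); only 'permit' reaches the external server."""
    for rule in acl:
        if rule.matches(frame):
            if rule.action == "redirect":
                return "redirect", redirection_payload(frame)
            return rule.action, None
    return "deny", None
```

The redirect action never forwards the frame onward, so the single matching rule both restricts access and produces the reply sent back to the host.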