Facebook login on NAC

  • Problem
  • Updated 9 months ago
  • Solved
Hello
I'm trying to implement Facebook login on NAC. The system correctly handles requests until "Register via Facebook", and then, as it starts to redirect me to the FB application (all steps described in the help file are done), the browser(s) say "Your connection is not private".
Does someone have experience with adding this feature?

Vakhtang Mosidze

Posted 3 years ago

Mike Thomas, Employee - GTAC - NMS

Hello, this is a security warning because we are forcing the conversation between FB and NAC to use the captive portal, where you cannot redirect https: traffic, because it is secure, making it difficult to hijack. So http is used, which will pop this warning if an https site is available but not used, for a host of reasons.

From the help guide (which you followed)
How Facebook Registration Works

Once you have configured Facebook registration using the steps above, the registration process will work like this:

  1. The end user attempts to access an external Web site. Their HTTP traffic is redirected to NAC’s captive portal.
  2. In the Guest Registration Portal, the end user selects the option to register using Facebook.
  3. The end user is redirected to the Facebook login. If Acceptable Use Policy option is configured, the captive portal will verify that the AUP has been acknowledged before redirecting the user to Facebook.
  4. Once logged in, the end user is presented with the information that NAC will receive from Facebook.
  5. The end user grants NAC access to the Facebook information and is redirected back to NAC's captive portal where they see a "Registration in Progress" message.
  6. Facebook provides the requested information to NAC, which uses it to populate the user registration fields.
  7. The registration process completes and network access is granted.
  8. The word "Facebook" is added to the user name so that you can easily search for Facebook registration via the Registration Administration web page.

fernando

Where can one find this help guide?

Vakhtang Mosidze

Hello, and thank you for the answer.
But at stage 3 (redirect to FB), I'm getting the URL https://facebook.com/dialog/oauth?response_type=code&client_id=102475110085455&redirect_uri=https://nac.zentyal-domain.lan/fb_oauth.....
and Chrome "says":
"Your connection is not private
Attackers might be trying to steal your information from facebook.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID"

So, no "Continue", no "Accept risks"...
What to do in this case?

Mike Thomas, Employee - GTAC - NMS

Hello Vakhtang,
This is likely a cert error coming from the NAC appliance itself. Since the client has not loaded the NAC's certificate, or you have not loaded the NAC with a trusted certificate, say from an external cert provider such as Verisign for example. See, this happens in one of my lab setups.

My NAC's IP is 10.0.0.98, as seen below.
You can verify what certificates are in play by right-clicking on the NAC IP in NAC Manager, then selecting Webview -> Certificate Diagnostics. See mine below. It's from our company, so Google does not know it's a valid certificate, as we are not also a certificate authority, and your browser has not installed it (this may be impractical for Portal environments).

I would proceed as proof of concept.
If this fails, then I would open up a Ticket with the GTAC so we can pursue offline.

Jarek Sobieszek

Hi Mike, I have the same issue as Vakhtang Mosidze. I can't approve the certificate.

Vakhtang Mosidze

Same as me...

Jarek Sobieszek

I created a case on GTAC. I'll notify you about progress.

Piotr Owczarek

AFAIK that is a problem with Firefox security settings. Did you try i.e. Google Chrome instead of Firefox? Generally there is an issue with redirecting to https sites, and as long as you do not have a trusted public cert in NAC's web server, that will happen.

Vakhtang Mosidze

Same results with all browsers. Yes, you're right, the problem is with the certificate. But I think the certificate can be omitted.

Piotr Owczarek

Do you have a certificate uploaded to the NAC appliance?

Vakhtang Mosidze

Solved!
1) In the external portal configuration on EWC, use the http FQDN of the NAC in the URI.
2) In the NAC portal profile, uncheck "Force captive portal to use HTTPS".
3) Add http://nac_portal/fb_oauth? to the FB application's allowed domains.
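
Added example, not part of the original thread and not vendor code: a Python review of the authorization URL quoted earlier in the thread and of the HTTP callback from the steps above. It reports which host must pass the captive portal untouched before authentication and what each callback choice implies. The function names and the suffix list are assumptions of this example, and both URLs are constructed from values posted in the thread.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Suffixes that are not public TLDs, so no public CA issues certificates for them.
INTERNAL_SUFFIXES = (".lan", ".local", ".internal", ".home", ".corp", ".test")

# Constructed inputs: the thread's URL cut where the post truncates it, and the
# same request with the HTTP callback from the "Solved!" post.
HTTPS_CALLBACK = ("https://facebook.com/dialog/oauth?response_type=code"
                  "&client_id=102475110085455"
                  "&redirect_uri=https://nac.zentyal-domain.lan/fb_oauth")
HTTP_CALLBACK = ("https://facebook.com/dialog/oauth?response_type=code"
                 "&client_id=102475110085455"
                 "&redirect_uri=http://nac_portal/fb_oauth")


def public_cert_possible(host):
    """Can a publicly trusted certificate exist for this host name or IP?"""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        pass  # not an IP literal, treat it as a DNS name
    name = host.lower().rstrip(".")
    return "." in name and not name.endswith(INTERNAL_SUFFIXES)


def review_authorization_url(auth_url):
    """Summarise what the pre-auth network and the callback must satisfy."""
    auth = urlsplit(auth_url)
    callback = urlsplit(parse_qs(auth.query)["redirect_uri"][0])
    return {
        # Must reach the client untouched: the browser expects the identity
        # provider's own certificate, so a portal answering here fails TLS.
        "preauth_passthrough": (auth.hostname, auth.port or 443),
        "callback_host": callback.hostname,
        # True means the authorization code travels back in cleartext.
        "callback_cleartext": callback.scheme != "https",
        # False means guests get a CA warning unless they trust a private CA.
        "callback_public_cert_possible": public_cert_possible(callback.hostname),
    }


if __name__ == "__main__":
    for url in (HTTPS_CALLBACK, HTTP_CALLBACK):
        print(review_authorization_url(url))
```

The HTTP callback removes the certificate prompt on the portal side, but the OAuth authorization code then returns to the NAC unencrypted. A portal name under a public domain with a CA-issued certificate is the configuration where both callback checks pass.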

Leonardo Peixoto

Hi Guys,

Resuming this conversation, I'm still in trouble...

I have a customer willing to enable social media authentication with NAC (ExtremeWireless 10.41.02.0014 and NAC 8.1.1.4). His TOP priority is to enable Facebook login.

I've already configured Google and Microsoft logins and both work like a charm (using L7 rules B@AP topology), but Facebook is still a mess.

The L7 rules allowing Facebook (default and the custom one I've created) seem not to work.

Already tried using the HTTP NAC Portal, but when it jumps to Facebook I got the HSTS problem (when enabling HTTPS redirection) or no access (if I deny HTTPS after allow L7 rules).

The only way I found is to allow all HTTPS, but this is unacceptable for the customer.

Already tried to mess with "Allowed Sites" on NAC, but I had no luck.

I'm running out of ideas (and time)... Anyone have any idea?

Thanks!

-Leo

Drew C., Community Manager

Forking this conversation to its own thread for better visibility.

Please reference the new conversation here: Using Facebook for NAC Login