L7 ROLE version 10.21.01

  • Problem
  • Updated 1 year ago
  • Solved

I am using L7 roles to authenticate. I created a portal (external portal) to authenticate using GMAIL, WINDOWS (OUTLOOK), or FACEBOOK login.

I created L7 rules with these networks and only Facebook does not work. The customer authenticates with the other networks.

I need to create L7 rules that permit FACEBOOK and GMAIL, but only Gmail works. Any idea? I use an AP 3705 and version 10.21.01.




Luis Mendes


Posted 1 year ago


Jeremy, Embassador

You are trying to create a rule that only allows Gmail, Facebook?

Luis Mendes

Yes, Gmail and Microsoft work fine, but Facebook does not. I will test with custom too... and it does not work.

Jeremy, Embassador

Can you send a screenshot of the rule you are trying to create? 

Ronald Dvorak, Embassador

AFAIK ... Layer 7 Application policy enforcement requires AP38xx+. 

Luis Mendes

But if the POLICY is applied on the controller (b@ewc), why does the AP have an influence? And why do the other apps like Gmail and Hotmail work fine?

Jeremy, Embassador

I was under the impression that the 38xx and 39xx series were required because of the flow-based architecture of the AP, allowing it to do the AVC portion. But I'm not 100% sure about that.

Jeremy, Embassador

I was going to say that, but I couldn't find the material. 

Ronald Dvorak, Embassador

As Jeremy mentioned, could you please post a screenshot of the role configuration and the policy rules?

Luis Mendes


The customer has an external portal that authenticates with Gmail, Microsoft and Facebook. The Facebook page is not working... Gmail and Microsoft work fine; the customer is reviewing the script of the page... The controller version has been upgraded to 10.21.02.0017.


Ronald Dvorak, Embassador

Works for me - bridge@EWC, V10.21.02, AP3705i, in my case I've blocked traffic as that was easier to test.

Note: it took some minutes before the traffic was blocked so I'm not sure whether I've done something wrong or whether there is some sync happening until it's active.



Have you enabled application visibility on the WLAN service?

Back to the overall goal... I'm not sure whether I understand the setup.
The WLAN service is set to authentication for external captive portal and the screenshot shows the unauthenticated traffic role?
And then in case someone uses Facebook or mail, it should redirect to the portal and the user needs to authenticate on the portal?

Luis Mendes

Yes, application visibility is enabled.
The screenshot shows unauthenticated traffic.
Yes, mail or Google redirect because this traffic passes...
On Facebook, the customer will review the config of the Facebook portal and I will update you...

Alexandr P, Embassador

Hello, Luis!

What solution do you use for the external portal to authenticate using GMAIL, WINDOWS (OUTLOOK), or FACEBOOK login?

Can you share your solution?
I'm just interested in your experience.

Thank you!

Ronald Dvorak, Embassador

I've done ECP only with NAC but I think it's the same principle for internal/external, which is you only get redirected to the portal if a deny rule is hit in the unauthenticated role.

As an example take a look right here...
https://community.extremenetworks.com/extreme/topics/how-to-identifi-wireless-appliances-guest-porta...

If I understand that correctly, that would mean that you'd need to deny mail, facebook so that clients get redirected to the portal if they use mail, facebook - right?! *confused*