Using Facebook for NAC Login

  • 14 February 2018
  • 10 replies
  • 442 views

Userlevel 4
  • Participator
  • 123 replies
Hi Guys,

Resuming this conversation, I'm still in trouble..

I have a customer willing to enable social media authentication with NAC (ExtremeWireless 10.41.02.0014 and NAC 8.1.1.4). His TOP priority is to enable Facebook login.

I've already configured Google and Microsoft logins and both work like a charm (using L7 rules B@AP topology), but Facebook still a mess.

The L7 rules allowing Facebook (default and the custom I've created) seems not to work.

Already tried using the HTTP NAC Portal, but when it jumps to Facebook I got the HSTS problem (when enabling HTTPS redirection) or no access (if I deny HTTPS after allow L7 rules).

The only way I found is to allow all HTTPS, but this is unacceptable for the customer.

Already tried to mess with "Allowed Sites" on NAC, but I had no luck.

I'm running out of ideas (and time)... Anyone have any idea?

Thanks!

-Leo Note: This conversation was created from a reply on: Facebook login on NAC.

10 replies

Userlevel 3
Hi Leonardo,

I believe the "Special Deployment Considerations" section in the link below has the information you're looking for in terms of which domains you must allow for Facebook Registration to function properly.

http://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/portal_config/l_ov_i...

Please let us know if that doesn't work.

Thank you,

John
Userlevel 4
Hi John,

I've already tried this config... Both L7 hostname rule on wireless controller (and creating the DNS proxy domains as L7 rules) or Allowed Domains at NAC and I got the same results.

As I said, Google and MS works perfectly, but it seems that the Controller L7 rules for Facebook (hostname facebook.com) aren't working, and it still trying to redirect (it doesn't happen with the google or MS rules).

Maybe a Controller issue? There's any way to debug it (seeing what got "allowed" and what hits the botton Redirect rule)?

Thanks!

-Leo
Userlevel 4
Hi guys,

I was working on some tests, and I found that, by some odd reason, the L7 hostname rule for facebook.com seems to be really ignored by AP (creating other similar rules works fine).

It looks like the facebook.com is getting redirected instead of allowed...

Any ideas?
Userlevel 3
Hi Leo,

I spoke with the developer who is in charge of the guest registration functionality and he is now looking into it. Let me know if you have any other questions or if you uncover any additional clues.

Thanks again!

John
Userlevel 7
Hi Leo,

I spoke with the developer who is in charge of the guest registration functionality and he is now looking into it. Let me know if you have any other questions or if you uncover any additional clues.

Thanks again!

John
As far as I unterstand that is a issue with the AP L7 rule and has nothing to do with EMC/Control so someone from the IdentiFi team need to look into it.

Here another post that looks like the same issue....
https://community.extremenetworks.com/extreme/topics/l7-role-versio-10-21-01
Userlevel 7
Leo, what AP model is used in the deployment ?
Userlevel 4
Hi Ronald,

I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.

I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.

Best regards,

-Leo
Userlevel 7
Hi Ronald,

I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.

I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.

Best regards,

-Leo
Could you post a screenshot of the unauth and auth role rules.
Userlevel 4
Hi Ronald,

I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.

I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.

Best regards,

-Leo
Sure!

Follows some screenshots. The Auth role works fine.

Please, forgive some additional L7 hostname rules I added just to try to make it work (after some sniffing), but without success.

Best regards,
-Leo






Userlevel 6
Hi Ronald,

I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.

I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.

Best regards,

-Leo
Hi Leonardo

I think it would be best if you open a case with GTAC, could you please take a packet capture on the client so we can take a look at the HTTP traffic?

-Gareth

Reply