
L7 ROLE version 10.21.01


Userlevel 2
I am using L7 roles to authenticate. I created a portal (external portal) to authenticate using GMAIL, WINDOWS (OUTLOOK), OR FACEBOOK login.

I created L7 rules with these networks and only Facebook does not work. The customer authenticates with the other networks.

I need to create L7 rules that permit FACEBOOK and GMAIL, but only Gmail works. Any ideas? I use an AP 3705 and version 10.21.01.

14 replies

You are trying to create a rule that only allows Gmail, Facebook?
Userlevel 2
Yes, Gmail, Microsoft... work fine, but Facebook does not. I will test with custom too... and it does not work.
Can you send a screenshot of the rule you are trying to create?
Userlevel 7
AFAIK ... Layer 7 Application policy enforcement requires AP38xx+.
Userlevel 7
https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-AP-Feature-Compatibility-Matrix-in-V1...
Userlevel 2
But if the policy is applied on the controller (b@ewc), why does the AP have an influence? And why do the other apps like Gmail and Hotmail work fine?
I was under the impression that the 38xx and 39xx series were required because of the flow based architecture of the AP, allowing it to do the AVC portion. But I'm not 100% sure about that.
I was going to say that, but I couldn't find the material.
Userlevel 7
As Jeremy mentioned could you please post a screenshot of the role configuration and the policy rules.
Userlevel 2
Ron wrote:

As Jeremy mentioned could you please post a screenshot of the role configuration and the policy rules.



The customer has an external portal that authenticates with Gmail, Microsoft and Facebook. The Facebook page is not working... Gmail and Microsoft work fine; the customer reviews the script of the page... The controller version has been upgraded to 10.21.02.0017.
Userlevel 7
Works for me - bridge@EWC, V10.21.02, AP3705i, in my case I've blocked traffic as that was easier to test.

Note: it took some minutes before the traffic was blocked so I'm not sure whether I've done something wrong or whether there is some sync happening until it's active.



Have you enabled application visibility on the WLAN service?

Back to the overall goal... I'm not sure whether I understand the setup.
The WLAN service is set to authentication for external captive portal and the screenshot shows the unauthenticated traffic role?
And then in case someone uses Facebook or mail, it should redirect to the portal and the user needs to authenticate on the portal?
Userlevel 2
Ron wrote:

Works for me - bridge@EWC, V10.21.02, AP3705i, in my case I've blocked traffic as that was easier to test.

Note: it took some minutes before the traffic was blocked so I'm not sure whether I've done something wrong or whether there is some sync happening until it's active.



Have you enabled application visibility on the WLAN service?

Back to the overall goal... I'm not sure whether I understand the setup.
The WLAN service is set to authentication for external captive portal and the screenshot shows the unauthenticated traffic role?
And then in case someone uses Facebook or mail, it should redirect to the portal and the user needs to authenticate on the portal?

Yes, application visibility is enabled.
The screenshot shows unauthenticated traffic.
Yes, mail or Google redirects because this traffic passes...
On Facebook, the customer will review the config of the Facebook portal and I will update you...
Userlevel 6
Hello, Luis!

What solution do you use for the external portal to authenticate using GMAIL, WINDOWS (OUTLOOK), OR FACEBOOK login?

Can you share your solution?
I'm just interested in your experience.

Thank you!
Userlevel 7
I've done ECP only with NAC but I think it's the same principle for internal/external, which is that you only get redirected to the portal if a deny rule is hit in the unauthenticated role.

As an example take a look right here...
https://community.extremenetworks.com/extreme/topics/how-to-identifi-wireless-appliances-guest-porta...

If I understand that correctly that would mean that you'd need to deny mail, Facebook so that clients get redirected to the portal if they use mail, Facebook - right?! *confused*
