topic RE: Using Facebook for NAC Login in ExtremeCloud IQ- Site Engine Management Center

Using Facebook for NAC Login

LeoP1 — Thu, 15 Feb 2018 05:04:00 GMT

Hi Guys,

Resuming this conversation, I'm still in trouble..

I have a customer willing to enable social media authentication with NAC (ExtremeWireless 10.41.02.0014 and NAC 8.1.1.4). His TOP priority is to enable Facebook login.

I've already configured Google and Microsoft logins and both work like a charm (using L7 rules B@AP topology), but Facebook still a mess.

The L7 rules allowing Facebook (default and the custom I've created) seems not to work.

Already tried using the HTTP NAC Portal, but when it jumps to Facebook I got the HSTS problem (when enabling HTTPS redirection) or no access (if I deny HTTPS after allow L7 rules).

The only way I found is to allow all HTTPS, but this is unacceptable for the customer.

Already tried to mess with "Allowed Sites" on NAC, but I had no luck.

I'm running out of ideas (and time)... Anyone have any idea?

Thanks!

-Leo Note: This conversation was created from a reply on: Facebook login on NAC.

RE: Using Facebook for NAC Login

John_Moore — Thu, 15 Feb 2018 22:21:00 GMT

Hi Leonardo,

I believe the "Special Deployment Considerations" section in the link below has the information you're looking for in terms of which domains you must allow for Facebook Registration to function properly.

http://emc.extremenetworks.com/content/oneview/docs/control/access_control/docs/portal_config/l_ov_i...

Please let us know if that doesn't work.

Thank you,

John

RE: Using Facebook for NAC Login

LeoP1 — Thu, 15 Feb 2018 22:56:00 GMT

Hi John,

I've already tried this config... Both L7 hostname rule on wireless controller (and creating the DNS proxy domains as L7 rules) or Allowed Domains at NAC and I got the same results.

As I said, Google and MS works perfectly, but it seems that the Controller L7 rules for Facebook (hostname facebook.com) aren't working, and it still trying to redirect (it doesn't happen with the google or MS rules).

Maybe a Controller issue? There's any way to debug it (seeing what got "allowed" and what hits the botton Redirect rule)?

Thanks!

-Leo

RE: Using Facebook for NAC Login

LeoP1 — Fri, 16 Feb 2018 02:51:00 GMT

Hi guys,

I was working on some tests, and I found that, by some odd reason, the L7 hostname rule for facebook.com seems to be really ignored by AP (creating other similar rules works fine).

It looks like the facebook.com is getting redirected instead of allowed...

Any ideas?

RE: Using Facebook for NAC Login

John_Moore — Sat, 17 Feb 2018 02:50:00 GMT

Hi Leo,

I spoke with the developer who is in charge of the guest registration functionality and he is now looking into it. Let me know if you have any other questions or if you uncover any additional clues.

Thanks again!

John

RE: Using Facebook for NAC Login

Ronald_Dvorak — Sat, 17 Feb 2018 02:50:00 GMT

As far as I unterstand that is a issue with the AP L7 rule and has nothing to do with EMC/Control so someone from the IdentiFi team need to look into it.

Here another post that looks like the same issue....
https://community.extremenetworks.com/extreme/topics/l7-role-versio-10-21-01

RE: Using Facebook for NAC Login

Ronald_Dvorak — Sat, 17 Feb 2018 03:10:00 GMT

Leo, what AP model is used in the deployment ?

RE: Using Facebook for NAC Login

LeoP1 — Sat, 17 Feb 2018 03:30:00 GMT

Hi Ronald,

I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.

I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.

Best regards,

-Leo

RE: Using Facebook for NAC Login

Ronald_Dvorak — Sat, 17 Feb 2018 03:30:00 GMT

Could you post a screenshot of the unauth and auth role rules.

RE: Using Facebook for NAC Login

LeoP1 — Sat, 17 Feb 2018 03:30:00 GMT

Sure!

Follows some screenshots. The Auth role works fine.

Please, forgive some additional L7 hostname rules I added just to try to make it work (after some sniffing), but without success.

Best regards,
-Leo

RE: Using Facebook for NAC Login

Gareth_Mitchell — Sat, 17 Feb 2018 03:30:00 GMT

Hi Leonardo

I think it would be best if you open a case with GTAC, could you please take a packet capture on the client so we can take a look at the HTTP traffic?

-Gareth

Re: Using Facebook for NAC Login

jerrygen — Mon, 25 Aug 2025 10:20:33 GMT

Hi Leo,

I get where you’re stuck. Facebook login is always a bit trickier with NAC compared to Google or Microsoft because of the strict HSTS enforcement. The redirect loop usually happens because the NAC portal can’t properly handle the HTTPS handshake before Facebook forces secure connections. That’s why you’re only seeing success when you allow all HTTPS traffic.

A cleaner way is to explicitly whitelist the domains that Facebook needs for authentication. Instead of just facebook.com, you’ll need to add a handful of supporting domains like fbcdn.net, akamaihd.net, facebook.net, and sometimes messenger.com into the NAC “Allowed Sites” list. This ensures the login page and supporting scripts can load without you having to open HTTPS globally. Also, double-check that your L7 rule isn’t getting bypassed by DNS resolution quirks—sometimes pushing a manual DNS override for Facebook helps stabilize access.

Another option is to switch your NAC portal to use full HTTPS instead of HTTP+redirect. You’ll need a proper SSL cert trusted by browsers to avoid HSTS blocks. That way the initial handshake is already secure, and Facebook won’t complain when the login page tries to load.

Think of it like Snapchat filters on https://snapplanetshub.com/ you don’t just unlock one effect, you have to load all the hidden assets in the background to make it work. Facebook login is similar: unless NAC knows all the “extra filters” (domains and scripts) that Facebook depends on, the experience breaks halfway. Unlock all those, and the customer’s login flow should snap right into place.

Regards

Re: Using Facebook for NAC Login

alijaan897 — Fri, 14 Nov 2025 15:49:18 GMT

The issue with enabling Facebook login on ExtremeWireless NAC is primarily related to HTTPS and HSTS enforcement, which makes it different from Google or Microsoft logins. Facebook enforces strict HTTPS with HSTS, so any attempt to intercept or redirect traffic at Layer 7 (L7 rules) without proper certificate handling will fail. When you enable HTTPS redirection on the NAC portal, the HSTS policy prevents the browser from accepting the NAC’s certificate, causing login failures, and if you disable HTTPS enforcement, the portal cannot communicate securely with Facebook, resulting in no access.

Unlike Google or Microsoft, Facebook does not allow man-in-the-middle inspection without proper SSL termination, so L7 rules alone aren’t sufficient. The recommended approach is to either use NAC’s built-in social media authentication module specifically designed for Facebook (which handles OAuth and HTTPS properly) or configure SSL bridging with trusted certificates to allow secure Facebook login without opening full HTTPS access to all sites. Without one of these approaches, restricting access while supporting Facebook login is extremely difficult due to HSTS and HTTPS enforcement.

Additionally, when considering social media logins like Facebook, it’s useful to keep in mind how other apps handle connections, such as Snapchat with its Snapchat Planet feature. Just like Facebook, Snapchat relies on secure connections and multiple backend services to provide real-time features and location-based interactions. Any NAC configuration that attempts to restrict HTTPS or filter traffic too aggressively can interfere with these kinds of features, so planning social media authentication requires understanding that apps like Snapchat Planet or any feature that relies on multiple endpoints and secure connections—may behave similarly under strict network policies. This highlights the importance of using proper authentication modules or SSL handling rather than broad allow-all rules.