https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54939#M6369 I've done ECP only with NAC but I think it's the same principle for internal/external which is you get only redirected to the portal if a deny rule is hit in the the unauthenticate role.<BR /> <BR /> As a example take a look right here...<BR /> <A href="https://community.extremenetworks.com/extreme/topics/how-to-identifi-wireless-appliances-guest-portal" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extreme/topics/how-to-identifi-wireless-appliances-guest-porta...</A><BR /> <BR /> If I unterstand that correctly that would mean that you'd need to deny mail, facebook so that clients get redirected to the portal if they use mail, facebook - right ?! *confused* Tue, 28 Feb 2017 21:44:00 GMT Ronald_Dvorak 2017-02-28T21:44:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54925#M6355 I using L7 roles to authenticate. I created a portal (external portal) to authenticate using GMAIL, WINDOWS (OUTLOOK), OR FACEBOOK login to authenticate. <BR /> <BR /> Create rules L7 with these networks and only facebook not work. The customer authenticate with anothers networks. <BR /> <BR /> I need create L7 rules with permit FACEBOOK, GMAIL. But only gmail Works. Any idea, i use ap 3705 and version 10.21.01<BR /> <BR /> Tue, 28 Feb 2017 02:53:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54925#M6355 Luis_Mendes 2017-02-28T02:53:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54926#M6356 You are trying to create a rule that only allows Gmail, Facebook? Tue, 28 Feb 2017 03:35:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54926#M6356 Jeremy_Gibbs 2017-02-28T03:35:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54927#M6357 Can you send a screenshot of the rule you are trying to create? <BR /> <BR /> Tue, 28 Feb 2017 03:39:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54927#M6357 Jeremy_Gibbs 2017-02-28T03:39:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54928#M6358 Yes, gmail, Microsoft.. Works fine.. but facebook not.. I will test with custom to.. and not works Tue, 28 Feb 2017 03:39:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54928#M6358 Luis_Mendes 2017-02-28T03:39:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54929#M6359 AFAIK ... Layer 7 Application policy enforcement requires AP38xx+. <BR /> Tue, 28 Feb 2017 03:43:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54929#M6359 Ronald_Dvorak 2017-02-28T03:43:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54930#M6360 <A href="https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-AP-Feature-Compatibility-Matrix-in-V10-11" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/Q_A/What-is-AP-Feature-Compatibility-Matrix-in-V1...</A><BR /> <BR /> Tue, 28 Feb 2017 03:44:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54930#M6360 Ronald_Dvorak 2017-02-28T03:44:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54931#M6361 But if the POLICE is apply on the controller (b@ewc), why ap influence? And why the others app like gmail, Hotmail Works fine Tue, 28 Feb 2017 03:44:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54931#M6361 Luis_Mendes 2017-02-28T03:44:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54932#M6362 I was under the impression that the 38xx and 39xx series were required because of the flow based architecture of the AP, allowing it to do the AVC portion. But i'm not 100% sure about that. Tue, 28 Feb 2017 03:44:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54932#M6362 Jeremy_Gibbs 2017-02-28T03:44:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54933#M6363 I was going to say that, but I couldn't find the material. Tue, 28 Feb 2017 03:55:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54933#M6363 Jeremy_Gibbs 2017-02-28T03:55:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54934#M6364 As Jeremy mentioned could you please post a screenshot of the role configuration and the policy rules. Tue, 28 Feb 2017 04:46:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54934#M6364 Ronald_Dvorak 2017-02-28T04:46:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54935#M6365 <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="3bf8eb49260a470987bab152cbba1721_RackMultipart20170227-86335-1p3g543-UNISINOS_inline.jpg"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/973iF6A54F686A789A4E/image-size/large?v=v2&amp;px=999" role="button" title="3bf8eb49260a470987bab152cbba1721_RackMultipart20170227-86335-1p3g543-UNISINOS_inline.jpg" alt="3bf8eb49260a470987bab152cbba1721_RackMultipart20170227-86335-1p3g543-UNISINOS_inline.jpg" /></span></P><BR /> <BR /> The customer has a external portal with authenticate on gmail,microsoft and facebook. . The page of facebook not working... gmail and microsoft works fine, the customer review the script of page...The version of controller has upgraded to 10.21.02.0017<BR /> <BR /> Tue, 28 Feb 2017 04:46:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54935#M6365 Luis_Mendes 2017-02-28T04:46:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54936#M6366 Works for me - bridge@EWC, V10.21.02, AP3705i, in my case I've blocked traffic as that was easier to test.<BR /> <BR /> Note: it took some minutes before the traffic was blocked so I'm not sure whether I've done something wrong or whether there is some sync happening until it's active.<BR /> <BR /> <P class="fancybox-image"><span class="lia-inline-image-display-wrapper" image-alt="59274111038a4d738c97d92a1d5bfb87_RackMultipart20170227-104265-14ajfxa-EWC_L7_inline.png"><img src="https://community.extremenetworks.com/t5/image/serverpage/image-id/4809i5A8F33FB8F19DBF9/image-size/large?v=v2&amp;px=999" role="button" title="59274111038a4d738c97d92a1d5bfb87_RackMultipart20170227-104265-14ajfxa-EWC_L7_inline.png" alt="59274111038a4d738c97d92a1d5bfb87_RackMultipart20170227-104265-14ajfxa-EWC_L7_inline.png" /></span></P><BR /> <BR /> Have you enabled application visibility on the WLAN service ?<BR /> <BR /> Back to the overall goal...I'm not sure whether I unterstand the setup.. <BR /> the WLAN service is set to authentication for external captive portal and the screenshot show the unauthenticated traffic role ?<BR /> And then in case someone uses facebook, mail it should redirect to the portal and the user needs to authenticate on the portal ?<BR /> Tue, 28 Feb 2017 06:19:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54936#M6366 Ronald_Dvorak 2017-02-28T06:19:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54937#M6367 Yes, application visibility is enable. <BR /> The screenshot show unauthenticated traffic. <BR /> Yes, mail, or google redirect because this traffic pass... <BR /> On facebook customer will be review the config of facebook portal and i will update you... Tue, 28 Feb 2017 06:19:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54937#M6367 Luis_Mendes 2017-02-28T06:19:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54938#M6368 Hello, Luis!<BR /> <BR /> What solution you use for external portal to authenticate using GMAIL, WINDOWS (OUTLOOK), OR FACEBOOK login to authenticate?<BR /> <BR /> Can you share your solution?<BR /> It's just interesting you experience.<BR /> <BR /> Thank you! Tue, 28 Feb 2017 13:55:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54938#M6368 Alexandr_P 2017-02-28T13:55:00Z https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54939#M6369 I've done ECP only with NAC but I think it's the same principle for internal/external which is you get only redirected to the portal if a deny rule is hit in the the unauthenticate role.<BR /> <BR /> As a example take a look right here...<BR /> <A href="https://community.extremenetworks.com/extreme/topics/how-to-identifi-wireless-appliances-guest-portal" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extreme/topics/how-to-identifi-wireless-appliances-guest-porta...</A><BR /> <BR /> If I unterstand that correctly that would mean that you'd need to deny mail, facebook so that clients get redirected to the portal if they use mail, facebook - right ?! *confused* Tue, 28 Feb 2017 21:44:00 GMT https://community.extremenetworks.com/t5/extremewireless-identifi/l7-role-versio-10-21-01/m-p/54939#M6369 Ronald_Dvorak 2017-02-28T21:44:00Z