Using Facebook for NAC Login

LeoP1
Contributor
Hi Guys,

Resuming this conversation, I'm still in trouble..

I have a customer willing to enable social media authentication with NAC (ExtremeWireless 10.41.02.0014 and NAC 8.1.1.4). His TOP priority is to enable Facebook login.

I've already configured Google and Microsoft logins and both work like a charm (using L7 rules B@AP topology), but Facebook is still a mess.

The L7 rules allowing Facebook (default and the custom I've created) seem not to work.

Already tried using the HTTP NAC Portal, but when it jumps to Facebook I got the HSTS problem (when enabling HTTPS redirection) or no access (if I deny HTTPS after allow L7 rules).

The only way I found is to allow all HTTPS, but this is unacceptable for the customer.

Already tried to mess with "Allowed Sites" on NAC, but I had no luck.

I'm running out of ideas (and time)... Anyone have any idea?

Thanks!

-Leo

Note: This conversation was created from a reply on: Facebook login on NAC.

jerrygen
New Contributor III

Hi Leo,

I get where you’re stuck. Facebook login is always a bit trickier with NAC compared to Google or Microsoft because of the strict HSTS enforcement. The redirect loop usually happens because the NAC portal can’t properly handle the HTTPS handshake before Facebook forces secure connections. That’s why you’re only seeing success when you allow all HTTPS traffic.

A cleaner way is to explicitly whitelist the domains that Facebook needs for authentication. Instead of just facebook.com, you’ll need to add a handful of supporting domains like fbcdn.net, akamaihd.net, facebook.net, and sometimes messenger.com into the NAC “Allowed Sites” list. This ensures the login page and supporting scripts can load without you having to open HTTPS globally. Also, double-check that your L7 rule isn’t getting bypassed by DNS resolution quirks—sometimes pushing a manual DNS override for Facebook helps stabilize access.

Another option is to switch your NAC portal to use full HTTPS instead of HTTP+redirect. You’ll need a proper SSL cert trusted by browsers to avoid HSTS blocks. That way the initial handshake is already secure, and Facebook won’t complain when the login page tries to load.

Think of it like Snapchat filters on https://snapplanetshub.com/: you don’t just unlock one effect, you have to load all the hidden assets in the background to make it work. Facebook login is similar: unless NAC knows all the “extra filters” (domains and scripts) that Facebook depends on, the experience breaks halfway. Unlock all those, and the customer’s login flow should snap right into place.

Regards
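
The allow-list check described in the reply above, as an added example that is not part of the original thread and not Extreme's code: it compares hostnames seen during a login attempt against the listed domains and reports the ones the list does not cover. The observed hostnames are constructed samples, and matching on whole DNS labels is an assumption about how an "Allowed Sites" entry should behave, not documented NAC behaviour.

```python
# Added example (not from the thread): find hostnames a walled-garden
# allow-list does not cover. Domain list is taken from the reply above.
ALLOWED_SUFFIXES = [
    "facebook.com",
    "fbcdn.net",
    "akamaihd.net",   # shared CDN domain: this entry admits more than Facebook
    "facebook.net",
    "messenger.com",
]

# Constructed sample input, e.g. names pulled from DNS queries or TLS SNI
# in a client-side packet capture taken while the login fails.
OBSERVED = [
    "www.facebook.com",
    "static.xx.fbcdn.net",
    "connect.facebook.net",
    "M.Facebook.com.",           # mixed case and trailing dot, as seen in DNS
    "notfacebook.com",           # lookalike: must NOT match "facebook.com"
    "facebook.com.example.net",  # allowed name used as a prefix: must NOT match
    "cdn.example.org",
]


def normalize(host):
    """Lower-case the name and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()


def is_allowed(host, suffixes=ALLOWED_SUFFIXES):
    """True if host equals an allowed domain or is a subdomain of one.

    The comparison is anchored on a label boundary ("." + suffix), so a
    plain substring or endswith match on the bare suffix cannot let a
    lookalike domain through.
    """
    host = normalize(host)
    return any(host == s or host.endswith("." + s)
               for s in map(normalize, suffixes))


def uncovered(observed, suffixes=ALLOWED_SUFFIXES):
    """Sorted, de-duplicated hostnames that the allow-list would block."""
    return sorted({normalize(h) for h in observed if not is_allowed(h, suffixes)})


if __name__ == "__main__":
    for name in uncovered(OBSERVED):
        print("not covered:", name)
```
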

LeoP1
Contributor
Hi Ronald,

I completely agree with you... It's an IdentiFi issue and not an EMC/NAC problem.

I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.

Best regards,

-Leo

Hi Leonardo

I think it would be best if you open a case with GTAC, could you please take a packet capture on the client so we can take a look at the HTTP traffic?

-Gareth

Sure!

Some screenshots follow. The Auth role works fine.

Please, forgive some additional L7 hostname rules I added just to try to make it work (after some sniffing), but without success.

Best regards,
-Leo

[Screenshots: UnAuth-1, UnAuth-2, UnAuth-3, Auth-1, Auth-2]