This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- Using Facebook for NAC Login
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Using Facebook for NAC Login
Using Facebook for NAC Login
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-14-2018 09:04 PM
Hi Guys,
Resuming this conversation, I'm still in trouble..
I have a customer willing to enable social media authentication with NAC (ExtremeWireless 10.41.02.0014 and NAC 8.1.1.4). His TOP priority is to enable Facebook login.
I've already configured Google and Microsoft logins and both work like a charm (using L7 rules B@AP topology), but Facebook still a mess.
The L7 rules allowing Facebook (default and the custom I've created) seems not to work.
Already tried using the HTTP NAC Portal, but when it jumps to Facebook I got the HSTS problem (when enabling HTTPS redirection) or no access (if I deny HTTPS after allow L7 rules).
The only way I found is to allow all HTTPS, but this is unacceptable for the customer.
Already tried to mess with "Allowed Sites" on NAC, but I had no luck.
I'm running out of ideas (and time)... Anyone have any idea?
Thanks!
-Leo Note: This conversation was created from a reply on: Facebook login on NAC.
Resuming this conversation, I'm still in trouble..
I have a customer willing to enable social media authentication with NAC (ExtremeWireless 10.41.02.0014 and NAC 8.1.1.4). His TOP priority is to enable Facebook login.
I've already configured Google and Microsoft logins and both work like a charm (using L7 rules B@AP topology), but Facebook still a mess.
The L7 rules allowing Facebook (default and the custom I've created) seems not to work.
Already tried using the HTTP NAC Portal, but when it jumps to Facebook I got the HSTS problem (when enabling HTTPS redirection) or no access (if I deny HTTPS after allow L7 rules).
The only way I found is to allow all HTTPS, but this is unacceptable for the customer.
Already tried to mess with "Allowed Sites" on NAC, but I had no luck.
I'm running out of ideas (and time)... Anyone have any idea?
Thanks!
-Leo Note: This conversation was created from a reply on: Facebook login on NAC.
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
Friday
The issue with enabling Facebook login on ExtremeWireless NAC is primarily related to HTTPS and HSTS enforcement, which makes it different from Google or Microsoft logins. Facebook enforces strict HTTPS with HSTS, so any attempt to intercept or redirect traffic at Layer 7 (L7 rules) without proper certificate handling will fail. When you enable HTTPS redirection on the NAC portal, the HSTS policy prevents the browser from accepting the NAC’s certificate, causing login failures, and if you disable HTTPS enforcement, the portal cannot communicate securely with Facebook, resulting in no access.
Unlike Google or Microsoft, Facebook does not allow man-in-the-middle inspection without proper SSL termination, so L7 rules alone aren’t sufficient. The recommended approach is to either use NAC’s built-in social media authentication module specifically designed for Facebook (which handles OAuth and HTTPS properly) or configure SSL bridging with trusted certificates to allow secure Facebook login without opening full HTTPS access to all sites. Without one of these approaches, restricting access while supporting Facebook login is extremely difficult due to HSTS and HTTPS enforcement.
Additionally, when considering social media logins like Facebook, it’s useful to keep in mind how other apps handle connections, such as Snapchat with its Snapchat Planet feature. Just like Facebook, Snapchat relies on secure connections and multiple backend services to provide real-time features and location-based interactions. Any NAC configuration that attempts to restrict HTTPS or filter traffic too aggressively can interfere with these kinds of features, so planning social media authentication requires understanding that apps like Snapchat Planet or any feature that relies on multiple endpoints and secure connections—may behave similarly under strict network policies. This highlights the importance of using proper authentication modules or SSL handling rather than broad allow-all rules.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
08-23-2025 09:39 PM - edited 08-25-2025 03:20 AM
Hi Leo,
I get where you’re stuck. Facebook login is always a bit trickier with NAC compared to Google or Microsoft because of the strict HSTS enforcement. The redirect loop usually happens because the NAC portal can’t properly handle the HTTPS handshake before Facebook forces secure connections. That’s why you’re only seeing success when you allow all HTTPS traffic.
A cleaner way is to explicitly whitelist the domains that Facebook needs for authentication. Instead of just facebook.com, you’ll need to add a handful of supporting domains like fbcdn.net, akamaihd.net, facebook.net, and sometimes messenger.com into the NAC “Allowed Sites” list. This ensures the login page and supporting scripts can load without you having to open HTTPS globally. Also, double-check that your L7 rule isn’t getting bypassed by DNS resolution quirks—sometimes pushing a manual DNS override for Facebook helps stabilize access.
Another option is to switch your NAC portal to use full HTTPS instead of HTTP+redirect. You’ll need a proper SSL cert trusted by browsers to avoid HSTS blocks. That way the initial handshake is already secure, and Facebook won’t complain when the login page tries to load.
Think of it like Snapchat filters on https://snapplanetshub.com/ you don’t just unlock one effect, you have to load all the hidden assets in the background to make it work. Facebook login is similar: unless NAC knows all the “extra filters” (domains and scripts) that Facebook depends on, the experience breaks halfway. Unlock all those, and the customer’s login flow should snap right into place.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-16-2018 07:30 PM
Hi Ronald,
I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.
I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.
Best regards,
-Leo
I completely agree with you... It's an IdentiFi issue and not EMC/NAC problem.
I'm testing with a B@AP tagged topology (upgraded to the latest version today just to make sure) and 3805i and 3825i APs.
Best regards,
-Leo
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-16-2018 07:30 PM
Hi Leonardo
I think it would be best if you open a case with GTAC, could you please take a packet capture on the client so we can take a look at the HTTP traffic?
-Gareth
I think it would be best if you open a case with GTAC, could you please take a packet capture on the client so we can take a look at the HTTP traffic?
-Gareth
