SuMMARY
ClearPass 6.4 includes GA support for Social Logins, which allows guests to log into the captive portal with their existing 3rd party credentials such as Facebook and Google+ logins. Guests will be presented with a regular login or registration page on ClearPass Guest. The page will include links to the social providers you have enabled in ClearPass Guest (CPG). When the guest clicks on a provider such as Facebook, they will be redirected to that provider and asked for their Facebook credentials. Upon entering their credentials, and, depending on the provider, approved the details we are requesting, they will be redirected back to the CPG page. CPG performs a sanity check and will then log on the guest.
Functionally, when the guest is redirected back and a successful check is made, CPG creates an Endpoint with a number of special attributes. A 'social' service is required within Policy Manager to allow the login to occur, which is what this solution will build.
This solution will create the configuration for a Aruba Mobility Controller and will generate the importable files for ClearPass Policy Manager and ClearPass Guest. The solution currently supports configuring Facebook and Google+ as the social authentication providers. Instructions are provided for the necessary configuration on the provider end. Although only Facebook and Google+ are used in this solution, ClearPass can integrate with many other social providers including Twitter, LinkedIn, and Yahoo. More information about other providers is available at Arubapedia: How-To:Clear Pass Guest Social Logins.
View Solution in ASE: ClearPass Guest Social Logins
Configuration Notes
The AOS controller configuration generated only includes the relevant profiles and Access Control List (ACL) for creating the wireless network and to redirect users to the captive portal. All RF optimizations and best practice options for new SSIDs are not implemented in this solution. You are welcome to modify the solution and add these options into the configuration.
This solution will configure the following components on ClearPass Policy Manager after importing the generated file:
On ClearPass Guest, the Web Login with the selected Social Login providers will be created after importing the generated file:
This Web Login page configured will offer the guest multiple forms of authentication. The guest will be able to submit his/her existing ClearPass Guest credentials or he/she will be able to select one of the social login providers that have been configured.
Social Logins Configuration
Each social provider needs to be set up for ClearPass to perform the social login. Generally, this involves creating an "application" on the provider side and enabling authentication for that app. The provider will then issue an a Client ID and a Client Secret, which this solution will require you to enter. Below are the instructions for setting up an app on Facebook and Google+. Text highlighted in gray are dynamically updated as you complete the solution. Before folloing the below instructions, it is recommended to first go through the entire solution except for the Social Logins tab. By doing this, the instructions below will be updated with the information you entered in the solution.
Facebook
1. Login to Facebook developer console at https://developers.facebook.com/
2. Click on "Apps" and select "Add a New App"
3. Click on "advanced setup"
4. Enter the name of your application, select "Apps for pages" in the Category drop-down menu and click on "Create App ID"
5. You may be prompted to submit a captcha security check.
6. You will be redirected to the following Application Dashboard. Now, click on "Settings"
7. Enter the "App Domains" and "Contact Email"
8. Now click on "Add Platform" and click on "Website"
9. Enter the "Site URL" and "Mobile Site URL". These MUST match the login URL of the captive portal page that is configured in the Aruba Mobility Controller, (%login_url%). You MUST use the domain name and not the IP address in the URL configuration. To do this, set up the DNS server to map the CPPM IP address to a Fully Qualified Domain Name (FQDN). Click "Save Changes"
ASE Captive Portal Configuration
10. Copy and paste the "App ID" and "App Secret" to the "Facebook Client ID" and Facebook Client Secret" fields in ASE.
Google Apps
1. Login to the Google Developer console at https://code.google.com/apis/console
2. Create a project if you haven't already done so.
3. Navigate to the Consent Screen and provide your organization's "Email Address" and "Product Name" at a minimum.
4. Click on "APIs" and turn the "Admin SDK" and "Google+ API" to "ON".
5. Click on "Credentials" and "Create new Client ID"
6. Leave the application type to the default "Web application". On the "Authorized Javascript Origins", enter the base URL with FQDN of the ClearPass instance that will be hosting the captive portal, https://(%hostname%)/. On the "Authorized Redirect URI" text box,
- Enter the login URL for the captive portal page defined in ASE: (%login_url%)
- Enter the following URI: https://(%hostname%)/guest/social_provider_edit.php
ASE configuration screen
7. Copy and paste the "CLIENT ID" and "CLIENT SECRET" to the "Google Client ID" and Google Client Secret" fields in ASE.
Platforms Tested
Aruba Mobility Controller 7210 running AOS 6.4.0.3 build 43121
ClearPass Policy Manager 6.4.0.66263
Licensing
Access Point and PEF Licenses.
References
[1] Arubapedia: How-To:Clear Pass Guest Social Logins