Hi gang!
(first post dissapeared so I'm trying to post this one more time..)
This isn't a complete step-by-step tutorial as it expects you to know your way around the Aruba WLC and Clearpass configuration elements. Some snippets of this I got from our awsome community, but key elements was still missing and took some hours in the lab to work out. As we gain more experience with this authentication I will add more to this tutorial.
Requirements
You will need Clearpass 6.4.x as that is where the "true" social-login support started. It's possible to do with some 6.3.x version, but I wouldn't recommend it as I believe that was mostly for Aruba internal testing/showcasing.
Facebook
When it comes to using Facebook as authentication you will need access to a facebook account. With this account you first register as a developer (free and open for all) using this URL: https://developers.facebook.com. This is the account you will be creating your authentication app with.
During your testing the authentication APP you create will not be LIVE. Only the facebook account you use for creating the App and the people you invite will be able to suceesfully authenticate using this Facebook social-login. The facebook users you invite will receive a message with the invite. They will first have to register as devolopers before being able to accept the invitation.
Note! I haven't actually gotten past the Developer status of my facebook Auth App, but will update once I figure out how thats accomplished. For instanse - making it necessary to Like a certain page is something I'm definately looking into, but havent found out how is done yet.
Clearpass, IP or FQDN
It seems that you can not be using an IP address in your redirect as this returns an error message from Facebook during the auth process. That means you will have to create a DNS entry that is resolvable for your guests.
Whitelisting social websites
For this to work you will have to accept that un-authenticated users will be able to surf on Facebook. There is no way around that, so if thats against your policy then this is a no go for you. This is not only for facebook, but for all forms of social login
The setup
On Controller
If you have a usable ClearPass guest SSID already then you can use that. Just add the necessary fw rules to your -logon role.
Create a Open Guest SSID with required aaa, vap, captive portal, ssid etc.
- Initial role - social-logon (create new)
- Captive Portal redirect to Clearpass
FW policy for -logon role:
- logon-control (or your variant of it)
- social-list-operations:
-> Permit http/https towards the social media auth servers (see Alias list below) AND the Clearpass server
Aliases for facebook
- social-facebook (minimum required at this time)
- graph.facebook.com
- api-read.facebook.com
- api-video.facebook.com
- www.facebook.com
- fbstatic-a.akamaihd.net
- fbcdn-profile-a.akamaihd.net (new?!)
- fbexternal-a.akamaihd.net (new?!)
My suggestions incase this changes in the future:
On Clearpass
Guest
If you already have a working login page - just use that and add the snippet below.
- Create web login with custom login form (this is the one you redirect to)
- Check for Social Login, and enter the ones you want to be able to login with.
For each social login type you will have to add the AppID and AppSecret. If you have these already then add them - if not come back to this after you've created the App in the Facebook sections below.
In the footer add this snippet
{nwa_social_logins}
- See more versions you can use in the "Other things" section below.
CPPM
Create Auth Source
I'm assuming this will change in a near release so we can just select social-login as type when creating Auth source, but this is it for now.
- Create a New Auth source with type "Generic SQL"
- Check use for Authorization
See screenshot for setup (All Social data is stored in the Endpoints database connected to the device so thats why we use it for authentication)
- Under Attributes create two Filters: Authentication and Social Service Provider
Fidn the SQL to use as input for Filter Query under "Other things" section in this doc.
Create the Service
Use your existing working Guest service or create a new server.
Easiest way is to use the wizard and create a new Guest Access service. The templates "Guest Access" or "Guest access with MAC auth" will get the job done nicely. Or - just .
- Add the Social Auth source as authentication source to the Guest Access service
- Optional: add a test and return various roles depending on the social-source. Might make it easier for statistics this way
Facebook
Now you need to login to developers.facebook.com and create the App
- Click Apps - Register new App
Note! (Just refresh site a few times if it still shows Register as developer if you just registered)
- Click Apps - Register new App (refresh site if it still shows Register as developer)
Apps -> "Your Auth App"
- Settings - Basic.
- Add the name (FQDN) of your clearpass server under App Domains
- Add Platform and select Website
- In "Site URL" input the whole URL for your loginpage on Clearpass
- Save
Now - note down the App ID and App Secret for this app. You will need this when adding social login to your login page on Clearpass.
Before you go live with the app you will want to go through the App settings - Advanced section to improve security.
Testing
Now it's time to test things out. You should already have the SSID running so just load up your favorite device and connect to the SSID. You should now see something similar to this:
Click Facebook and you should be be redirected to Facebook. Depending on your device and facebook integration you will either be asked for Facebook credentials or immediately a prompt that wants you to authorize "your auth app" for access to a few personal details
Things to check when it doesnt work..
- Make sure you are using a facebook account that have test access to your App.
- Re-check the inputs you have entered into the FB App
- Verify that normal guest login works before troubleshooting more
- Check Access Tracker. Verify that the correct service is triggered.
Other Things...
Auth SQL input
Filter Query - Authentication:
SELECT tag_value AS User_Password FROM tips_endpoint_tag_mappings JOIN tips_tag_values ON (tips_endpoint_tag_mappings.tag_value_id = tips_tag_values.id) WHERE tips_endpoint_tag_mappings.instance_id = (SELECT id FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')) AND tips_tag_values.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'social_password' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'Endpoint'));
Filter Query - Social Service Provider
SELECT tag_value AS SP FROM tips_endpoint_tag_mappings JOIN tips_tag_values ON (tips_endpoint_tag_mappings.tag_value_id = tips_tag_values.id) WHERE tips_endpoint_tag_mappings.instance_id = (SELECT id FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')) AND tips_tag_values.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'social_method' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'Endpoint'));
nwa_social_login
{nwa_social_login}
The following parameters can be passed:
vertical=1 to display vertical over horizontal.
notext=1 to only display icons.
noicons=1 to only display text.
noself=1 to suppress logic to include self-registration interlinking.
prefix='Login with ' to include a prefix on all the labels.
suffix=' and have fun' to include a suffix at the end of all the labels.
class=YourClass to give the wrapping div a class a specific class.
style='color:blue;' to give the wrapping div specific styles. Example:
{nwa_social_logins vertical=1 noicons=1 prefix='Login with ' suffix=' and get access!'}
Other social aliases
Linkedin
New proposal:
Google
- www.google.com
- lh4.googleusercontent.com
- ssl.gstatic.com
- accounts.google.com
References
Airheads forums in general and especially tarnold. Search for his "social tips" posts.
afp.arubanetworks.com