Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass / Android Google Social Login

  • 1.  Clearpass / Android Google Social Login

    Posted May 30, 2019 08:07 PM

    I had a weird situation today mocking up Social login in CPPM 6.7.9 that I don't remember running into prior. 

    Google social login redirects to the accounts page without issue on a Windows laptop. I can log in and everything is working fine. However, on my Android device, it will not redirect to the accounts page when I click the Google social login button. It will act like it is going to, then redirect me back to the CP page without an indication as to why. 

     

    In my troubleshooting I found that since my default Android browser is Chrome (Dev), and I have it always logged into my Gmail account to sync data, the Google accounts page was getting confused. I could see the title of the window change to Google before it dumped me back to the CP page.

     

    If I turn off sync (or open incognito mode), then click the Google social login button, the accounts page comes up. 

    This is a long-winded way of asking: Is this behavior normal? Has anyone found a workaround so Google gracefully handles this scenario? I can't be the only one that uses Google sync + social login. 

     

    Thanks in advance!



  • 2.  RE: Clearpass / Android Google Social Login

    EMPLOYEE
    Posted Jun 04, 2019 03:40 PM

    Does Access Tracker show a login attempt?  Do you have any way to see the URL?



  • 3.  RE: Clearpass / Android Google Social Login

    Posted Jun 04, 2019 03:43 PM

    I could not see the URL as I was on my phone... not very suitable for troubleshooting.

     

    However, I do need to test this theory with a laptop signed into Google with Chrome.

     

    To answer your first question: No, I never see an auth attempt in CPPM.



  • 4.  RE: Clearpass / Android Google Social Login

    Posted Jun 13, 2019 05:54 PM

    Well I got the URL and I have a real error that wasn't presenting on my phone. I was also able to reproduce this several times.

    1. In Chrome, sign into Gmail.
    2. It will sign into Chrome autostupidly.
    3. Switch to the Guest network.
    4. Click the Social Login button.

    I am redirected back to the login page with an OAuth error. I never see the 'accounts' page.

     

    URL (Redacted):

    https://guest.internaldomain.com/guest/guestReg_login.php?state=1560462033-a393f6&code=XXXXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXX&scope=email+profile+openid+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile

    Error:

    it was not possible to open the OAuth access token URL: 110 could not connect to the host "accounts.google.com"

    If I sign out of Chrome and use an 'anonymous' session, the accounts page shows up as it should.



  • 5.  RE: Clearpass / Android Google Social Login
    Best Answer

    EMPLOYEE
    Posted Jun 14, 2019 10:51 AM

    accounts.google.com is accessed by both ClearPass and the client.  Exactly where are you seeing the error?  It is pretty self-explanatory, but it being dependent on whether you are logged in or not makes no sense.  Nothing would be affecting your DNS?  Is a firewall elsewhere blocking access?



  • 6.  RE: Clearpass / Android Google Social Login

    Posted Jun 14, 2019 10:55 AM

    Nothing would be blocking it. If I log out of Chrome sync, the page loads as it should, and I can continue with the social login. (The accounts page loads normally.)

     

    The error is presented at the top of the CP page once I'm redirected back there.

     

    I click the button, it tries to go to the above URL, spins for a minute or so, then spits me back out to the CP page with the above error in red text. 

     

    I would be curious if someone else could replicate it, because I can regularly.



  • 7.  RE: Clearpass / Android Google Social Login

    Posted Jun 14, 2019 12:40 PM

    So, I found that the FW was blocking the Data port IP and not the VIP. So I relaxed the rule a bit to allow the IP itself to communicate out as well. This resolved the issue.

     

    Seems odd though, that I could get to the accounts page, but not continue. It's like the VIP was making the DNS requests, but the actual HTTPS requests came from the interface IP.

     

    A wise man once said, "It's always the firewall."
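
Added example, not part of the original thread: the resolution above came down to a firewall rule that allowed one local address outbound but not another. The sketch below checks TCP egress to a host from each local source address in turn. It assumes a multi-address Linux host where Python can run; `check_egress`, `compare_sources` and the 192.0.2.x addresses are hypothetical placeholders.

```python
import errno
import socket

def check_egress(source_ip, host, port=443, timeout=5.0):
    """Attempt a TCP connect to host:port from one specific local address.

    Binding to source_ip before connecting pins the source address, so a
    firewall rule keyed on source IP shows up as a per-address difference.
    Returns (ok, detail).
    """
    # Resolve only in the source address's family so bind() and connect() match.
    family = socket.AF_INET6 if ":" in source_ip else socket.AF_INET
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.bind((source_ip, 0))      # port 0: let the kernel pick one
            s.connect(addr)
            return True, "connected to %s" % addr[0]
    except socket.timeout:
        return False, "timed out (packets likely dropped in the path)"
    except ConnectionRefusedError:
        return False, "refused (actively rejected by host or firewall)"
    except OSError as exc:
        if exc.errno == errno.EADDRNOTAVAIL:
            return False, "source address is not configured on this host"
        return False, "failed: %s" % exc

def compare_sources(source_ips, host, port=443, timeout=5.0):
    """Run check_egress for every source address; returns {ip: (ok, detail)}."""
    return {ip: check_egress(ip, host, port, timeout) for ip in source_ips}

if __name__ == "__main__":
    # Constructed placeholder addresses (e.g. a virtual IP and an interface IP).
    candidates = ["192.0.2.10", "192.0.2.11"]
    for ip, (ok, detail) in compare_sources(candidates, "accounts.google.com").items():
        print("%-15s %-5s %s" % (ip, "OK" if ok else "FAIL", detail))
```

A timeout from one address and a success from another points at a source-IP rule in the path rather than DNS or the remote service.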