Clearpass Social Login - october-mhc

Hi gang!


(first post dissapeared so I'm trying to post this one more time..)

This isn't a complete step-by-step tutorial as it expects you to know your way around the Aruba WLC and Clearpass configuration elements. Some snippets of this I got from our awsome community, but key elements was still missing and took some hours in the lab to work out. As we gain more experience with this authentication I will add more to this tutorial.



You will need Clearpass 6.4.x as that is where the "true" social-login support started. It's possible to do with some 6.3.x version, but I wouldn't recommend it as I believe that was mostly for Aruba internal testing/showcasing.



When it comes to using Facebook as authentication you will need access to a facebook account. With this account you first register as a developer (free and open for all) using this URL: This is the account you will be creating your authentication app with.


During your testing the authentication APP you create will not be LIVE. Only the facebook account you use for creating the App and the people you invite will be able to suceesfully authenticate using this Facebook social-login. The facebook users you invite will receive a message with the invite. They will first have to register as devolopers before being able to accept the invitation.


Note! I haven't actually gotten past the Developer status of my facebook Auth App, but will update once I figure out how thats accomplished. For instanse - making it necessary to Like a certain page is something I'm definately looking into, but havent found out how is done yet.


Clearpass, IP or FQDN

It seems that you can not be using an IP address in your redirect as this returns an error message from Facebook during the auth process. That means you will have to create a DNS entry that is resolvable for your guests.


Whitelisting social websites

For this to work you will have to accept that un-authenticated users will be able to surf on Facebook. There is no way around that, so if thats against your policy then this is a no go for you. This is not only for facebook, but for all forms of social login


The setup

On Controller

If you have a usable ClearPass guest SSID already then you can use that. Just add the necessary fw rules to your -logon role.


Create a Open Guest SSID with required aaa, vap, captive portal, ssid etc.

  • Initial role - social-logon (create new)
  • Captive Portal redirect to Clearpass

FW policy for -logon role:

  • logon-control (or your variant of it)
  • social-list-operations:

         -> Permit http/https towards the social media auth servers (see Alias list below) AND the Clearpass server


Aliases for facebook

  • social-facebook (minimum required at this time)
  • (new?!)
  • (new?!)

My suggestions incase this changes in the future:


On Clearpass
If you already have a working login page - just use that and add the snippet below.

  • Create web login with custom login form (this is the one you redirect to)
  • Check for Social Login, and enter the ones you want to be able to login with.

For each social login type you will have to add the AppID and AppSecret. If you have these already then add them - if not come back to this after you've created the App in the Facebook sections below.


In the footer add this snippet





  • See more versions you can use in the "Other things" section below.



Create Auth Source
I'm assuming this will change in a near release so we can just select social-login as type when creating Auth source, but this is it for now.

  • Create a New Auth source with type "Generic SQL"
  • Check use for Authorization

See screenshot for setup (All Social data is stored in the Endpoints database connected to the device so thats why we use it for authentication)





  • Under Attributes create two Filters: Authentication and Social Service Provider



Fidn the SQL to use as input for Filter Query under "Other things" section in this doc.


Create the Service

Use your existing working Guest service or create a new server.

Easiest way is to use the wizard and create a new Guest Access service. The templates "Guest Access" or "Guest access with MAC auth" will get the job done nicely. Or - just .

  • Add the Social Auth source as authentication source to the Guest Access service


  • Optional: add a test and return various roles depending on the social-source. Might make it easier for statistics this way




Now you need to login to and create the App

  • Click Apps - Register new App

Note! (Just refresh site a few times if it still shows Register as developer if you just registered)

  • Click Apps - Register new App (refresh site if it still shows Register as developer)

Apps -> "Your Auth App"

  1. Settings - Basic.
  2. Add the name (FQDN) of your clearpass server under App Domains
  3. Add Platform and select Website
  4. In "Site URL" input the whole URL for your loginpage on Clearpass
  5. Save

Now - note down the App ID and App Secret for this app. You will need this when adding social login to your login page on Clearpass.

Before you go live with the app you will want to go through the App settings - Advanced section to improve security.



Now it's time to test things out. You should already have the SSID running so just load up your favorite device and connect to the SSID. You should now see something similar to this:



Click Facebook and you should be be redirected to Facebook. Depending on your device and facebook integration you will either be asked for Facebook credentials or immediately a prompt that wants you to authorize "your auth app" for access to a few personal details


Things to check when it doesnt work..

  • Make sure you are using a facebook account that have test access to your App.
  • Re-check the inputs you have entered into the FB App
  • Verify that normal guest login works before troubleshooting more
  • Check Access Tracker. Verify that the correct service is triggered.



Other Things...

Auth SQL input
Filter Query - Authentication:

SELECT tag_value AS User_Password FROM tips_endpoint_tag_mappings  JOIN tips_tag_values ON (tips_endpoint_tag_mappings.tag_value_id = WHERE tips_endpoint_tag_mappings.instance_id =      (SELECT id       FROM tips_endpoints      WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}'))          AND tips_tag_values.tag_id =               (SELECT id               FROM tips_tag_definitions               WHERE name = 'social_password'                    AND entity_id =                        (SELECT id                         FROM tips_dic_internal                        WHERE dic_prefix = 'Endpoint'));  


Filter Query - Social Service Provider

SELECT tag_value AS SP FROM tips_endpoint_tag_mappings  JOIN tips_tag_values ON (tips_endpoint_tag_mappings.tag_value_id = WHERE tips_endpoint_tag_mappings.instance_id =      (SELECT id       FROM tips_endpoints      WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}'))          AND tips_tag_values.tag_id =               (SELECT id               FROM tips_tag_definitions               WHERE name = 'social_method'                    AND entity_id =                        (SELECT id                         FROM tips_dic_internal                        WHERE dic_prefix = 'Endpoint'));




The following parameters can be passed:

vertical=1 to display vertical over horizontal.
notext=1 to only display icons.
noicons=1 to only display text.
noself=1 to suppress logic to include self-registration interlinking.
prefix='Login with ' to include a prefix on all the labels.
suffix=' and have fun' to include a suffix at the end of all the labels.
class=YourClass to give the wrapping div a class a specific class.
style='color:blue;' to give the wrapping div specific styles.


{nwa_social_logins vertical=1 noicons=1 prefix='Login with ' suffix=' and get access!'}




Other social aliases


New proposal:






Airheads forums in general and especially tarnold. Search for his "social tips" posts.


John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor I

Re: Clearpass Social Login - october-mhc

I am getting error...



Aruba Employee

Re: Clearpass Social Login - october-mhc

@excrucio, 'mac' must have been passed for social to work.  This will occur in almost all redirects but would not really be there when just testing at the admin level.  You are free to append '?mac=YOURMAC' to that login page.

Occasional Contributor I

Re: Clearpass Social Login - october-mhc

Very nice write up on social login configurations.  I've been searching around for some information on adding a mac-caching feature for social logins, so that subsequent logins will be handled by a mac caching service as is easily done via a sponsor approved method.  Have you heard of any way to cache the mac during the social login process?  Maybe via a post-auth enforcement policy?  I'm just starting to tackle this, but looking for input wherever I can...

Guru Elite

Re: Clearpass Social Login - october-mhc

Here's an example that will allow access for one month before requiring another login:


Screenshot (16).png

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Search Airheads
Showing results for 
Search instead for 
Did you mean: