Hi all!
----------------------------------- Fixed by Sean Rynearson
This is the third time I post this message since the two other ones just dissapoeared, so this time I will only tag it with CPPM and add the elements as pdf. So far Sean or any other moderator haven't followed up on the missing posts, so until then - you will only get it as a pdf. *cross fingers* that the ghost in the machine doesn't snag it this time too!!
This isn't a complete step-by-step tutorial as it expects you to know your way around the Aruba WLC and Clearpass configuration elements. Some snippets of this I got from our awsome community, but key elements was still missing and took some hours in the lab to work out. As we gain more experience with this authentication I will add more to this tutorial.
----------------------Fixed by Sean Rynearson,
Hi gang!
This isn't a complete step-by-step tutorial as it expects you to know your way around the Aruba WLC and Clearpass configuration elements. Some snippets of this I got from our awsome community, but key elements was still missing and took some hours in the lab to work out. As we gain more experience with this authentication I will add more to this tutorial.
Requirements
You will need Clearpass 6.4.x as that is where the "true" social-login support started. It's possible to do with some 6.3.x version, but I wouldn't recommend it as I believe that was mostly for Aruba internal testing/showcasing.
Facebook
When it comes to using Facebook as authentication you will need access to a facebook account. With this account you first register as a developer (free and open for all) using this URL: https://developers.facebook.com. This is the account you will be creating your authentication app with.
During your testing the authentication APP you create will not be LIVE. Only the facebook account you use for creating the App and the people you invite will be able to suceesfully authenticate using this Facebook social-login. The facebook users you invite will receive a message with the invite. They will first have to register as devolopers before being able to accept the invitation.
Note! I haven't actually gotten past the Developer status of my facebook Auth App, but will update once I figure out how thats accomplished. For instanse - making it necessary to Like a certain page is something I'm definately looking into, but havent found out how is done yet.
-> Clearpass, IP or FQDN
It seems that you can not be using an IP address in your redirect as this returns an error message from Facebook during the auth process. That means you will have to create a DNS entry that is resolvable for your guests.
-> Whitelisting social websites
For this to work you will have to accept that un-authenticated users will be able to surf on Facebook. There is no way around that, so if thats against your policy then this is a no go for you. This is not only for facebook, but for all forms of social login.
The setup
On Controller
If you have a usable ClearPass guest SSID already then you can use that. Just add the necessary fw rules to your -logon role.
- Create a Open Guest SSID with required aaa, vap, captive portal, ssid etc.
- Initial role - social-logon (create new)
- Captive Portal redirect to Clearpass
- FW policy for -logon role:
- logon-control (or your variant of it)
- social-list-operations
- Http/https towards the social media auth servers (see Alias list below) AND the Clearpass server
Aliases for facebook
social-facebook (minimum required at this time)
- graph.facebook.com
- api-read.facebook.com
- api-video.facebook.com
- www.facebook.com
- fbstatic-a.akamaihd.net
- fbcdn-profile-a.akamaihd.net (new?!)
- fbexternal-a.akamaihd.net (new?!)
My suggestions incase this changes in the future:
- facebook.com
- akamaihd.net
On Clearpass
Guest
If you already have a working login page - just use that and add the snippet below.
- Create web login with custom login form (this is the one you redirect to)
- Check for Social Login, and enter the ones you want to be able to login with.
- For each social login type you will have to add the AppID and AppSecret. If you have these already then add them - if not come back to this after you've created the App in the Facebook sections below.
- In the footer add this snippet {nwa_social_logins}
- Example for customized version: {nwa_social_logins vertical=1 noicons=1 prefix='Login with ' suffix=' and get access!'}
CPPM
Create Auth Source
I'm assuming this will change in a near release so we can just select social-login as type when creating Auth source, but this is it for now.
- Create a New Auth source with type "Generic SQL"
- Check use for Authorization
- See screenshot for setup (All Social data is stored in the Endpoints database connected to the device so thats why we use it for authentication)
- Under Attributes create two Filters: Authentication and Social Service Provider
- Find the input to use for Filter Query under "Things" section
Create Service
- Use the wizard and create a new Guest Access service. The templates "Guest Access" or "Guest access with MAC auth" will get the job done nicely. Or - just use your existing Guest service..
- Add the Social Auth source as authentication source to the Guest Access service
- Optional: add a test and return various roles depending on the social-source. Might make it easier for statistics this way
Facebook
Now you need to complete the App in developers.facebook.com
Click Apps - Register new App
- Note! (Just refresh site a few times if it still shows Register as developer if you just registered)
Then click Apps - Register new App (refresh site if it still shows Register as developer)
Apps -> "Your Auth App"
- Settings - Basic.
- Add the name (FQDN) of your clearpass server under App Domains
- Add Platform and select Website
- In "Site URL" input the whole URL for your loginpage on Clearpass
- Save
Now - note down the App ID and App Secret for this app. You will need this when adding social login to your login page on Clearpass.
Before you go live with the app you will want to go through the App settings - Advanced section to improve security.
Things...
Auth SQL input
Filter Query - Authentication:
SELECT tag_value AS User_Password FROM tips_endpoint_tag_mappings JOIN tips_tag_values ON (tips_endpoint_tag_mappings.tag_value_id = tips_tag_values.id) WHERE tips_endpoint_tag_mappings.instance_id = (SELECT id FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')) AND tips_tag_values.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'social_password' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'Endpoint'));
Filter Query - Social Service Provider
SELECT tag_value AS SP FROM tips_endpoint_tag_mappings JOIN tips_tag_values ON (tips_endpoint_tag_mappings.tag_value_id = tips_tag_values.id) WHERE tips_endpoint_tag_mappings.instance_id = (SELECT id FROM tips_endpoints WHERE mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')) AND tips_tag_values.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'social_method' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'Endpoint'));
{nwa_social_login}
The following parameters can be passed:
- vertical=1 to display vertical over horizontal.
- notext=1 to only display icons.
- noicons=1 to only display text.
- noself=1 to suppress logic to include self-registration interlinking.
- prefix='Login with ' to include a prefix on all the labels.
- suffix=' and have fun' to include a suffix at the end of all the labels.
- class=YourClass to give the wrapping div a class a specific class.
- style='color:blue;' to give the wrapping div specific styles.
Other social aliases
social-linkedin
New proposal:
- Linkedin.com
- Akamaihd.net
google
- www.google.com
- lh4.googleusercontent.com
- ssl.gstatic.com
- accounts.google.com