Security

Hi,

 

We have a back end RADIUS service that allows us to either authenticate our users against an AD server or proxy visiting eduroam users off to their home site for authentication.

 

I've just been asked if it might be possible to allow users to connect to a local SSID  and authenticate using either their Facebook, LinkedIn or even Google credentials. 

 

Anyone done this sort of thing? Is there an API that you could use to link into an external auth service for above systems or do you somehow point to a captive portal login/auth page?

 

Rgds

Alex

 

I believe there is an open feature requests for this type of functionality in ClearPass Guest.

 

We are greatly looking forward to that type of functionality for our guests.

We are developing something internally to authenticate with Facebook and Google+ but you would need to speak to an external API to accomplish this.

 

Here is some information from facebook on this topic to start your off.

https://developers.facebook.com/docs/reference/login/

https://developers.facebook.com/docs/facebook-login/login-flow-for-web-no-jssdk/

https://developers.facebook.com/docs/dialogs/

https://developers.facebook.com/docs/reference/api/user/#posts

 

 

This is something that we have been testing and if you would like to test this just send me a private message and I can see if I can get you a beta code. 

 

Just remember that this is a non TAC supported feature so they will not be able to help if you have issues.

Hi Troy,

Soulds like something I'd like to have a look at. How do I contact you off line?

A

I'd very interested in getting that information as well. Clearpass is something we now providing and this will definitely help our service offering in conjunction with our own developped solutions.

 

Is it ok Troy for you to pass this along to me as well?

I sent you a Private message

Troy,

I would interested in this as well.  Thanks in advance.

Could I also get this information?  Many thanks.  I am especially interested in the Linkedin use cases.

im also interested, can you please send me the email. thank you in advance

Would appreciate a copy of this information as well..

 

PM me if you'd like...

 

Thanks.

I would like to kindly ask about that as well :)

Can you guys send me a Private Message with your email address and I will send you the information.

A quick update. This will be included in 6.3.1

Hi

 

Any update regarding this new feature to be able to log in with Facebook or Google+ accounts?

I have read the release notes for 6.3.1 and 6.3.2 but can't find any information about this.

 

Regards

Jonas

I am evaluating clearpass and have 6.3.3 loaded, but cannot find anything that references external entities as an authentication source like the posts lists.

 

Has this been implemented or is this still in "development"?

Still in development.

Thanks... much appreciated for the prompt reply.  Is there a timeframe when such service will / would be available?

It is currently in Alpha at a few customer locations. I will send out a notifiction when it is going to full production. I have no current commit date as of today. 

Ok.. once again much appreciated.. We will move forward with an e-mail validation process for guest access in the interim

is there any details about that?

it's possibile to "force" guest to put "i like" in facebook wisp page before getting access?

Spoiler alert! !!! :)

@andrea.consadori wrote:

is there any details about that?

it's possibile to "force" guest to put "i like" in facebook wisp page before getting access?

Andrea,

-----------------------------------------------------------------------------------------------------------------------------------------------

 

I’m confused on your first question.

 

As for your second question. You will be able to have a page with the login with Facebook page, and then you will be able to have VIP access. Their might be a way to force a user to like your page but you would need to do some creative services. It will not be a native function but would be a nice feature request. 

 

Below is a screen shot of an example page. 

 

A sample scenario: A guest user logins in with the LinkedIn button. The user likes company A on LinkedIn and you will be able to see their like status in a return attribute from LinkedIn and you grant them a better QOS/Bandwidth compared to a user that does not like company A on LinkedIn. 

 

 

 

How close is this to being available to Prime Time?

I know its active in 6.4. I will have to see if it will be in 6.3.5.

Thanks for the update... I guess 6.4 is only available to the beta group for now, as I do not see it for download yet. 

 

Hi,

 

Can I have the information too? I am trying out facebook integration with Clearpass.

 

Thank you.

Hi All,

 

Any solution for now? Anyone can share some info?

 

Thank you!

6.4 is around the corner and as of today there is an old way of doing it by adding a few files to CPPM. I can send you the files but they are not supported by TAC, there is only basic setup and it is very challenging to setup. 

 

My recomendation is to wait until the full release is availible. Im sure you can understand that we would like to make sure we do a full test and work through any issues before it goes out to production. :)

 

We are not only giving you a Facebook login, but also Linkedin, Google, twitter to name a few. As of today there is over 20 different social logins you will be able to use.

 

 

 

Thanks bro! You are the best!

That's awesome... it will add additional options to the validated e-mail / sms options already configured.

 

 

Thanks

6.4 was released a few hours ago. 

 

Have fun :)

 

Awesome! Thanks for the update.

Is there any guide for this feature? 

br, 

Marek 

There will be a arubapedia page out soon and a guide to follow.

Where can I download the 6.4 version? I am using a IAP 105 for my dental office.Thanks!

Easiest way is to check under Software Updates on your ClearPass server.


You can also use the upgrade image:
http://support.arubanetworks.com/DownloadSoftware/tabid/75/DMXModule/510/Command/Core_Download/Default.aspx?EntryId=14784

I don't have ClearPass, just use a stand alone IAP 105 for the office, would love to be able to use the FaceBook Check-in option for patients to give them wifi access.

This is a ClearPass feature. You need ClearPass.

Hi, 

You can always try 90 days eval 

http://clearpass.arubanetworks.com/webservice/eval_request.php

br,

M

 

You to work with an Aruba rep or partner to get an eval.

of course it would be nice to have it, but clearpass for one IAP105 at one dental office might be a little extreme. anyone heard of companies offering clearpass as a saas?

For now, I have installed a Netgear AP with FaceBook wifi, there are few other routers out there, will see how it works.

In the upcoming release 4.1.1 for the IAP, the facebook WiFi feature is also built-in, you don't need any external devices or services.

Thank you Yan Liu!! Would you know when it will be released?

 

It should be in the next 2-4 weeks.

Yan Liu, do we need IAP 4.1.1 for normal social media login to work also? I'm trying to implement facebook login using IAP with 6.4.0.3-4.1.0.2_45704, but for now no luck.

I get a "required field unavailable" when I click the Facebook login button after redirection.

 

And Troy - as far as I can tell there is still no arubapedia documentation accessible for partners yet regarding the Social Media Logins implementation using CP 6.4.x. There are however some excellent videoes that explains it all using 6.3.1 and .4, so I'm slowly piecing it together.

 

Gonna try this using a Controller based demo and see if I might have better luck.

Ok, so the reason I'm getting the errormessage was due to the missing mac adress in the mac field. When I put that in the URL I was able to get facebook login. Still no idea how to automagically get that done tho..

Are you just checking the page during testing or are you actually associating? Usually you'll get that error during testing because the full redirect URL isn't present.

Yea I'm familiar with that, but using a normal guest account works fine on the same redirect so I'm assuming the url is correct. It's masked in the safari browser so I dont see what it is before I click the fb login btn. I'll try using a laptop tomorrow to check the url and html source..

Ok - in short...

This tested using CP 6.4.x and IAP 6.4.0.3-4.1.0.2_45704.

 

- You NEED to use https

  * Without https you just get "missing parameter" when clicking the "Login with Facebook" button.

 

- You need to redirect to a valid FQDN

   * This FQDN and the entire loginpage URL has to be connected to your facebook App..

 

 

- Walled Garden on Instant doesn't seem to be working like whitelisting on Controller. So you need to add the necessary facebook URL's to your logon role. https to facebook.com and akamaihd.net should cover all bases.

 

 

One snag I found just immediately - tt seems like the email fetched from facebook doesn't overwrite an existing username on the Endpoint if another exist. I would assume that it should've overwritten with the latest username I logged in with - bug?

Is there a guide somewhere to implement this ?

I am not sure about what I need to do on the Facebook side and I don't know if check the "social login" when creating the page is enough on the ClearPass Guest side.

 

Thanks.

 

EDIT : Found out about Social Media Tips from tarnold. I now have my facebook app created, and the button is on the login page. When I click on it, I can reach the facebook page asking if you want to connect, but when I click OK nothing happens and I'm getting redirected to the captive portal. Any Idea ?

 

- nice2k.

Are you showing up in Access Tracker after you login with facebook? If so make sure your hitting the correct service and your sending back an enforcement profile to the controller that puts you in a post-auth role.

Hi,

Yup got it working o.k. now. I'm hitting a service I set up for social logins and  have applied an enforcement profile specific to facebook,twitter etc

 

Rgds

Alex

 

I have social login working for LinkedIn and Facebook just fine. I'm trying to get Google working but keep having issues with the redirect_uri parameter. I get the error message that local URIs not allowed.

 

Does anyone have any tips for using Google's OAuth API and what the correct settings are?

Hello Josh

 

In your google project and credentials - did you change the values under Authorized Redirect URI? That have be real FQDN's for your Clearpass. Can't use uri's like http://192.168.10.10 which is a common scenario for lab. As a workaround for lab try this:

 

If you're on a Windows client testing this:

Edit your c:\Windows\System32\drivers\etc\hosts file

Add the local IP of your CP and some valid domain name - like this:

192.168.10.10   myclearpass.yourfakedomain.com

 

For Mac it's \private\etc\hosts

 

Note! The domain just have to be resolvable for you - not for google. Of course - in a production scenario you will need a valid FQDN that your guests resolve when accessing Clearpass.

 

Update your Google project with the complete URI under Credentials -> Authorized Redirect URI ie: http://myclearpass.yourfakedomain.com/your-loginpage-name.php

 

Also make sure that your Controller now also redirects to the new URI for your guest social login testing :)

 

Thats it!

John - thanks for the help. That was the missing piece I think. 

 

Now I get prompted to allow Google access to my data, but the Accept button remains greyed out. I'm wondering do I need to allow more than below in my captive portal whitelist?

 

accounts.google.com

www.googleapis.com

 

Here are the screen caps of my URI redirect and the permission page I'm seeing. 

 

 

 

 

Thanks again for the help. 

Hmm. It seems like you don't have enough access to see all the styling.

 

Try to whitelist these two:

 

• googleusercontent.com
• googleapis.com

 

added. Still getting the same results. 

Ok..

 

Well - no way around it. Same as we did for facebook and linkedin tehn:

 

google.com

google.co.uk

googleusercontent.com

googleapis.com

gstatic.com

google-analytics.com

 

 

ok that fixed the form and the permission page displays correctly and the Accept button is greyed out for a few seconds and then become "clickable."

 

Once I grant permission I get redirected back to the cppm.demo.com/demo_reg_social_login.php and am not logged in. If I try clicking my Google login it doesn't prompt any more (still logged into my google acct on the browser) but keeps redirecting back to the network login page for guest. 

 

Nothing is showing up in Access Tracker beside the initial MAC auth attempt. 

Hi there,

 

try adding https://<domain>/guest/<your login page>.php

 

inside the Redirect URIs. Hope my answer relevant.

 

Thanks.

Hello,

 

On your Google developer console, did you add the "Admin SDK" and "Google+ API" in Enabled APIs ?

 

Please compare your configuration to the one on the ASE doc :

 

https://ase.arubanetworks.com/solution/id/81

 

- nice2k

yes, of course I added those two

Sorry, I was asking to jclingan.

I didn't have the Admin access set in google so I'll need to do that. I wasn't aware of the ASE solution and my account on arubapedia doesn't have access to the how to page (getting that corrected).

 

Thanks for the help everyone - I'll follow the ASE and hopefully should be good to go. 

we can do clearpass as a service if you are interested.

Do you have instructions for configuring this one?

Haven't heard of ClearPass SaaS, but Cloudessa can be used in conjunction with Captive Portal to provide some social networking account authentication capabilities.