Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

do i need to public clearpass when im doing social media login?

  • 1.  do i need to public clearpass when im doing social media login?

    Posted Jun 02, 2017 05:52 PM

    I was wondering if I need to do this in order to make social media login work.

    For example, right now I'm using something like

    clearpass.domain.com  this is pointed to a public IP address, which is the ClearPass

    I put that URL on the website in the social media app developer configuration.

    And I also put that URL in the URL of the controller to point to the ClearPass.

    It works perfectly that way. I remember I tried doing it without that with Azure and it didn't work... I was wondering if maybe I misconfigured something and it's really not needed...

    Even in the examples I have seen on Arubanetworks Airheads on this, it seems that they make the ClearPass public but with a name.

     

    Cheers

    Carlos

     



  • 2.  RE: do i need to public clearpass when im doing social media login?

    EMPLOYEE
    Posted Jun 02, 2017 06:00 PM
    No, your server does not have to be public facing.


  • 3.  RE: do i need to public clearpass when im doing social media login?

    Posted Jun 02, 2017 06:15 PM

    Tim,

    On the Facebook URL where I put the URL of the ClearPass

    What should I put then?

    Right now I've got something like https://clearpass.domain.com/guest/facebook.php

    Can I use something like

    https://172.16.3.225/guest/facebook.php

    Or in what way should I put the URL there so it can work properly?

     

    Cheers

    Carlos



  • 4.  RE: do i need to public clearpass when im doing social media login?

    EMPLOYEE
    Posted Jun 02, 2017 06:20 PM
    You should not be using an IP address for anything. Whichever FQDN your clients use to access ClearPass should be configured in the cloud providers.


  • 5.  RE: do i need to public clearpass when im doing social media login?

    Posted Jun 02, 2017 06:38 PM
    So I just put an FQDN of ClearPass, even if it points to a private IP, and it's okay?


  • 6.  RE: do i need to public clearpass when im doing social media login?
    Best Answer

    EMPLOYEE
    Posted Jun 02, 2017 06:41 PM
    Yes. As long as the client browser can resolve it, you're all set.


  • 7.  RE: do i need to public clearpass when im doing social media login?
    Best Answer

    Posted Jun 05, 2017 09:10 AM

    Hello Tim, I just tried this again today.

    It wasn't working before when I tried because the name of the server I had was something like alt_clearpass.domain.local

    When you configure that on the Facebook app you can put it in and it accepts it, but I see that it tells you that it is an invalid domain (I think I didn't see that before) and it won't work... So I took the underscore out, and now it sees it as a valid domain and now it works...

    So changing it to clearpass.domain.local made it work.

    So I guess that when I did it the first time it didn't work because of that, and I thought at that time that you needed a public domain.

     

    Thank you Tim!!

     

    Cheers

    Carlos



  • 8.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 12:33 PM

    It looks like Google will not accept a .local domain.

     




  • 9.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 02:21 PM

    I'm just configuring this for a demo, and I'm stuck on the same thing..

    Google won't accept .local...



  • 10.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 02:24 PM
    Also, Google requires verification..

    I have used DNS trickery with the hosts file to get past the URL check. However, how are you supposed to verify that? Seems you can't set up a Google POC.


  • 11.  RE: do i need to public clearpass when im doing social media login?

    EMPLOYEE
    Posted Apr 05, 2018 02:29 PM
    You ALWAYS need a public CA-signed cert for guest workflows.


  • 12.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 02:45 PM
    I'm not sure I follow. How are you supposed to verify the domain with Google (not G Suite) if the domain is internal? (.local, .dev, etc.)

    I set up a host clearpass.home.com in my hosts file so it would pass the Google URL check for the redirection URI.


  • 13.  RE: do i need to public clearpass when im doing social media login?

    EMPLOYEE
    Posted Apr 05, 2018 02:47 PM
    You need a publicly registered domain and a public CA-signed cert.


  • 14.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 03:13 PM

    So, no internal domains that are not registered / verifiable... must be .com/.org (for Google at least)

    So, I acquire a cert for clearpass.mydomain.com, and I just use my internal DNS servers to resolve clearpass.mydomain.com to an internal IP... is that the idea?



  • 15.  RE: do i need to public clearpass when im doing social media login?

    EMPLOYEE
    Posted Apr 05, 2018 03:15 PM
    Yes.
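
Added example (not part of the thread, and not Aruba or Google code): a pre-flight check for the redirect URI you plan to register with a social login provider, covering the three problems raised above: an IP address instead of an FQDN, an underscore in the host name, and a non-public suffix such as .local. The function name, result codes and suffix list are assumptions made for this sketch; each provider applies its own validation rules.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Host label per RFC 1123: letters, digits, hyphens; no underscore,
# no leading or trailing hyphen, at most 63 characters.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Assumed short list of suffixes that cannot be publicly registered or
# domain-verified; extend it to match your own internal naming.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "internal", "lan", "test", "invalid"}


def check_redirect_uri(uri):
    """Return a list of problem codes; an empty list means no problem found."""
    parts = urlsplit(uri)
    problems = []
    if parts.scheme != "https":
        problems.append("not-https")
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return problems + ["no-host"]
    try:
        ipaddress.ip_address(host)
        return problems + ["ip-literal"]  # post 4: use the FQDN, never an IP
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        problems.append("not-fqdn")
    if not all(LABEL_RE.match(label) for label in labels):
        problems.append("bad-label")  # post 7: the underscore made the name invalid
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        problems.append("non-public-suffix")  # posts 8-13: Google rejected .local
    return problems


if __name__ == "__main__":
    # URLs as they appear in the thread, plus the underscore name from post 7.
    for uri in (
        "https://clearpass.domain.com/guest/facebook.php",
        "https://172.16.3.225/guest/facebook.php",
        "https://alt_clearpass.domain.local/guest/facebook.php",
        "https://clearpass.domain.local/guest/facebook.php",
    ):
        print(uri, "->", check_redirect_uri(uri) or "ok")
```

A clean result only covers the name; the thread's other requirement, a public CA-signed certificate for that name, has to be checked separately.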


  • 16.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 07:40 PM

    You're great, Tim. I've made some progress as far as the domain cert thing. Now I'm getting a different cert problem when it tries to hit accounts.google.com. I'm not sure where to put an additional(??) certificate.

    FYI, I was in all your sessions at ATM18... great stuff.



  • 17.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 05, 2018 07:52 PM

    I think I found the answer... I have to buy another cert for the controllers...



  • 18.  RE: do i need to public clearpass when im doing social media login?

    Posted Apr 06, 2018 02:33 PM

    Hello Tim

    I made it work, but it seems it's letting me authenticate even with my personal Gmail account... and I just want users with the school domain to be able to.

    I believe I can work on an enforcement profile to not let this happen... but is there a way to do it without doing that?

    I believe that in Office 365 you don't even need to do that, as you are using the Active Directory of Azure... I mean, if you are not there then you won't have access, but it doesn't seem to be the same thing on Google....