Wireless Access

Reply
Highlighted
Contributor II

Social Authentication Policy in Captive Role

I am trying to setup guest access via Cloudpath social authentication and the captive policy on our controllers is blocking access to the various social authentication API sites (e.g. Google, Facebook & LinkedIn). It would be a shame to need to allow complete access to those three domains in order to get social authentication working. Is there a more streamlined list of URLs to allow social authentication from a captive role?


Accepted Solutions
Highlighted
Contributor II

Re: Social Authentication Policy in Captive Role

After extensive work with TAC, we determined LinkedIn and Facebook social auth required further domains in the whitelist in order to work properly. Once the below domains were added things worked as expected.

 

Facebook.com
====================================================
     *.facebook.com
     *.facebook.net
     *.fbcdn.net
     *.fbsbx.com
     *.akamaihd.net
     *.akamaiedge.net
     *.doubleclick.net
     *.google.com
     *.google.com.br (for Brazil deployments)
     *.accountkit.com
     *atdmt.com
     googleads.g.doubleclick.net

LinkedIn
=====================================================
     *.licdn.com
     *.linkedin.com
     *.akamaiedge.net
     *.akamaihd.net
     slicdn.com
     *.recaptcha.net
     *.google.com
     *.gstatic.com

View solution in original post


All Replies
Highlighted
Moderator

Re: Social Authentication Policy in Captive Role

https://github.com/aruba/clearpass-cloud-service-whitelists



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Highlighted
Contributor II

Re: Social Authentication Policy in Captive Role

Thank you! Is recommended practice to create a new policy for each authenticator in our captive role?

Highlighted
Moderator

Re: Social Authentication Policy in Captive Role

You just add the netdestination to the captive portal profile in the whitelist.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Highlighted
Contributor II

Re: Social Authentication Policy in Captive Role

We're not using the captive portal on the controller. Rather, we're redirecting to our Cloudpath installation, so we added the rules as firewall entries for the guest-logon profile, but we're still unable to access Facebook. The netdestination looks correct based on the github information, but when accessing the Facebook authentication page, Firefox throws an error saying it cannot access the site as the certificate is presented for securelogin.arubanetworks.com.

Highlighted
Contributor II

Re: Social Authentication Policy in Captive Role

Bumping this thread - we've worked with local engineers and have an open TAC case, and still we're unable to allow access to LinkedIn & Facebook from a captive profile. We created a policy that allows all social authentication sites and set that policy in a high position in the affected roles and still no improvement.

Highlighted
Contributor II

Re: Social Authentication Policy in Captive Role

After extensive work with TAC, we determined LinkedIn and Facebook social auth required further domains in the whitelist in order to work properly. Once the below domains were added things worked as expected.

 

Facebook.com
====================================================
     *.facebook.com
     *.facebook.net
     *.fbcdn.net
     *.fbsbx.com
     *.akamaihd.net
     *.akamaiedge.net
     *.doubleclick.net
     *.google.com
     *.google.com.br (for Brazil deployments)
     *.accountkit.com
     *atdmt.com
     googleads.g.doubleclick.net

LinkedIn
=====================================================
     *.licdn.com
     *.linkedin.com
     *.akamaiedge.net
     *.akamaihd.net
     slicdn.com
     *.recaptcha.net
     *.google.com
     *.gstatic.com

View solution in original post

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: