External Portal Server + social media?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2017-05-19 20:01:31
I am using "External Portal Server" in EAP110. But my clients can also log in to my custom page using social media like Google or Facebook. How can I allow my login page to access other domains and sites without requiring authentication, or let my page access Facebook and Google? Do I need to configure my EAP Controller?
#1
Re:External Portal Server + social media?
2017-05-19 20:09:40
You need to open the EAPs for client access to those auth services, for example with a free authentication policy in EAC. But it's not an ideal solution: if IPs change, you have to change the ACL rules, too. There is no reliable way to set up such an authentication scheme.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#2
Re:External Portal Server + social media?
2017-05-24 19:22:36
Same problem here. This should be possible with dnsmasq & ipset, but this isn't available on the EAPs.
Let's hope they implement it in a new release.
#3
Re:External Portal Server + social media?
2017-05-25 09:00:27
dnsmasq won't help at all and ipset isn't needed to set rules for allowing access to certain IP addresses. But there are other problems such as distinguishing between authentication and normal traffic, both being HTTPS. AFAIK, FB provides a proprietary solution with Meraki and Cisco to sell FB-enabled WiFi hotspots.

But who uses FB anyway in these times? The youngsters left it a long time ago, when their Moms and Dads started to send them friend requests. ;)
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#4
Re:External Portal Server + social media?
2017-05-26 15:54:58
Hi R1D2,

With an external portal this should be possible if you could use dnsmasq in the free auth policy.
When you allow traffic to your portal & facebook.com, fbcdn.net, akamaihd.net, a guest can authenticate through Facebook. The only problem now is that the free auth policy only allows a limited number of (IP) rules.
Normal (pre-authenticated) traffic to these domains will pass, but the guest will still be redirected to your portal for all other traffic.

Grtz,
E-raser
#5
Re:External Portal Server + social media?
2017-05-27 07:11:22
Yes, I know. You have to white-list facebook.com, facebook.net, fbcdn.net, licdn.net, licdn.com, akamaihd.net, akamai.net, akamaiedge.net and cloudfront.com. If you do this by IP rules, then good luck for keeping the list of regional data centers of the CDNs up-to-date on your installed hotspot base. It creates dependencies not under your control and therefore will be unreliable, even if it works at a given time. IMHO not a good idea, but YMMV. :)
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#6
Re:External Portal Server + social media?
2017-05-27 19:18:44
OK, but this is just the point.
With the use of ipset & dnsmasq you don't have to edit the IPs all the time.
I have had this system running for a few years now on an old Linksys router with OpenWrt on it.
The hotspot portal is based on https://github.com/mhaas/fbwlan ; check the part "Allowing Access to Facebook".
#7
Re:External Portal Server + social media?
2017-05-27 22:37:04
Hey buddies, I tried leaving the IP fields blank in the free authentication policy and the EAP Controller saved it successfully. Does that mean any site is now allowed?
#8
Re:External Portal Server + social media?
2017-05-28 00:34:43
Yep, every site is allowed. I tested this also, but I don't get redirected to the portal page if all IPs are allowed.
#9
Re:External Portal Server + social media?
2017-05-28 03:21:49

E-raser wrote

OK, but this is just the point.
With the use of ipset & dnsmasq you don't have to edit the IPs all the time.


I see. They are intercepting DNS lookups and setting firewall rules. Yes, if you intercept at that level, white-listing of FB can work. But since EAPs don't offer DNS services themselves (EAPs are Thin APs, not routers!) I see no way to do DNS interception on an EAP. You have to do it in the router, but then you would need to implement the Captive Portal on the router, too. This will make EAPs standard APs then; they are no longer Thin APs if used with a CP running on a router.
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#10
Re:External Portal Server + social media?
2017-05-28 03:28:02

E-raser wrote

Yep, every site is allowed. I tested this also, but I don't get redirected to the portal page if all IPs are allowed.


That's because the firewall rule redirecting HTTP requests to the portal page comes after the free authentication rule in EAP. Any Captive Portal using HTTP redirection needs to have almost all IPs blocked in order to be able to intercept HTTP traffic to any website (except a few you grant free access to).
༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
#11
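Added example, not part of any post above and not code from the EAP firmware or the fbwlan project: a simplified Python model of the two mechanisms discussed in the thread, a walled-garden allowlist filled from DNS answers (the dnsmasq + ipset approach) and the first-match rule order in which the free-authentication rule precedes the HTTP redirect. The portal address, the sample IPs, and all function and class names are assumptions made for illustration.

```python
import ipaddress

# Constructed walled-garden suffixes (a subset of the domains named in the thread).
WALLED_GARDEN = ("facebook.com", "fbcdn.net", "akamaihd.net")
PORTAL_IP = "192.0.2.10"  # hypothetical portal address (documentation range)


def in_walled_garden(qname, suffixes=WALLED_GARDEN):
    """Match on DNS label boundaries so 'evilfacebook.com' does not match."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


class DnsDrivenAllowlist:
    """Models an IP set that is filled from DNS answers and ages out."""

    def __init__(self):
        self._expiry = {}  # ip -> absolute expiry time in seconds

    def observe_answer(self, qname, ip, timeout, now):
        """Call for every A record the resolver hands to a guest."""
        if in_walled_garden(qname):
            addr = str(ipaddress.ip_address(ip))  # rejects malformed input
            self._expiry[addr] = max(self._expiry.get(addr, 0), now + timeout)

    def allows(self, ip, now):
        return self._expiry.get(ip, 0) > now


def pre_auth_verdict(allowlist, dst_ip, dst_port, now, allow_all=False):
    """First match wins: free-authentication rule, then HTTP redirect, then drop.

    allow_all models a free-authentication policy that matches every address.
    """
    if allow_all or dst_ip == PORTAL_IP or allowlist.allows(dst_ip, now):
        return "ACCEPT"
    if dst_port == 80:
        return "REDIRECT"  # plain HTTP is rewritten to the portal page
    return "DROP"
```

With `allow_all=True` no packet ever reaches the redirect rule, which matches the missing portal redirect reported in post #9. The allowlist follows whatever addresses the resolver returns, so it stays current without hand-edited IP rules, but it also admits every host served from a shared CDN suffix such as akamaihd.net.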