Welcome to TP-LINK Tech Support Forum
  1. #1

    External Portal Server + social media?


    I am using "External Portal Server" in EAP110. But my clients can also log in to my custom page using social media like Google or Facebook. How can I allow my login page to access other domains and sites without requiring authentication, or let my page access Facebook and Google? Do I need to configure my EAP Controller?

  2. #2
    R1D2 (Members; Join Date: Dec 2015; Posts: 1,009)
    You need to open the EAPs for client access to those auth services, for example with a free authentication policy in EAC. But it's not an ideal solution: if IPs change, you have to change the ACL rules, too. There is no reliable way to set up such an authentication scheme.

  3. #3
    Same problem here. This should be possible with dnsmasq & ipset, but this isn't available on the EAPs.
    Let's hope they implement it in a new release.

  4. #4
    R1D2
    dnsmasq won't help at all and ipset isn't needed to set rules for allowing access to certain IP addresses. But there are other problems such as distinguishing between authentication and normal traffic, both being HTTPS. AFAIK, FB provides a proprietary solution with Meraki and Cisco to sell FB-enabled WiFi hotspots.

    But who uses FB anyway these days? The youngsters left it a long time ago, when their Moms and Dads started to send them friend requests.

  5. #5
    Hi R1D2,

    With an external portal this should be possible if you could use dnsmasq in the free auth policy.
    When you allow traffic to your portal & facebook.com, fbcdn.net, akamaihd.net, a guest can authenticate through Facebook. The only problem now is that the free auth policy only allows a limited number of (IP) rules.
    Normal (pre-authenticated) traffic to these domains will pass, but the guest will still be redirected to your portal for all other traffic.

    Grtz,
    E-raser

  6. #6
    R1D2
    Yes, I know. You have to white-list facebook.com, facebook.net, fbcdn.net, licdn.net, licdn.com, akamaihd.net, akamai.net, akamaiedge.net and cloudfront.com. If you do this by IP rules, then good luck for keeping the list of regional data centers of the CDNs up-to-date on your installed hotspot base. It creates dependencies not under your control and therefore will be unreliable, even if it works at a given time. IMHO not a good idea, but YMMV.

  7. #7
    Ok, but this is just the point.
    With the use of ipset & dnsmasq you don't have to edit the IPs all the time.
    I have had this system running for a few years now on an old Linksys router with OpenWrt on it.
    The hotspot portal is based on https://github.com/mhaas/fbwlan ; check the part "Allowing Access to Facebook".

  8. #8
    Hey buddies, I tried leaving the IP fields blank in the free authentication policy and the EAP Controller saved successfully. Does that mean any site is now allowed?

  9. #9
    Yep, every site is allowed. I tested this also, but I don't get redirected to the portal page if all IPs are allowed.

  10. #10
    R1D2
    Quote (originally posted by E-raser):
        Ok, but this is just the point.
        With the use of ipset & dnsmasq you don't have to edit the IPs all the time.

    I see. They are intercepting DNS lookups and setting firewall rules. Yes, if you intercept at that level, white-listing of FB can work. But since EAPs don't offer DNS services themselves (EAPs are Thin APs, not routers!) I see no way to do DNS interception on an EAP. You have to do it in the router, but then you would need to implement the Captive Portal on the router, too. This will make EAPs standard APs then; they are no longer Thin APs if used with a CP running on a router.

  11. #11
    R1D2
    Quote (originally posted by E-raser):
        Yep, every site is allowed. I tested this also, but I don't get redirected to the portal page if all IPs are allowed.

    That's because the firewall rule redirecting HTTP requests to the portal page comes after the free authentication rule in EAP. Any Captive Portal using HTTP redirection needs to have almost all IPs blocked in order to be able to intercept HTTP traffic to any website (except a few you grant free access to).
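
Added example (not part of any post in this thread, and not TP-LINK or fbwlan code): a small Python model of the pre-authentication filter discussed in posts #10 and #11, comparing a static IP rule, a DNS-populated address set of the kind dnsmasq and ipset maintain on a router, and the blank free-authentication list. The class name, rule order and all addresses are assumptions constructed for illustration.

```python
import ipaddress

class PreAuthFilter:
    """First-match filter for guests who have not authenticated yet (a model)."""
    def __init__(self, portal_ip, free_domains=(), free_nets=None):
        self.portal_ip = ipaddress.ip_address(portal_ip)
        self.free_domains = tuple(d.lower() for d in free_domains)
        # free_nets=None: no static rules. free_nets=[] models the blank list
        # from posts #8/#9, which was observed to allow every destination.
        self.free_nets = (None if free_nets is None
                          else [ipaddress.ip_network(n) for n in free_nets])
        self.dns_set = set()  # stands in for the ipset that dnsmasq fills

    def on_dns_answer(self, name, addrs):
        """Resolver hook: record IPs answered for allow-listed domains."""
        name = name.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in self.free_domains):
            self.dns_set.update(ipaddress.ip_address(a) for a in addrs)

    def decide(self, dst_ip, dst_port):
        ip = ipaddress.ip_address(dst_ip)
        # Rule 1: free authentication policy, evaluated before the redirect.
        if self.free_nets is not None and (
                not self.free_nets or any(ip in n for n in self.free_nets)):
            return "ACCEPT"
        if ip == self.portal_ip or ip in self.dns_set:
            return "ACCEPT"
        # Rule 2: plain HTTP to anything else is redirected to the portal.
        if dst_port == 80:
            return "REDIRECT"
        return "DROP"  # Rule 3: everything else waits for authentication

def demo():
    # Constructed addresses from documentation ranges, not real CDN IPs.
    portal = "192.0.2.10"
    static = PreAuthFilter(portal, free_nets=["198.51.100.0/24"])
    dynamic = PreAuthFilter(portal, free_domains=["facebook.com", "fbcdn.net"])
    blank = PreAuthFilter(portal, free_nets=[])
    dynamic.on_dns_answer("static.fbcdn.net.", ["203.0.113.7"])
    dynamic.on_dns_answer("example.org", ["203.0.113.99"])
    return {
        "static_new_cdn_ip": static.decide("203.0.113.7", 443),
        "dynamic_new_cdn_ip": dynamic.decide("203.0.113.7", 443),
        "dynamic_other_http": dynamic.decide("203.0.113.99", 80),
        "blank_other_http": blank.decide("203.0.113.99", 80),
    }

if __name__ == "__main__":
    print(demo())
```

Because the set is keyed by IP address, allow-listing a shared CDN domain such as akamaihd.net also opens every other site served from the same addresses to unauthenticated guests, so the domain list should stay as short as the login flow permits.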

  12. #12
    Maybe we can allow only the portal server IP and develop an algorithm that brings the Facebook auth page to our portal, because it will be the server that requests Facebook and gets an "iframe", for example, for our login page. Just an idea.

  13. #13
    R1D2
    Quote (originally posted by gjunior022):
        Maybe we can allow only the portal server IP and develop an algorithm that brings the Facebook auth page to our portal, because it will be the server that requests Facebook and gets an "iframe", for example, for our login page. Just an idea.

    As soon as there is any interaction with the guest's browser, it needs access to FB, not only to the portal. You could use a customized portal based on OpenWRT, fbwlan as suggested by E-raser, and one of the available Captive Portals instead of the EAC portal. That would be the easiest way.

Copyright 1996-2017 TP-LINK Technologies Co., Ltd. All rights reserved.