
Is it possible to use wireless authentication by Facebook and other socials on AP?

When will it be possible to use this kind of authentication?

Will it be possible to manage it by XG firewall?

Or will it be manageable only by cloud?

To be more clear, here are some software and devices that are able to do it:

  • @FabioTerrone - We're working on requirement finalization for Social Login integration for Sophos Central based Wireless. This will enable us for other social login properties (Google+, Twitter etc. - based on OAuth 2.0).

    The timeline for this is late Q4'18 - Q1'19.

    Once the feature requirements are finalized we would like to touch base with you and see if I can walk you through the use cases and flow. It would be great to get your feedback.

  • Hi Shail,


    Do you have any update about this feature? We are in a big project and this feature is required.


    Best Regards.

    Heleno Fagundes

  • Thank you for the update, Tejas.  I'll play with it this weekend.


    If you can provide any links on setting this up from within Central, it would be appreciated.





  • Hi Joshua,

    We are working on some how-to videos and other material which should be available early next week.


  • Hello,


    Personally, keep it on the backburner.

    Last thing I would be looking at is anything which combines Facebook into my customers' firewalls.

    People want to set Facebook with Sophos Central managed wifi, then fine. But not into the XG.


    Gavin Daniels. DipIT(Networking)


  • I don't know how the market is in Australia.

    Here, if a hotel (in most cases family-run with 40 rooms or less) already has a WiFi system, you cannot simply say to them: "Hey, you need to grab every AP and throw it in the trash bin, so I can sell you a (not cheap) WiFi system with social integration!"

    So, you sell them an AP-independent social WiFi system coupled with an XG, and when a couple of years later you're ready to change the APs, they do already have something else that's working and they know how it works (and, today, that has more functionalities than Sophos).

    It needs to work without Central, and it needs to work without Sophos APs (and without WiFi at all).

  • Hello,

    I can understand your request, and I can understand that in Backpacker style hostels it may be considered a requirement.

    But my customers' XG firewall, which has control of primary and backup internet connections, Office Server and Client network segregation, Corporate and guest Wifi will not be exposed to something as insecure and unreliable as Facebook for any form of authentication.

    People can use it on their client devices, could even be a fully separate and secured set of devices hanging off a separate port on a firewall, but Facebook, LinkedIn, Twitter, Snapchat will never be a part of the backend security model.

    A definable way to open yourself up for endless nights of pain and work.

    Not going to happen!


    Gavin Daniels. DipIT(Networking)


  • Yes, I got your point. Not completely sure you got mine :-)

    I'll try to explain better: I'm not talking about how to authenticate "office users" and manage their connections between "production" network. I'm talking about guests.


    We already have some kind of auto-registration on XG (through SMS):

    Of course, you can print 1000 tickets with guest user/password in a couple of minutes and leave the ticket in the room.

    Both of those systems have some cons...

    So, what's needed is to integrate/replace them with socials: that's easier to use for customers who pay hundreds of eur/night even in a 4 star superior hotel and who don't want to lose time calling receptionists asking where they could find their credentials.

  • I don't think you fully understand the feature, which is offered by several other platforms.  


    This would be for hotspots only, and would work as an alternative to simply having a completely open hotspot network.  It would require persons who join your network to at least divulge who they actually are when they join your hotspot through their social media profile.  This is absolutely not a replacement for Active Directory or similar authentication -- this is simply for promiscuous DMZ-style hotspot networks separate from regular network traffic.  It's literally just utilizing Facebook as a RADIUS provider for a hotspot.

  • Hi,

    I feel you need to look further at what you are wanting to achieve.

    You want the Sophos XG to utilise Facebook or other social media platforms as an authentication method for guest wifi. The reason, so you don't have to deploy multiple sets of hardware in a site, or manage multiple authentication systems. So you can lower the cost of installation and implementation.

    What you want is to be able to take what will be the primary security device for a network and add an authentication system with little to no checks and balances. Something from a provider with more regard for the money they make from data mining and less about actual security.

    While you are talking about only using it for a guest wifi network, once it is a protocol located and enabled inside the primary firewall device, it will be able to be configured for more than just guest wifi. So a misconfiguration allows it to authenticate to a primary network. A buffer overflow or other bug in a system allows for an authenticated access outside the guest configuration.

    I don't see a problem with having the Facebook Authentication run in Sophos Central, and maybe the better request is to configure an isolated Wifi network on XG managed networks where Sophos Central is the authentication provider.

    But there is something for keeping the primary firewall points free of insecure authentication protocols.


    Gavin Daniels. DipIT(Networking)


  • Gavin,

    I’m sure I’m very aware of what I’d like to achieve.  What we’re looking for is functionality offered by most other players for 2+ years, and we really do not care how it is done.  This should have existed for quite some time.

    GavinDaniels said:

    But there is something for keeping the primary firewall points free of insecure authentication protocols.

    Honestly, the pairing of firewall and AP management on the same device is really what makes this much more complicated than it otherwise should be, as wireless configuration and hotspot creation are unfortunately done on the firewall device. I’d be happy if Sophos offered some kind of proxy authentication device, or utilized some kind of hosted authentication Proxy solution like central, etc.  Whatever works.  Let’s do it.

    Otherwise, it would seem a Sophos company recommendation of not purchasing Sophos AP’s for hospitality would be something that should be more strongly advised throughout the channel.   This really should be an offered feature, though; Sophos WiFi is absolutely a considerable investment.

    Eventually, I would expect Sophos to take some kind of quasi-serious stab at the hospitality vertical, and that may require considering the functionality that customers request.  This has been requested and promised for quite some time now, and not just on this particular thread.



  • Just wanted to close the loop on this thread-


    Here is the link with instructions on how to integrate using Sophos Central:

