Walled Garden for the Social Login
Revision as of 20:53, 8 November 2021
To enable social and traditional logins, you need to configure a list of URLs that users can reach before they are authenticated on the Wi-Fi network.
This list of URLs, called the Walled Garden, can be configured by domain name or by IP address. Configuring by domain name is the most effective option: most current social networks and applications use dynamic IPs and CDNs to deliver their services, which makes it very difficult to track every IP range in use.
Walled Garden by domain names
Check whether your vendor fully supports a Walled Garden based on DNS names. Some vendors accept domain names but resolve them to IP addresses only once, which does not work for current applications that use dynamic IP ranges.
The following list of domains uses the *. wildcard to include the subdomains that must be whitelisted. Depending on your vendor, the *. wildcard may not be necessary, because adding just the domain already includes all its subdomains. Check your vendor's specifications.
CoffeeBean Identity and Access Platform
*.socialidnow.com
*.coffeebeantech.com
Facebook Login
facebook.com
*.facebook.com
*.facebook.net
*.fbcdn.net
*.xx.fbcdn.net
*.fbsbx.com
*.akamaihd.net
*.akamaiedge.net
On some devices, such as iOS, Facebook also loads URLs from Google domains. To prevent issues such as the "Error opening page" alerts shown on the Apple CNA, you also need to add the following Google domains:
*.doubleclick.net
Google Login
*.gstatic.com
*.googleusercontent.com
*.googleapis.com
*.google.com
*.google.com.br (for Brazil deployments)
Twitter Login
*.twimg.com
*.twitter.com
LinkedIn Login
*.licdn.com
*.linkedin.com
When LinkedIn detects unusual login activity, it may perform a security check using Google's reCAPTCHA solution. For these cases, it is recommended to also add the following domains to the walled garden:
*.gstatic.com
*.google.com
*.recaptcha.net
Instagram Login
*.instagram.com
*.facebook.com
*.fbcdn.net
Apple Login
appleid.apple.com
www.apple.com
appleid.cdn-apple.com
*.mzstatic.com
Google Analytics
*.google-analytics.com
*.googletagmanager.com
YouTube
*.youtube.com
*.ytimg.com
*.google.com
*.gstatic.com
*.doubleclick.net
*.googlevideo.com
*.googleadservices.com
Also add the google.com domain for your country, for example: *.google.com.br (Brazil).
Bypass Apple CNA
Sometimes you want to bypass the Apple CNA (Captive Network Assistant) portal. Add the following URLs to disable it:
apple.com
captive.apple.com
appleiphonecell.com
ibook.info
itools.info
thinkdifferent.us
Bypass Android Captive Portal Login
Sometimes you want to bypass the Android Captive Portal Login browser. Add the following domains to disable it:
connectivitycheck.gstatic.com
connectivitycheck.android.com
clients3.google.com
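The wildcard rule described at the start of this section varies by vendor, so it helps to test a list against the hostnames a login flow needs before deploying it. The Python below is an added example, not part of the original page: the entries are the page's Facebook Login list, while the test hostnames and the two vendor rules (`single_label`, `bare_covers_subdomains`) are assumptions made for illustration.

```python
# Added example (not from the original page): evaluate walled-garden entries
# under different vendor wildcard rules. Entries are the page's Facebook Login
# list; the test hostnames are constructed for illustration.
FACEBOOK_ENTRIES = [
    "facebook.com", "*.facebook.com", "*.facebook.net", "*.fbcdn.net",
    "*.xx.fbcdn.net", "*.fbsbx.com", "*.akamaihd.net", "*.akamaiedge.net",
]
TEST_HOSTS = [
    "facebook.com", "www.facebook.com", "connect.facebook.net",
    "scontent.xx.fbcdn.net", "notfacebook.com", "facebook.com.example.org",
]

def _labels(name):
    return name.lower().rstrip(".").split(".")

def _is_subdomain(host, base, single_label=False):
    # Compare whole DNS labels, so "notfacebook.com" never matches "facebook.com".
    extra = len(host) - len(base)
    if extra < 1 or host[-len(base):] != base:
        return False
    return extra == 1 if single_label else True

def entry_matches(entry, host, single_label=False, bare_covers_subdomains=False):
    """single_label: "*" stands for exactly one label (assumed vendor rule).
    bare_covers_subdomains: a bare "d" also admits every subdomain of d."""
    h = _labels(host)
    if entry.startswith("*."):
        return _is_subdomain(h, _labels(entry[2:]), single_label)
    base = _labels(entry)
    return h == base or (bare_covers_subdomains and _is_subdomain(h, base))

def blocked_hosts(entries, hosts, **vendor_rules):
    """Hosts that no entry admits under the given vendor rules."""
    return [h for h in hosts
            if not any(entry_matches(e, h, **vendor_rules) for e in entries)]
```

With a single-label wildcard rule, removing `*.xx.fbcdn.net` leaves `scontent.xx.fbcdn.net` blocked even though `*.fbcdn.net` is present. With the strict rule, removing the bare `facebook.com` entry blocks the apex domain.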
Walled Garden by IP ranges
Important: the following IP ranges can change over time. You need to check regularly whether ranges have been added or removed in order to keep all services working as expected. You can also let us know if a new IP range was added to a service by sending an email to support@socialidnow.com.
This list of IPs was generated from the IP address blocks of the public AS Numbers (ASNs) of the following services. These ranges are very wide, which can lead to security breaches or enable unwanted services. In some cases you can restrict the ranges to the ones used in your country.
CoffeeBean Identity and Access Platform
The CoffeeBean Platform can be used from different regions.
Use the list that matches the region where your Captive Portal is deployed:
Production: South America (sa-east)
3.5.232.0/22 15.177.70.0/23 15.177.88.0/24 15.228.0.0/15 18.228.0.0/14 52.67.0.0/16 52.94.248.48/28 52.95.240.0/24 52.95.255.0/28 54.94.0.0/16 54.207.0.0/16 54.232.0.0/15 64.252.78.0/23 64.252.80.0/23 99.77.149.0/24 177.71.128.0/17
Production: Europe Central (eu-central)
3.5.134.0/23 3.5.136.0/22 3.64.0.0/12 3.120.0.0/13 15.177.68.0/23 15.193.4.0/24 18.153.0.0/16 18.156.0.0/14 18.184.0.0/15 18.192.0.0/13 35.156.0.0/14 52.28.0.0/15 52.46.184.0/22 52.57.0.0/16 52.58.0.0/15 52.94.248.112/28 52.95.248.0/24 52.95.255.128/28 54.93.0.0/16 64.252.86.0/23 64.252.88.0/23 99.77.136.0/24 99.77.158.0/24 99.77.247.0/24 99.150.16.0/21
Staging: United States (us-east)
178.128.135.142 206.189.236.3 18.228.104.17
Facebook/Instagram Login
31.13.24.0/21 31.13.64.0/18 45.64.40.0/22 66.220.144.0/20 69.63.176.0/20 69.171.224.0/19 74.119.76.0/22 102.132.96.0/20 103.4.96.0/22 129.134.0.0/16 147.75.208.0/20 157.240.0.0/16 173.252.64.0/18 179.60.192.0/22 185.60.216.0/22 185.89.216.0/22 199.201.64.0/22 204.15.20.0/22
Twitter Login
64.63.0.0/18 69.12.56.0/21 69.195.160.0/19 103.55.162.0/24 103.252.112.0/22 104.244.40.0/21 185.45.4.0/22 192.44.68.0/23 192.48.236.0/23 192.133.76.0/22 199.16.156.0/22 199.59.148.0/22 199.69.58.0/23 199.96.56.0/21 202.160.128.0/22 209.237.192.0/19
LinkedIn Login
8.22.161.0/24 64.152.25.0/24 70.42.142.0/24 103.20.92.0/22 108.174.0.0/20 144.2.0.0/22 144.2.4.0/23 144.2.7.0/24 144.2.8.0/21 144.2.16.0/24 144.2.192.0/22 185.63.144.0/23 185.63.147.0/24 199.101.161.0/24 204.2.228.0/24 208.50.161.0/24 208.203.151.0/24
Google Login
8.8.4.0/24 8.8.8.0/24 8.15.202.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19 34.64.0.0/10 35.184.0.0/13 35.192.0.0/11 35.224.0.0/12 35.240.0.0/13 45.121.228.0/22 64.15.112.0/20 64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 70.32.128.0/19 72.14.192.0/18 74.114.24.0/21 74.125.0.0/16 89.207.231.0/24 103.62.64.0/22 104.132.0.0/16 104.133.0.0/17 104.134.92.0/24 104.134.128.0/17 104.154.0.0/15 104.196.0.0/14 107.167.160.0/19 107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 113.197.106.0/24 130.211.0.0/16 136.22.64.0/23 136.22.86.0/23 136.112.0.0/12 142.250.0.0/15 146.148.0.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16 172.253.0.0/16 173.194.0.0/16 173.255.112.0/20 185.25.28.0/23 192.158.28.0/22 192.178.0.0/15 193.186.4.0/24 199.36.154.0/23 199.36.156.0/23 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22 208.68.108.0/22 208.76.68.0/22 208.81.188.0/22 208.87.172.0/22 208.117.224.0/19 209.85.128.0/17 216.58.192.0/19 216.73.80.0/20 216.239.32.0/19
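The warning at the start of this section, that these ranges are very wide, can be quantified before a list is loaded into a controller. The Python below is an added example, not part of the original page; it uses a subset of the Google Login ranges listed here, and the function names and the 90% share threshold are assumptions.

```python
import ipaddress

# Subset of the Google Login ranges from this page, copied verbatim.
GOOGLE_LOGIN_SAMPLE = [
    "8.8.4.0/24", "8.8.8.0/24", "34.64.0.0/10", "35.184.0.0/13",
    "35.192.0.0/11", "35.224.0.0/12", "35.240.0.0/13", "64.233.160.0/19",
    "74.125.0.0/16", "142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19",
]

def parse_ranges(cidrs):
    """Parse entries strictly; a CIDR with host bits set is usually a typo."""
    nets, bad = [], []
    for c in cidrs:
        try:
            nets.append(ipaddress.ip_network(c, strict=True))
        except ValueError:
            bad.append(c)
    return nets, bad

def exposure(cidrs):
    """Address count reachable before authentication, overlaps merged."""
    nets, _ = parse_ranges(cidrs)
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def widest_contributors(cidrs, share=0.9):
    """Largest entries that together make up `share` of the listed space.
    Sizes are summed per entry, so run shadowed() first to rule out overlaps."""
    nets, _ = parse_ranges(cidrs)
    total = sum(n.num_addresses for n in nets)
    picked, running = [], 0
    for n in sorted(nets, key=lambda n: n.num_addresses, reverse=True):
        if running >= share * total:
            break
        picked.append(str(n))
        running += n.num_addresses
    return picked

def shadowed(cidrs):
    """Entries fully inside another entry: redundant lines that hide real scope."""
    nets, _ = parse_ranges(cidrs)
    return [str(a) for a in nets if any(a != b and a.subnet_of(b) for b in nets)]
```

For this subset, four entries account for more than 90% of roughly 8.7 million allowed addresses, which makes them the first candidates for the per-country restriction mentioned above.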