Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

2024-06-12 Thread Diego Garcia del Rio via PacketFence-users
Hi Giovanni

indeed.. if you're using it for guest access then what you describe is
really the only viable option or just bypass the authentication at
all. Are you using the google sign in just to collect the email
addresses for guests? you could alternatively use the email login
where the user enters (manually) an email address.

On android devices the google login is sometimes an issue as the main
account gets selected automatically and might not be the one that the
user wants to use.

On my sites I stopped using google as an authentication source (via
oAuth) due to these issues and the hassle created for end users.



Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

2024-06-12 Thread Giovanni Trapasso via PacketFence-users
Hi Diego,

In the past we only had a button to allow people on our Guest network.  I
did not like it but people wanted things to be easy for guests to get
access to our campus.  Another issue is we have students using the Guest
network instead of Eduroam, no clue why because we throttle the Guest
network quite a bit.

Anyways we wanted to get a Captive Portal running so that we can force
people to put some kind of credentials, we really don't care who they are
and we will never reach out to them unless they did something wrong on our
network.  But the added benefit is we can now reject our students'
university gmail account and hopefully get them to use Eduroam.

Just additional weirdness regarding iPhone and Google.  iPads don't have
this issue.  You connect, you press Google, you are redirected to
accounts.google.com and no issues with Google blocking.

Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

2024-06-12 Thread Giovanni Trapasso via PacketFence-users
Hi Diego,

Thanks for your reply.

We are using this for our Guest SSID, we don't want our internal Google
users to use it.  Have not experienced any issues with Android clients.

For anyone else who might be experiencing this blocking issue from Google
we wrote up a workaround for people using iPhone and Google.

1. Connect to Guest Wi-Fi Network: Go to your device's Wi-Fi settings
and connect to the Guest network.
2. Choose Google as Authenticator Provider: When prompted for
authentication, select "Google" as your authenticator provider.
3. Agree to Terms: Accept the terms and conditions presented on the
screen.
4. Bypass Access Block Page: If you encounter an access block page,
simply tap "Cancel" to proceed.
5. Opt for Offline Use: Select the option to use the internet "Without
Internet" or "Offline Mode" if prompted.
6. Open Safari and Enter URL: Launch Safari web browser and type in the
URL "captive.apple.com" in the address bar.
7. Sign in with Google Account: Follow the on-screen prompts to
authenticate using your Google account credentials.



-- 
___
Giovanni Trapasso
Digital Networks and Data Center Services
Information Services & Technology (IST)
269 General Services Building
University of Alberta
Edmonton, Alberta, Canada
T6G 2E5

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

2024-06-12 Thread Diego Garcia del Rio via PacketFence-users
the only way to get proper google authentication is using the ldap
integration and your own google workspace domain (assuming you want to
authenticate users from the ualberta.ca domain). It won't work for
generic gmail.com users though

to do this, you need to enable Secure LDAP in the google workspace admin.

Android users are also similarly affected, though in some cases, the
OS launches the full browser instead of the captive portal limited
browser.


On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
PacketFence-users  wrote:
>
> Hi Everyone,
>
> I just deployed a PacketFence captive portal for my guest wireless with 
> Google as one of my Authentication Sources.  I have started receiving 
> complaints when apple iphone users are trying to use the google option to 
> authenticate on my captive portal.  They press the Google button, they get 
> the acceptable use page but right after they press the accept button they get 
> an error from accounts.google.com.  The error is similar to this:
>
> "
> Access Blocked: Google appsheet's request does not comply with 
> Google's Policies
>
>  request does not comply with Google's 'Use secure browsers' 
> policy. if this app has a website, you can open a web browser and try signing 
> in from there. if you are attempting to access a wireless network, Please 
> follow these instructions.
>
> You can also contact the developer to let them know that their app must 
> comply with Google's 'Use secure browser' policy.
>
> Learn more about the error
>
> If you are developer of . See error details.
>
> Error: 403: disallowed_useragent
> "
>
> Of course this is due to a security policy Google is enforcing.  My captive 
> portal is working fine with all types of other devices, even the Apple iPad, 
> but Apple iPhones are seeing this issue.
>
> I am curious how many others are experiencing this issue and what they are 
> doing about this?  I have 2 other authentication sources for my guest users 
> to choose from so it might not be a big deal