Controller Based WLANs

How to permit Google play store access for captive portal guest users?

by on ‎07-05-2014 06:01 PM

Introduction : There may be occasions when we need to permit Google Play store access for guest users. A common example is a hotel environment where unauthenticated users are allowed to access the hotel website and are directed to the Google Play store to download the hotel's apps.

 

Environment : This article applies to all controller models and AOS versions 6.1.3.x and higher.

 

Configuration Steps :

 

The Google Play app store (play.google.com) is a cloud service, and the addresses it uses may change regularly, which makes it difficult to permit access by IP range. The current solution is to permit the following names, which are known to be used by the Android Marketplace:

  • *.ggpht.com

  • android.clients.google.com

  • play.google.com
     

The configuration consists of creating an alias (netdestination) containing the above names, and a firewall policy that permits traffic to that alias.

Step 1: Create an Alias

(Aruba3200XM) #configure t
(Aruba3200XM) (config) #netdestination Google-Play
(Aruba3200XM) (config-dest) #name android.clients.google.com
(Aruba3200XM) (config-dest) #name *.ggpht.com
(Aruba3200XM) (config-dest) #name play.google.com  


Step 2: Create the session-based access list.

(Aruba3200XM) (config) #ip access-list session google-play
(Aruba3200XM) (config-sess-google-play)#user alias Google-Play any permit



Step 3: Assign the session-based access list to the guest captive portal pre-auth user role.

(Aruba3200XM) (config) #user-role guest-logon
(Aruba3200XM) (config-role) #session-acl google-play position 3

 

 

Verification :

 

(Aruba3200XM) #show netdestination

Name: Google-Play
Position  Type  IP addr   Mask-Len/Range
--------  ----  -------   --------------
1         name  0.0.0.1   android.clients.google.com
2         name  0.0.0.2   *.ggpht.com
3         name  0.0.0.3   play.google.com


(Aruba3200) #show rights guest-logon

Derived Role = 'guest-logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 6/0
 Max Sessions = 65535

 Captive Portal profile = default

access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         logon-control     session
3         google-play       session
4         captiveportal     session
5         v6-logon-control  session
6         captiveportal6    session

   .
   .
   .

google-play
-----------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    Google-Play  any      permit                           Low                                                           4

 

Troubleshooting :

 

  • Make sure ip name-server, ip domain-name and ip domain lookup are configured on the controller.
  • Also you must have a PEFNG license to configure or view a destination.
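
A troubleshooting aid for the allowlist above, added here as an example (it is not part of the original article and not Aruba tooling): it parses the netdestination block from Step 1 and lists which hostnames from a guest client's DNS lookups are not covered by it. The observed hostnames are constructed sample data, and the wildcard semantics (`*.` matches whole leading labels only) are an assumption rather than documented ArubaOS behaviour.

```python
# Netdestination as configured in Step 1 of the article.
CONFIG = """\
netdestination Google-Play
  name android.clients.google.com
  name *.ggpht.com
  name play.google.com
!
"""

# Constructed sample: hostnames a pre-auth client looked up, e.g. collected
# from a DNS server log or a packet capture on the guest VLAN.
OBSERVED = [
    "play.google.com",
    "android.clients.google.com",
    "lh3.ggpht.com",
    "cache-1.gvt1.com",
    "notggpht.com",
]

def parse_netdestinations(text):
    """Return {alias: [name patterns]} from 'netdestination' config blocks."""
    dests, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("netdestination "):
            current = line.split(None, 1)[1]
            dests[current] = []
        elif line == "!":
            current = None  # '!' closes the block
        elif current is not None and line.startswith("name "):
            dests[current].append(line.split(None, 1)[1].lower())
    return dests

def covered(host, pattern):
    """Assumed semantics: exact match, or '*.' matches whole leading labels."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".ggpht.com": the dot forces a label boundary
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern

def uncovered(hosts, patterns):
    """Hostnames that no entry of the alias would permit."""
    return [h for h in hosts if not any(covered(h, p) for p in patterns)]

if __name__ == "__main__":
    patterns = parse_netdestinations(CONFIG)["Google-Play"]
    for host in uncovered(OBSERVED, patterns):
        print("not permitted by Google-Play alias:", host)
```

Reviewing the uncovered names one by one before adding them keeps the pre-auth role limited to what the Play store actually needs.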

 

Comments
christopher_mcgee

Thanks so much for getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IPs. It was not going well. Now access is working and testing can commence!

 

Thanks,

Chris

joecarter

Doesn't work for me.  Is this a current exhaustive list?

Guru Elite

Here is my current working netdest:

 

netdestination GOOGLE-PLAY
  name *.l.googleusercontent.com
  name android.clients.google.com
  name *.gvt1.com
  name *.ggpht.com
!

joecarter

Thanks - working now.  I think it was the missing *.gvt1.com rule that was preventing the app from actually downloading from the Play Store.

KadeCole

I can also confirm that the following works for me:

 

netdestination GOOGLE-PLAY
  name *.l.googleusercontent.com
  name android.clients.google.com
  name *.gvt1.com
  name *.ggpht.com
  name play.google.com
!

This does not work for me in India... Can anyone help?

 

I can access the Play store, but when I click on download it's stuck there forever and never proceeds.
