Introduction : There could be occasions when we need to permit Google Play store access for guest users. A common example is a hotel environment where unauthenticated users are allowed to access the hotel website and are directed to the Google Play store to download their apps.
Environment : This article applies to all controller models and AOS versions 6.1.3.x and higher.
Configuration Steps :
The Google Play app store (play.google.com) is a cloud service, and the addresses it uses may change regularly. This makes it challenging to permit access to those ranges. The current solution is to permit the addresses that are known to be used by the Android Marketplace, as shown here:
The configuration consists of creating an alias with the above URLs and a firewall policy that permits traffic to the alias.
Step 1: Create an Alias
(Aruba3200XM) #configure t
(Aruba3200XM) (config) #netdestination Google-Play
(Aruba3200XM) (config-dest) #name android.clients.google.com
(Aruba3200XM) (config-dest) #name *.ggpht.com
(Aruba3200XM) (config-dest) #name play.google.com
Step 2: Create the session-based access list.
(Aruba3200XM) (config) #ip access-list session google-play
(Aruba3200XM) (config-sess-google-play)#user alias Google-Play any permit
Step 3: Assign the session-based access list to the guest captive portal pre-auth user role.
(Aruba3200XM) (config) #user-role guest-logon
(Aruba3200XM) (config-role) #session-acl google-play position 3
Verification :
(Aruba3200XM) #show netdestination
Name: Google-Play
Position  Type  IP addr  Mask-Len/Range
--------  ----  -------  --------------
1         name  0.0.0.1  android.clients.google.com
2         name  0.0.0.2  *.ggpht.com
3         name  0.0.0.3  play.google.com
(Aruba3200) #show rights guest-logon
Derived Role = 'guest-logon'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 6/0
Max Sessions = 65535
Captive Portal profile = default
access-list List
----------------
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         logon-control     session
3         google-play       session
4         captiveportal     session
5         v6-logon-control  session
6         captiveportal6    session
.
.
.
google-play
-----------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    Google-Play  any      permit                           Low                                                            4
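A check on the verification output above, as an added example (not part of the original article and not Aruba tooling): this Python code parses "show rights" text and flags a google-play ACL that is missing from the role or placed after captiveportal, and any permit rule whose destination is not the Google-Play alias. The sample text is constructed from the output on this page, the function names are hypothetical, and it assumes session ACLs are evaluated in position order with the first match winning.

```python
# Constructed sample: "show rights guest-logon" output as shown on this page.
SAMPLE = """\
Derived Role = 'guest-logon'
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 ra-guard session
2 logon-control session
3 google-play session
4 captiveportal session
5 v6-logon-control session
6 captiveportal6 session
google-play
-----------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user Google-Play any permit Low 4
"""

def parse_rights(text):
    """Return ({acl_name: position}, {acl_name: [rule dicts]}) from 'show rights' text."""
    positions, rules, current = {}, {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        tok = line.split()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if len(tok) == 1 and nxt and set(nxt) == {"-"}:
            current = tok[0]                      # per-ACL section header, e.g. "google-play"
            rules[current] = []
        elif len(tok) in (3, 4) and tok[0].isdigit() and tok[2] == "session":
            positions[tok[1]] = int(tok[0])       # row of the role's access-list table
        elif current and len(tok) >= 5 and tok[0].isdigit():
            rules[current].append(dict(zip(("prio", "src", "dst", "svc", "action"), tok)))
    return positions, rules

def audit(text, acl="google-play", alias="Google-Play", portal="captiveportal"):
    """List problems with the pre-auth exception (assumption: first match wins)."""
    positions, rules = parse_rights(text)
    findings = []
    if acl not in positions:
        findings.append(f"{acl} is not applied to the role")
    elif portal in positions and positions[acl] > positions[portal]:
        findings.append(f"{acl} (position {positions[acl]}) is evaluated after {portal}")
    for r in rules.get(acl, []):
        if r["action"] == "permit" and r["dst"] != alias:
            findings.append(f"rule {r['prio']} permits destination {r['dst']}, not alias {alias}")
    return findings
```

Paste the controller's real "show rights" output in place of SAMPLE and call audit(); an empty list means both checks passed.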
Troubleshooting :
- Make sure ip name-server, ip domain-name and ip domain lookup are configured on the controller.
- You must also have a PEFNG license to configure or view a destination.