Security

Reply
Regular Contributor I
Posts: 182
Registered: ‎03-22-2013

Android Google account setup not being permitted

[ Edited ]

Our current list of allowd Google destinations is fairly extensive, but Im sure was put together from various posts, kb articles or TAC advice... but we are again seeing issues, so not sure if something has been changed.

 

Although activated android devices can be onboarded ok, if you try to set up a new one, you arent able to set up a google account, the page simply doesnt display to allow you to do this.  This must vary from device to device, as some seem to work ok, but a recent batch of Samsung Galaxy Tab A's wont.  You go to set up your google account, and just get a blank page... 

 

Are we missing something from this list, although I rather suspect some of what is on it doesnt even need to be on it, but it had been working fine...

 

play.google.com
android.clients.google.com
*.ggpht.com
support.google.com
clients3.google.com
clients4.google.com
dl.google.com
apis.google.com
play.googleapis.com
www3.l.google.com
plus.google.com
*.l.googleusercontent.com
*.gvt1.com

Im sure you even used to be able to install QuickConnect without have a google account set up on the device, but you cant do this either, as this also presents you with the Google Account page, which cant sign in as it has a problem communicating with the Servers.. so we must be missing something off this list.

Moderator
Posts: 470
Registered: ‎11-09-2012

Re: Android Google account setup not being permitted

I'm sharing a list for Play/iTunes from a recent project we just completed..... Now I'm now sure how this can/may/will change outside of NA and the effects of regional CDN's but the below was a list from like two week back.

 

netdestination APPLE-ITUNES
  name *.apple.com
  name *.verisign.com
  network 17.0.0.0 255.0.0.0
  name *.akamaitechnologies.com
  name *.edgekey.net
  name *.akadns.net
  name *.aaplimg.com
  name *.icloud.com
  name *.mzstatic.com
  name *.itunes.com
  name *.akamai.net
  name apple.com
 
  
  netdestination GOOGLE-PLAY                        
  name *.android.clients.google.com
  name *.ggpht.com
  name *.gstatic.com
  name *.accounts.google.com
  name *.clients1.google.com
  name *.clients2.google.com
  name *.clients3.google.com
  name *.clients4.google.com
  name *.i.ytimg.com
  name *.google-analytics.com
  name *.android.l.google.com
  name *.mtalk.google.com
  name *.clients.l.google.com
  name *.googleapis.com
  name *.play.google.com
  name *.1e100.net
  name *.gvt1.com
  name *.l.googleusercontent.com
  name *.ggpht.net
  name android.clients.google.com
  name ggpht.com
  name gstatic.com
  name accounts.google.com                        
  name clients1.google.com                        
  name clients2.google.com                        
  name clients3.google.com                        
  name clients4.google.com                        
  name i.ytimg.com
  name google-analytics.com
  name android.l.google.com
  name mtalk.google.com
  name clients.l.google.com
  name googleapis.com
  name play.google.com
  name 1e100.net
  name gvt1.com
  name l.googleusercontent.com
  name ggpht.net
 
 
HTH

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I
Posts: 182
Registered: ‎03-22-2013

Re: Android Google account setup not being permitted

[ Edited ]

Id hoped that would fix it, its an extensive list thanks!.. but I just get a page saying "Just a sec..." then... "there was a problem communicating with Google Servers".

 

Ive monitored the conneciton on our firewall, and see nothing being blocked.. so I can only assume whatever is trying to happen, isnt getting that far... 

 

What ports are you allowing for the above list?

 

Update...

Ok, so after some further investigation.. If I try to onboard my device that already has a google account setup, I can get to the play store, install quickconnect and onboard.. happy days.. but this was always the case.  What I cant do is go to Accounts and set up a new google account, it just cant talk to the google servers.  On one device it stated it couldnt get to accounts.google.com, so I added that, and I also did a packet capture on one device and saw nearly all the traffic generated when trying to add an account go to the already added 1e100.net domain, but still wont work.

 

Head, bang, brick wall!

Regular Contributor I
Posts: 182
Registered: ‎03-22-2013

Re: Android Google account setup not being permitted

Could someone who has a similar setup test to see if they can add a Google account to their device, whicnt in the captive portal role, pre suthentication?  The two devices I have tried both do the same and fail to display to Google Account login page.  They are running 5.0.2.

 

Adding that list does allow a fair bit of access to "google", inlcuding the ability to accesss the play store, however, this can only be done with a google account that we cant set up during this process.

Regular Contributor I
Posts: 182
Registered: ‎03-22-2013

Re: Android Google account setup not being permitted

Could this be anything to do with HSTS and captive portals??

 

If Im in the captiveportal role, which has the above list applied to both the cp whitelist and the user role.. I can access alot of google due to the above exceptions, but I cant actually sign into to a google account or create a new one. 

 

I had assumed that adding this list to the CP whitelist would essentially bypass the hsts issue, but it seems not for signing in/creating accounts.  I get an error about not being able to connect to accounts.google.com, and when I look at the extra info, it reference HSTS, despit the fact that I have added this domain to the list.

 

Is anyone able to test/confirm that when they are in the captive portal role that they cant add a google account to their device? 

Search Airheads
Showing results for 
Search instead for 
Did you mean: