02-25-2015 05:13 PM
I've been trying to get onboarding working for Android. I have been searching through this forum and have aggregated about 20 netdestinations for names and IP ranges, but I can get to the Play Store but cannot download QuickConnect.
(If I put an allowall policy in the role to test, I can download fine.)
Is there / does anyone have an updated list of names and IP ranges that need to be permitted to get the Google Play Store to work? iOS works like a dream but Android is a PITA!
Given Google is pushing into the business market, why do they keep changing IP ranges and names and screw over BYOD solutions :\
Thanks for any help.
02-25-2015 05:16 PM - edited 02-25-2015 05:17 PM
Here's what I use and it works without issue:
netdestination GOOGLE-PLAY
  name *.l.googleusercontent.com
  name android.clients.google.com
!
aaa authentication captive-portal "EMPLOYEE-BYOD-ENROLL"
  redirect-pause 0
  no logout-popup-window
  login-page "https://URL/onboard/landing.php/ip-employee-byod_provisioning.php"
  no enable-welcome-page
  white-list "CLEARPASS-PROD"
  white-list "ENTRUST-OCSP"
  white-list "GOOGLE-PLAY"
!
02-25-2015 05:54 PM
Thanks for your reply. Unfortunately my netdestination already included those two names.
I did even create a new netdestination and add only those two, exactly the same as yours, and put it in the whitelist (removed the old) with no success.
I even tried an older Android device, as mine is running the latest version, to make sure it was a version thing, with no success.
Possibly in Australia we get redirected to different URLs :( as it sure doesn't work.
In fact I did put an allow all and monitored it through our firewall, and I could see it actually downloads the QuickConnect client, all 1.6meg, from googlevideo.com :\ which I also have in my 20-odd netdestinations with no success.
Very frustrating. :\ But thanks for your reply.
02-25-2015 06:01 PM
Can you do a packet-capture with the allow all and go through the process? You can then filter by DNS.
02-25-2015 06:07 PM
Yea that makes sense.
Is there an easy way to do it on the controller? When I tried to packet capture my client the other day it just sends a heap of WLAN frames to my Wireshark client :\ Was really unuseful.
I thought there must be a way to capture the IP frames in a pcap format, but the capture only sends WLAN packets to an IP running Wireshark. :\
Otherwise I'll have to set up a SPAN port and do it the old-fashioned way on the LAN side.
02-25-2015 06:16 PM
To capture to another network client:
packet-capture destination ip-address <capture-client-IP>
packet-capture datapath wifi-client <client-mac-address> decrypted
In Wireshark, go to Preferences > Protocols > Aruba_ERM and set the port to 5555
Filter the packets with:
ip.src == <controller-ip> && dns
To capture to flash memory on controller:
packet-capture destination local-filesystem
packet-capture datapath wifi-client <client-mac-address> decrypted
To stop packet capture and tar pcap file:
no packet-capture datapath wifi-client <client-mac-address> decrypted
packet-capture copy-to-flash datapath-pcap
You can then copy the tarball off of the controller via SCP or TFTP and take a look at the capture
02-25-2015 06:49 PM
Thank you very much.
The DNS did a lookup of a CNAME r1.sn-552u-ntqe.gvt1.com which resolved to 220.127.116.11
I added *.gvt1.com to the other two names you supplied and I can now download from the Play Store :)
Our Palo Alto FW shows the 1.6meg download comes from that IP 18.104.22.168.
I will remember this for next time it breaks :P and I have to go through the process again.
Thanks for your support.
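An added example, not part of the original thread: the DNS step above in Python, which pulls the queried name and any CNAME targets out of a raw DNS response and lists the ones no whitelist name covers. It assumes the DNS payloads have already been extracted from the capture and that `*` in a netdestination name behaves like a glob; the sample response, the placeholder name `dl.example.test` and the address 192.0.2.10 are constructed.

```python
import struct
from fnmatch import fnmatch

def read_name(msg, off):
    """Decode the DNS name at off, following compression pointers.
    Returns (name, offset just past the name at its original position)."""
    labels, resume, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # 2-byte compression pointer
            if resume is None:
                resume = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                     # malformed packet: pointer loop
                raise ValueError("DNS compression loop")
            continue
        off += 1
        if n == 0:                            # root label ends the name
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), (off if resume is None else resume)

def names_in_response(msg):
    """Return the queried name plus every CNAME target in one DNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, names = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        names.append(name)
        off += 4                              # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                        # CNAME: RDATA is another name
            names.append(read_name(msg, off)[0])
        off += rdlen
    return names

def uncovered(names, whitelist):
    """Names matched by no whitelist entry (assumption: '*' acts like a glob)."""
    return sorted({n for n in names if not any(fnmatch(n, p) for p in whitelist)})

# Constructed sample: dl.example.test -> CNAME r1.sn-552u-ntqe.gvt1.com -> A 192.0.2.10
SAMPLE = (bytes.fromhex("123481800001000200000000")
          + b"\x02dl\x07example\x04test\x00" + bytes.fromhex("00010001")
          + bytes.fromhex("c00c000500010000003c001a")
          + b"\x02r1\x0csn-552u-ntqe\x04gvt1\x03com\x00"
          + bytes.fromhex("c02d000100010000003c0004c000020a"))

if __name__ == "__main__":
    print(uncovered(names_in_response(SAMPLE),
                    ["*.l.googleusercontent.com", "android.clients.google.com"]))
```

Running it against every DNS response seen while the allow-all role is in place gives the candidate names to review before adding them to the netdestination.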
02-25-2015 06:51 PM