How to permit Google play store access for captive portal guest users?

Aruba Employee
Aruba Employee

Introduction : There could be occasions when we need to permit Google play store access for guest users, A common example could be a hotel environment where unauthenticated users are allowed to access the hotel website and directed to Google play store to download their Apps.


Environment : This article applies to all controller models and AOS versions 6.1.3.x and higher.


Configuration Steps :


The Google Play app store ( is a cloud service, and the addresses it uses may change regularly. This presents a challenge to permit access to those ranges. The current solution is to permit these addresses that are known to be used by the Android Marketplace, as shown here:




The configuration is about creating an alias with the above URL’s and a firewall policy where you can permit traffic to the alias.

Step 1: Create an Alias

(Aruba3200XM) #configure t
(Aruba3200XM) (config) #netdestination Google-Play
(Aruba3200XM) (config-dest) #name
(Aruba3200XM) (config-dest) #name *
(Aruba3200XM) (config-dest) #name  

 Step 2: Create the session-based access list.

(Aruba3200XM) (config) #ip access-list session google-play
(Aruba3200XM) (config-sess-google-play)#user alias Google-Play any permit

Step 3: Assign the session-based access list to the guest captive portal pre-auth user role.

(Aruba3200XM) (config) #user-role guest-logon
(Aruba3200XM) (config-role) #session-acl google-play position 3



Verification :


(Aruba3200XM) #show netdestination

Name: Google-Play
Position  Type  IP addr   Mask-Len/Range
--------  ----  -------   --------------
1         name
2         name   *
3         name

(Aruba3200) #show rights guest-logon

Derived Role = 'guest-logon'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 6/0
 Max Sessions = 65535

 Captive Portal profile = default

access-list List
Position  Name              Type     Location
--------  ----              ----     --------
1         ra-guard          session
2         logon-control     session
3         google-play       session
4         captiveportal     session
5         v6-logon-control  session
6         captiveportal6    session


Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    Google-Play  any      permit                           Low                                                           4


Troubleshooting :


  • Make sure ip name-server, ip domain-name and ip domain lookup are configured on the controller.
  • Also you must have a PEFNG license to configure or view a destination.


Version history
Revision #:
1 of 1
Last update:
‎07-05-2014 06:01 PM
Updated by:
Labels (1)

Thanks so much getting these names listed out. I have been working on this very issue for a few weeks and was basing my firewall rules on IP's. It was not going well. Now access is working and testing can commence! 




Doesn't work for me.  Is this a current exhaustive list?

Here is my current working nestdest:


netdestination GOOGLE-PLAY
  name *
  name *
  name *

Thanks - working now.  I think it was the missing * rule that was preventing the app from actually downloading from the Play Store.

I can also confirm that the following works for me:


netdestination GOOGLE-PLAY
  name *
  name *
  name *

This does not work for me in India...Anyone can help?


I can access play store but when i click on download it's stuck there forever and never proceeds.

Search Airheads
Showing results for 
Search instead for 
Did you mean: