MVP

Android Onboard in IAP Environment

Hi,

 

We are in the process of switching over to an IAP environment (going to miss my controllers!) and ran into some questions about the Android Onboard process.

 

  • Is it possible to bypass the Android Captive Portal Assistant? I found this post in which @cappalli suggested allowing two URLs on the Captive Portal whitelist. Does the IAP have a Captive Portal whitelist equivalent? I tried allowing HTTP to the two URLs but the assistant still pops up.
  • This sort of ties into the first question, what would be the correct way to allow access to the Play Store so the users can download the QuickConnect app? Another post by @cappalli has the URLs that need to be whitelisted, but I am not sure if I could just create allow rules for each URL in the pre-auth role, or if there is an alternative whitelist method on the IAP like in a controller environment.

Thank you,

 

Cheers

Guru Elite

Re: Android Onboard in IAP Environment

https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: Android Onboard in IAP Environment


@cappalli wrote:
https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md

Thank you sir.

 

I have a quick question regarding the IAP configuration. I can't seem to find any reference to "rule alias".

Would I just edit my pre-auth role and put:

rule android.clients.google.com match tcp 443 443 permit
rule googleapis.com match tcp 443 443 permit
rule gvt1.com match tcp 443 443 permit
rule ggpht.com match tcp 443 443 permit
rule googleusercontent.com match tcp 443 443 permit
rule gstatic.com match tcp 443 443 permit
rule clients.l.google.com match tcp 443 443 permit
rule accounts.google.com match tcp 443 443 permit
rule accounts.youtube.com match tcp 443 443 permit
rule connectivitycheck.android.com match tcp 80 80 permit
rule connectivitycheck.android.com match tcp 443 443 permit
rule connectivitycheck.gstatic.com match tcp 80 80 permit
rule connectivitycheck.gstatic.com match tcp 443 443 permit
rule www.google.com match tcp 443 443 permit
rule www.google.com match tcp 80 80 permit
MVP

Re: Android Onboard in IAP Environment

Never mind.

I just realized when you enter this via the GUI and define a domain name, it translates to "rule alias" in the actual config.

Guru Elite

Re: Android Onboard in IAP Environment

Yes, exactly.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP

Re: Android Onboard in IAP Environment


@cappalli wrote:
Yes, exactly.

Thank you Tim!

Worked like a charm.
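
An added example, not part of the original thread and not Aruba's code: a Python check that compares the permit rules of a pre-auth role against the domain/port list posted above and reports entries that are missing, unexpected, written without the alias keyword, or that open a port range. The line shape `rule alias <domain> match tcp <start> <end> permit` is an assumption based on the thread, and the sample config is constructed.

```python
import re
# Domain and TCP port pairs from the rules posted in the thread.
ALLOWLIST = """
android.clients.google.com 443
googleapis.com 443
gvt1.com 443
ggpht.com 443
googleusercontent.com 443
gstatic.com 443
clients.l.google.com 443
accounts.google.com 443
accounts.youtube.com 443
connectivitycheck.android.com 80 443
connectivitycheck.gstatic.com 80 443
www.google.com 80 443
"""
# Assumed line shape: rule alias <domain> match tcp <start> <end> permit
RULE = re.compile(r"^rule\s+(alias\s+)?(\S+)\s+match\s+tcp\s+(\d+)\s+(\d+)\s+permit$")

def required_pairs(text=ALLOWLIST):
    pairs = set()
    for fields in map(str.split, text.splitlines()):
        pairs.update((fields[0], int(p)) for p in fields[1:])
    return pairs

def audit(config_text):
    """Compare a pre-auth role's TCP permit rules with the allowlist."""
    required, found, no_alias, ranges = required_pairs(), set(), [], []
    for line in map(str.strip, config_text.splitlines()):
        m = RULE.match(line)
        if not m:
            continue  # not a TCP permit rule of the assumed shape
        if not m.group(1):
            no_alias.append(line)  # domain rule without the alias keyword
            continue
        start, end = int(m.group(3)), int(m.group(4))
        if start != end:
            ranges.append(line)  # wider than a single port
        found.update((m.group(2), p) for p in range(start, end + 1))
    return {"missing": sorted(required - found), "unexpected": sorted(found - required),
            "no_alias": no_alias, "port_ranges": ranges}
# Constructed sample config, not taken from a real IAP.
SAMPLE = """
rule alias android.clients.google.com match tcp 443 443 permit
rule googleapis.com match tcp 443 443 permit
rule alias connectivitycheck.gstatic.com match tcp 80 80 permit
rule alias example.invalid match tcp 8080 8081 permit
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```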
