MVP

Android Onboard in IAP Environment

Hi,

We are in the process of switching over to an IAP environment (going to miss my controllers!) and ran into some questions about the Android Onboard process.

  • Is it possible to bypass the Android Captive Portal Assistant? I found this post in which @cappalli suggested allowing two URLs on the Captive Portal whitelist. Does the IAP have a Captive Portal whitelist equivalent? I tried allowing HTTP to the two URLs, but the assistant still pops up.
  • This sort of ties into the first question: what would be the correct way to allow access to the Play Store so the users can download the QuickConnect app? Another post by @cappalli has the URLs that need to be whitelisted, but I am not sure if I could just create allow rules for each URL in the pre-auth role, or if there is an alternative whitelist method on the IAP like in a controller environment.

Thank you,

Cheers

Guru Elite

Re: Android Onboard in IAP Environment

https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP

Re: Android Onboard in IAP Environment


@cappalli wrote:
https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md

Thank you sir.

I have a quick question regarding the IAP configuration. I can't seem to find any reference to "rule alias".

Would I just edit my pre-auth role and put:

rule android.clients.google.com match tcp 443 443 permit
rule googleapis.com match tcp 443 443 permit
rule gvt1.com match tcp 443 443 permit
rule ggpht.com match tcp 443 443 permit
rule googleusercontent.com match tcp 443 443 permit
rule gstatic.com match tcp 443 443 permit
rule clients.l.google.com match tcp 443 443 permit
rule accounts.google.com match tcp 443 443 permit
rule accounts.youtube.com match tcp 443 443 permit
rule connectivitycheck.android.com match tcp 80 80 permit
rule connectivitycheck.android.com match tcp 443 443 permit
rule connectivitycheck.gstatic.com match tcp 80 80 permit
rule connectivitycheck.gstatic.com match tcp 443 443 permit
rule www.google.com match tcp 443 443 permit
rule www.google.com match tcp 80 80 permit
MVP

Re: Android Onboard in IAP Environment

Nevermind.

I just realized that when you enter this via the GUI and define a domain name, it translates to "rule alias" in the actual configuration.

Guru Elite

Re: Android Onboard in IAP Environment

Yes, exactly.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP

Re: Android Onboard in IAP Environment


@cappalli wrote:
Yes, exactly.

Thank you Tim!

Worked like a charm.
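One way to check that a pre-auth role actually carries every permit the whitelist calls for, written here as an added example (not code from this thread, from Aruba, or from the linked whitelist page): a small Python checker that parses lines of the form `rule alias <host> match tcp <start-port> <end-port> permit`, the form the thread reports the GUI generates, and lists the required host/port pairs that no permit covers. The `REQUIRED` list is built from the rules posted above; the sample configuration, the surrounding `wlan access-rule` line and the exact rule syntax are assumptions, so compare the regex against your own `show running-config` output before relying on it. A missing port 80 entry for a connectivity-check host is the typical reason the Captive Portal Assistant keeps appearing, so the sample deliberately leaves one out.

```python
"""Report required (host, port) permits missing from an Aruba IAP access rule.

Added example, not from the thread or from Aruba. Assumed rule syntax:
    rule alias <hostname> match tcp <start-port> <end-port> permit
Every line below that is not a rule is constructed for illustration.
"""
import re

# Assumption: alias rules appear one per line in this shape; "log" or
# other trailing options after the action are tolerated and ignored.
RULE_RE = re.compile(
    r"^\s*rule\s+alias\s+(?P<host>\S+)\s+match\s+tcp\s+"
    r"(?P<start>\d+)\s+(?P<end>\d+)\s+(?P<action>permit|deny)(?:\s.*)?$"
)

# Host/port pairs taken from the rules posted earlier in the thread.
REQUIRED = [
    ("android.clients.google.com", 443),
    ("googleapis.com", 443),
    ("gvt1.com", 443),
    ("ggpht.com", 443),
    ("googleusercontent.com", 443),
    ("gstatic.com", 443),
    ("clients.l.google.com", 443),
    ("accounts.google.com", 443),
    ("accounts.youtube.com", 443),
    ("connectivitycheck.android.com", 80),
    ("connectivitycheck.android.com", 443),
    ("connectivitycheck.gstatic.com", 80),
    ("connectivitycheck.gstatic.com", 443),
    ("www.google.com", 80),
    ("www.google.com", 443),
]

# Constructed sample: every required permit except connectivitycheck.gstatic.com:80.
SAMPLE_CONFIG = """\
wlan access-rule Onboard-PreAuth
 rule alias android.clients.google.com match tcp 443 443 permit
 rule alias googleapis.com match tcp 443 443 permit
 rule alias gvt1.com match tcp 443 443 permit
 rule alias ggpht.com match tcp 443 443 permit
 rule alias googleusercontent.com match tcp 443 443 permit
 rule alias gstatic.com match tcp 443 443 permit
 rule alias clients.l.google.com match tcp 443 443 permit
 rule alias accounts.google.com match tcp 443 443 permit
 rule alias accounts.youtube.com match tcp 443 443 permit
 rule alias connectivitycheck.android.com match tcp 80 80 permit
 rule alias connectivitycheck.android.com match tcp 443 443 permit
 rule alias connectivitycheck.gstatic.com match tcp 443 443 permit
 rule alias www.google.com match tcp 80 443 permit
 rule any any match any any any deny
"""


def parse_permits(config_text):
    """Map each aliased host to the list of (start, end) TCP port ranges it is permitted on.

    Deny rules and lines that do not match the alias syntax are skipped, so a
    catch-all "rule any any ... permit" is intentionally not counted as coverage.
    """
    permits = {}
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "permit":
            rng = (int(m.group("start")), int(m.group("end")))
            permits.setdefault(m.group("host"), []).append(rng)
    return permits


def is_permitted(permits, host, port):
    """True if some permit range for host includes port."""
    return any(start <= port <= end for start, end in permits.get(host, []))


def missing_rules(config_text, required):
    """Return the sorted (host, port) pairs from required with no covering permit."""
    permits = parse_permits(config_text)
    return sorted(pair for pair in required if not is_permitted(permits, *pair))


if __name__ == "__main__":
    for host, port in missing_rules(SAMPLE_CONFIG, REQUIRED):
        print(f"missing permit: {host} tcp/{port}")
```

Run it against a copy of the role text and an empty result means every host/port pair in the list has a permit; the checker does not resolve names or test reachability, it only audits the rule text.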

Occasional Contributor I

Re: Android Onboard in IAP Environment

I'm using IAP version 8.5 with ClearPass onboarding, using the guest SSID for provisioning. The users that need onboarding get the External CP role and cannot download QuickConnect from the Play Store. Where should I apply these rules, under the Guest SSID? The walled garden has disappeared from the GUI. I tried to enter the walled garden rules from the CLI, but with no success. The Guest SSID has self-registration with MAC caching enabled and doesn't allow web access prior to login. If the client has previously downloaded the APK, the onboard process goes well.
What about the Samsung CNA? Is there a valid trick from the IAP to bypass it?

Regards
