Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Android Onboard in IAP Environment

  • 1.  Android Onboard in IAP Environment

    Posted Mar 16, 2019 03:58 PM

    Hi,

     

    We are in the process of switching over to an IAP environment (going to miss my controllers!) and ran into some questions about the Android Onboard process.

     

    • Is it possible to bypass the Android Captive Portal Assistant? I found this post in which @cappalli suggested allowing two URLs on the Captive Portal whitelist. Does the IAP have a Captive Portal whitelist equivalent? I tried allowing HTTP to the two URLs but the assistant still pops up.
    • This sort of ties into the first question, what would be the correct way to allow access to the Play Store so the users can download the QuickConnect app? Another post by @cappalli has the URLs that need to be whitelisted, but I am not sure if I could just create allow rules for each URL in the pre-auth role, or if there is an alternative whitelist method on the IAP like in a controller environment.

    Thank you,

     

    Cheers



  • 2.  RE: Android Onboard in IAP Environment
    Best Answer



  • 3.  RE: Android Onboard in IAP Environment

    Posted Mar 16, 2019 04:12 PM

    @cappalli wrote:
    https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md

    Thank you sir.

     

    I have a quick question regarding the IAP configuration. I can't seem to find any reference to "rule alias".

    Would I just edit my pre-auth role and put:

    rule android.clients.google.com match tcp 443 443 permit
    rule googleapis.com match tcp 443 443 permit
    rule gvt1.com match tcp 443 443 permit
    rule ggpht.com match tcp 443 443 permit
    rule googleusercontent.com match tcp 443 443 permit
    rule gstatic.com match tcp 443 443 permit
    rule clients.l.google.com match tcp 443 443 permit
    rule accounts.google.com match tcp 443 443 permit
    rule accounts.youtube.com match tcp 443 443 permit
    rule connectivitycheck.android.com match tcp 80 80 permit
    rule connectivitycheck.android.com match tcp 443 443 permit
    rule connectivitycheck.gstatic.com match tcp 80 80 permit
    rule connectivitycheck.gstatic.com match tcp 443 443 permit
    rule www.google.com match tcp 443 443 permit
    rule www.google.com match tcp 80 80 permit


  • 4.  RE: Android Onboard in IAP Environment

    Posted Mar 16, 2019 04:20 PM

    Nevermind.

    I just realized that when you enter this via the GUI and define a domain name, it translates to "rule alias" in the actual configuration.



  • 5.  RE: Android Onboard in IAP Environment

    EMPLOYEE
    Posted Mar 16, 2019 04:28 PM
    Yes, exactly.


  • 6.  RE: Android Onboard in IAP Environment

    Posted Mar 16, 2019 05:32 PM

    @cappalli wrote:
    Yes, exactly.

    Thank you Tim!

    Worked like a charm.
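    The rule list from reply 3, turned into the "rule alias" form that replies 4 and 5 confirm the GUI writes, as an added example (not code from the thread and not an Aruba tool). Two things are assumed and labelled as such: the exact token order `rule alias <fqdn> match <proto> <sport> <eport> <action>` (the thread only says a domain name "translates to rule alias", so confirm one line against `show running-config` on a live IAP before pasting), and that only bare FQDNs are valid alias destinations, so the script refuses URLs, wildcards and IP literals and drops duplicate lines instead of letting them pile up in the role.

```python
"""
Added example: validate the access-rule lines as they were posted in this
thread, de-duplicate them, and emit them in the assumed IAP CLI form
"rule alias <fqdn> match <proto> <sport> <eport> <action>".
This is not Aruba's syntax reference; the token order is an assumption.
"""
import re
from typing import Iterable, List, NamedTuple

# One rule as typed in the thread: destination, protocol, port range, action.
RULE_RE = re.compile(
    r"^rule\s+(?P<dest>\S+)\s+match\s+(?P<proto>tcp|udp|any)\s+"
    r"(?P<sport>\d{1,5}|any)\s+(?P<eport>\d{1,5}|any)\s+(?P<action>permit|deny)$",
    re.IGNORECASE,
)
# A destination we are willing to turn into an alias: a bare host name only
# (no scheme, path, wildcard or IP literal).  Assumption about what the IAP
# accepts as a domain-name destination.
FQDN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


class Rule(NamedTuple):
    dest: str
    proto: str
    sport: str
    eport: str
    action: str


def parse_rule(line: str) -> Rule:
    """Parse one posted rule line; raise ValueError on anything malformed."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    r = Rule(*(v.lower() for v in m.group("dest", "proto", "sport", "eport", "action")))
    if not FQDN_RE.match(r.dest):
        raise ValueError(f"destination is not a bare FQDN: {r.dest!r}")
    if r.sport != "any" and r.eport != "any":
        lo, hi = int(r.sport), int(r.eport)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi} in {line!r}")
    elif r.sport != r.eport:
        # "any" mixed with a number is not a range the CLI can express.
        raise ValueError(f"mixed any/numeric port range in {line!r}")
    return r


def to_alias_line(r: Rule) -> str:
    """Assumed IAP CLI form for a domain-name destination (see module docstring)."""
    return f"rule alias {r.dest} match {r.proto} {r.sport} {r.eport} {r.action}"


def build_walled_garden(lines: Iterable[str]) -> List[str]:
    """Validate every line, keep the first copy of each rule, convert all."""
    seen = set()
    out: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_rule(line)
        if r in seen:
            continue
        seen.add(r)
        out.append(to_alias_line(r))
    return out


# Input copied verbatim from reply 3 of this thread; the conversion is the
# added part.
POSTED_RULES = """
rule android.clients.google.com match tcp 443 443 permit
rule googleapis.com match tcp 443 443 permit
rule gvt1.com match tcp 443 443 permit
rule ggpht.com match tcp 443 443 permit
rule googleusercontent.com match tcp 443 443 permit
rule gstatic.com match tcp 443 443 permit
rule clients.l.google.com match tcp 443 443 permit
rule accounts.google.com match tcp 443 443 permit
rule accounts.youtube.com match tcp 443 443 permit
rule connectivitycheck.android.com match tcp 80 80 permit
rule connectivitycheck.android.com match tcp 443 443 permit
rule connectivitycheck.gstatic.com match tcp 80 80 permit
rule connectivitycheck.gstatic.com match tcp 443 443 permit
rule www.google.com match tcp 443 443 permit
rule www.google.com match tcp 80 80 permit
""".splitlines()

if __name__ == "__main__":
    print("\n".join(build_walled_garden(POSTED_RULES)))
```

    Paste the output under the pre-auth access rule; the authoritative host list is the GitHub file linked above, so re-run the script whenever that file changes rather than editing the role by hand.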



  • 7.  RE: Android Onboard in IAP Environment

    Posted May 29, 2019 08:13 AM

    I'm using IAP version 8.5 with ClearPass onboarding using the guest SSID for provisioning. The users that need onboarding get the External CP role and cannot download QuickConnect from the Play Store. Where should I apply these rules, under the Guest SSID? The walled garden has disappeared from the GUI. I tried to enter the walled garden rules from the CLI but with no success. The Guest SSID has self registration with MAC caching enabled and doesn't allow web access prior to login. If the client has previously downloaded the APK, the onboard process goes well.
    What about the Samsung CNA? Is there a valid trick from the IAP to bypass it?

    Regards
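    A quick way to find out why "the assistant still pops up" (post 1) or why a client in the External CP role cannot reach the Play Store (post 7) is to ask the same question the phone asks. This is an added example, not code from the thread or from Aruba: run it from a laptop placed in the pre-auth role and it reports what the Android captive-portal probe would conclude. Assumptions, labelled in the code: Android's stock probe fetches `/generate_204` over HTTP from connectivitycheck.gstatic.com (with a sibling HTTPS probe from www.google.com) and treats anything but an empty HTTP 204 as "captive"; the thread lists only the host names, not that path. Samsung's CNA uses its own endpoint, which the thread does not name and the script does not cover.

```python
"""
Added example: emulate Android's captive-portal probe against the hosts the
thread whitelists, without following redirects, and say whether the walled
garden answers the way the phone expects.  The /generate_204 path and the
"204 + empty body means open" rule are Android behaviour assumed here, not
something the thread states.
"""
import http.client
import ssl
from typing import Dict, List, Optional, Tuple

# (host, port, path) of the stock probes.  Hosts are from the thread's list;
# the path is the assumed Android probe path.
PROBES: List[Tuple[str, int, str]] = [
    ("connectivitycheck.gstatic.com", 80, "/generate_204"),
    ("connectivitycheck.android.com", 80, "/generate_204"),
    ("www.google.com", 443, "/generate_204"),
]

REDIRECTS = {301, 302, 303, 307, 308}


def classify(status: int, location: Optional[str], body: bytes) -> str:
    """Map one probe response to what the phone's captive-portal logic concludes."""
    if status == 204 and not body:
        return "open"  # assistant stays quiet for this probe
    if status in REDIRECTS:
        # Typical for a portal in the path: 302 to the login page.
        return f"captive: redirected to {location or '<no Location header>'}"
    if status == 200:
        return "captive: a page was served where an empty 204 was expected"
    return f"unexpected: HTTP {status}"


def probe(host: str, port: int, path: str, timeout: float = 5.0) -> str:
    """Fetch one probe URL exactly once (no redirect following) and classify it."""
    if port == 443:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context()
        )
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # User-Agent roughly as an Android client sends it (assumed, cosmetic).
        conn.request("GET", path, headers={"User-Agent": "Dalvik/2.1.0"})
        resp = conn.getresponse()
        body = resp.read()
        return classify(resp.status, resp.getheader("Location"), body)
    except (OSError, http.client.HTTPException) as exc:
        # Refused, reset, timed out, or TLS interception: the role denied or
        # intercepted the flow, which also triggers the assistant.
        return f"failed: {type(exc).__name__}: {exc}"
    finally:
        conn.close()


def run(probes: List[Tuple[str, int, str]] = PROBES) -> Dict[str, str]:
    """Probe every entry and return {url: verdict}."""
    return {f"{h}:{p}{path}": probe(h, p, path) for h, p, path in probes}


if __name__ == "__main__":
    for url, verdict in run().items():
        print(f"{url:50} {verdict}")
```

    Any line that is not "open" is a host/port the pre-auth role (or the portal redirect) is still catching; fix those rules first, then retest before touching the phone. A "failed" on the HTTPS probe with an SSL error usually means the portal is intercepting 443 rather than denying it.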