Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Android onboard issue

  • 1.  Android onboard issue

    Posted Sep 25, 2013 12:06 PM

    Hi All,

     

    I have an issue with Android on-boarding, where I can't connect to the Google Play Store to download Quick Connect.

     

    I have a setup of IAPs (as virtual controllers) and a CP Onboard CPPM server. I am using 2 SSIDs for the onboarding process.

     

    The first one is open, to authorise whether the device is allowed to on-board by issuing AD credentials, and the second one is for EAP-TLS authentication. As soon as I connect to the first open SSID it redirects me to download Quick Connect; however, as soon as I click to download the quick client I get redirected to the Google Play Store, which is unsuccessful, and I start getting a retry (to connect to Google Play) option on the Android device. It appears as if it has no internet connectivity to get to Google Play.

     

    I have checked the IAP firewall rule and allowed unrestricted access for now, and please see the attached walled garden list as well to allow Google Play, but no joy. I have checked with Windows and Apple devices and all are working fine on the same network.

     

    Any help would be much appreciated.



  • 2.  RE: Android onboard issue
    Best Answer

    EMPLOYEE
    Posted Sep 25, 2013 05:23 PM

    There is an issue in Instant where the ACL needs to be IP-based instead of FQDN. There will be a fix in an upcoming Instant release.

     

    Putting android.clients.google.com and *.ggpht.com in IAP's walled garden does not work. You need to figure out to which networks these resolve and put them into your ACL like below (last 6 entries):

     

    wlan access-rule pre-auth
     rule 192.168.1.215 255.255.255.255 match tcp 443 443 permit
     rule 192.168.1.215 255.255.255.255 match tcp 80 80 permit
     rule 192.168.1.209 255.255.255.255 match udp 53 53 permit
     rule 173.194.0.0 255.255.0.0 match tcp 80 80 permit
     rule 74.125.0.0 255.255.0.0 match tcp 80 80 permit
     rule 209.85.0.0 255.255.0.0 match tcp 80 80 permit
     rule 173.194.0.0 255.255.0.0 match tcp 443 443 permit
     rule 74.125.0.0 255.255.0.0 match tcp 443 443 permit
     rule 209.85.0.0 255.255.0.0 match tcp 443 443 permit
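
One way to carry out the "figure out which networks these resolve to" step from the answer above, as an added example that is not part of the original post or Aruba's own tooling. The function names, the prefix-length parameter and the sample addresses are assumptions made for illustration; the rule syntax is copied from the ACL in the post.

```python
import ipaddress
import socket

# Hostname named in the answer. "*.ggpht.com" is a wildcard and cannot be
# resolved directly; concrete hostnames under it must be supplied instead.
WALLED_GARDEN_HOSTS = ["android.clients.google.com"]
PORTS = (80, 443)


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses a hostname currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def covering_networks(addresses, prefix_len=24):
    """Collapse addresses into the distinct networks of prefix_len (or wider,
    when neighbours merge) that contain them."""
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addresses}
    return list(ipaddress.collapse_addresses(nets))


def access_rules(networks, ports=PORTS):
    """Render permit rules in the same form as the ACL shown in the post."""
    return [
        f" rule {net.network_address} {net.netmask} match tcp {port} {port} permit"
        for port in ports
        for net in networks
    ]


# Constructed sample answers (not live DNS data), chosen inside the ranges
# that appear in the post's ACL so the output can be compared with it.
SAMPLE_ADDRESSES = ["173.194.34.10", "173.194.34.77", "74.125.136.100", "209.85.148.139"]

if __name__ == "__main__":
    # For live data, replace SAMPLE_ADDRESSES with:
    #   set().union(*(resolve_ipv4(h) for h in WALLED_GARDEN_HOSTS))
    print("wlan access-rule pre-auth")
    for line in access_rules(covering_networks(SAMPLE_ADDRESSES, prefix_len=16)):
        print(line)
```

DNS answers for these names vary by resolver location and over time, so the resolution needs to be run from the network the clients sit on and repeated periodically. A wider prefix such as /16 permits pre-auth traffic to every host in that range, not only the Play Store, so the narrowest prefix that still works keeps the pre-auth role tighter.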



  • 3.  RE: Android onboard issue

    Posted Sep 26, 2013 05:00 AM

    Hi Troy,

     

    Many thanks for your help, I can confirm it is working now. However, should I assume there are issues with the IAP firewall section? As I can see, I didn't allow any DHCP traffic in the pre-auth rule, but I still get an IP and am redirected to the initial on-boarding page.

     

    Regards

    A Ali



  • 4.  RE: Android onboard issue

    Posted Sep 26, 2013 05:08 AM

    Hi Troy,

     

    Further to my last post, am I right to understand that, while going through the WLAN wizard, as soon as we configure the IP to be network assigned we don't need to create any firewall rule? Does the IAP automatically create any hidden FW rule to allow DHCP traffic? Please see attachment.



  • 5.  RE: Android onboard issue

    Posted Sep 22, 2015 12:20 PM

    Hi Troy,

     

    There are a lot of posts around about this topic and I am wondering if Aruba is maintaining a qualified list that we can rely on? We are in all parts of the world so have a fear with a rollout that we will be gobbled up by all the Google datacentres. 

     

    Thanks

    Ken