Security

Hello,

We Onboard mobile devices such as Android phones/tablets, Apple phones/tablets, etc.

For Android there is the prerequisite that the QuickConnect app be installed prior to actually starting the Onboard process.

Our Onboard setup uses an 'open' SSID which redirects to a captive portal. From this portal the user can select a link to start the Onboard process (We use this portal for a couple of other things as well). Once the Onboard process is completed they connect to a secure SSID.

If QuickConnect is not already installed on the device then it must be installed. On Android phones this probably won't be a problem because they can just disconnect and use their phones data plan to download the app. For tablets though this could be a problem. When connected to the 'open' SSID there is no Internet connection due to the user role. So using this SSID to download the app isn't possible because when you try and go to the Play store to get the app you get the error "No Connection".

I was just wondering what are the possibilities to get around this? Without opening up the Internet completely. The initial role is restricted to pretty much our Captive Portal and that is it. We would like to keep it that way if at all possible. But we do need to provide an easy way to install the QuickConnect app if it is not already installed.

Any suggestions would be greatly appreciated.

Thank you

If your controller is setup to do DNS lookups, you can simply allow web traffic to android.clients.google.com in your captive portal role.

We also allow access to googleapis.com and google-analytics.com due to the use of Google Fonts and other scripts on our captive portal and Single Sign On pages.

Sorry I hadn't refreshed the page before I posted this. I will see if I can find those settings.

Thank you!

------------------------------------------------

Hey cappalli,

Sorry for asking this as I think I should know this already...but

How do you set the controller up to do DNS lookups? Where would I go either from the command line or GUI to setup/check this configuration.

I am going through the ArubaOS doc now but most of the DNS stuff is related to the provisioning of the AP's

Thank you for the response!

Cheers

Simply issue ip domain lookup the cli.

Just did my first test and it worked like a champ!

@cappalli thank you for your assistance!

----------------------------------------------------

Wow this is great!

Thank you @cappalli for your assistance.

I will begin my testing!

Cheers

Could this same technique be used to deal with the Apple's 'success.html' behavior? It disconnects the Apple device from a wireless connection that has a Captive Portal due to the fact that it cannot access the 'success.html' hosted on Apple's website.

Currently we get around this by 'spoofing' Apple.com in our DNS.

Interesting.

I guess the only potential downside is that the users could browser to say 'play.google.com' because it is allowed.

But that is about it, they won't really be able to do anything else.

I would assume it would be the same with Apple.com.

Users could browse there but the side would probably only half work.

I will have to test more.

Thank you!