Security

Hi All,

 

Ive been trying to get onboarding working for Android, i have been searchign through this forum and have aggregated about 20 netdestinations for names and IP ranges but I can get to the play store but cannot download quick connect.

 

(If i put an allowall policy in the role to test i can download fine)

 

Is there / does any one have an updated list of names and IP ranges that need to permitted to get google play store to work?    IOS works like a dream but android is a PITA!

 

Giving google is pushing into the business market, why do they keep changing IP ranges and names and screw over BYOD solutions :\

 

Thanks for any help.

 

Ledge

 

Here's what I use and it works without issue:

 

netdestination GOOGLE-PLAY
  name *.l.googleusercontent.com
  name android.clients.google.com
!

 

 

aaa authentication captive-portal "EMPLOYEE-BYOD-ENROLL"
   redirect-pause 0
   no logout-popup-window
   login-page "https://URL/onboard/landing.php/ip-employee-byod_provisioning.php"
   no enable-welcome-page
   white-list "CLEARPASS-PROD"
   white-list "ENTRUST-OCSP"
   white-list "GOOGLE-PLAY"
!

 

Hi Tim,

 

Thanks for your reply,  unfortunantly my netdestination already included those two names.

 

I did even create a new net destination and add only those two exactly the same as yours and put it in the whitelist (removed the old ) with no success.

 

I even tried an older android device as mine is running the latest version to make sure it was a version thing with no success.

 

Possibly in Australia, we get redirected to diffirent URL's :( as it sure doesnt work.

 

In fact i did put an allow all and montiroed it through our firewall and i could see it actually downloads the quickconnect cleint all 1.6meg from googlevideo.com :\  which i also have in my 20 odd netdestiantion with no success.

 

Very fustrating. :\  but thanks for your reply.

Can you do a packet-capture with the allow all and go through the process? You can then filter by DNS.

Yea that makes sense.

 

IS there an easy way to do it on the controller? When i tried to packet capure my client the other day it jsut sends a heap of wlan frames to my wireshark client :\  Was really unuseful.

 

I thought there must be away to capture the IP frames in a pcap format but the capture only sends wlan packets to an IP running wireshark. :\

 

Otherwise ill have to setup a SPAN port and do it the old fashined way on the LAN side.

 

 

To capture to another network client:

 

packet-capture destination ip-address <capture-client-IP>
packet-capture datapath wifi-client <client-mac-address> decrypted

In Wireshark, go to Preferences > Protocols > Aruba_ERM and set the port to 5555

Filter the packets with:

ip.src== <controller-ip> && dns

 

To capture to flash memory on controller:

 

packet-capture destination local-filesystem
packet-capture datapath wifi-client <client-mac-address> decrypted

 To stop packet capture and tar pcap file:

 

no packet-capture datapath wifi-client <client-mac-address> decrypted
packet-capture copy-to-flash datapath-pcap

 You can then copy the tarball off of the controller via SCP or TFTP and take a look at the capture

Hi Tim,

 

Thank you very much.

 

The DNS did a look up of a CNAME r1.sn-552u-ntqe.gvt1.com  which resolved to 210.8.185.140

 

I added *.gvt1.com to the other two names you supplied and i can now download from the play store :)

 

Our PaloAlto FW shows the 1.6meg download comes from that IP 210.8.185.140.

 

I will remember this for next time it breaks :P and i have to go through the process again.

 

Thank's for your support.

 

 

Interesting! That domain is definitely run by Google. Thanks for sharing the
results!

Dear Ledge and @cappalli,

did you allow *.amazonaws.com and *.viber.com for this setup ?

------------------------------
BR,

Hudaya
------------------------------

Original Message:
Sent: Feb 25, 2015 09:49 PM
From: Michael Lidgett
Subject: Clearpass Onboard - Android - Google Play Download QuickConnect

Hi Tim,

 

Thank you very much.

 

The DNS did a look up of a CNAME r1.sn-552u-ntqe.gvt1.com  which resolved to 210.8.185.140

 

I added *.gvt1.com to the other two names you supplied and i can now download from the play store :)

 

Our PaloAlto FW shows the 1.6meg download comes from that IP 210.8.185.140.

 

I will remember this for next time it breaks :P and i have to go through the process again.

 

Thank's for your support.

 

 

Hi Cappalli,

 

where can i configure that via GUI?

I am new on Aruba and not routined with that GUI

 

thx

Markus

Configuration > Firewall > Destinations.


Thanks,
Tim

Hi Tim,

thanks for that fast reply.

I did the firewall destinations. And now?

Went to Security -> Authentication -> AAA Profiles -> <myGuest-Profile> -> ?????

Authentication > L3 Authentication > Captive Portal Authenticatoin > <captive-portal-name>

 

Scroll down to Whitelist and add the netdest from the drop down.

It works :D

Many Thanks!!!!!!!!