I'm trying to setup a pre-auth role for a captive portal that will launch the captive portal but will still allow access to the google playstore. I have not had much luck with this. I know I need to block access to connectivitycheck.gstatic.com but I have not been able to do this successfully.
I have a netdestination with URLs and subnets as well as a netdestination with *.gstatic.com. They are both added to associated access lists and added to the pre-auth role. I have the gstatic deny before the google playstore permit but no dice. I can't just remove 172.217/16 because that breaks the access to the playstore.
show netdestination google-playstore
Name: google-playstore
Destination ID: 39
Position Type IP addr Mask-Len/Range
-------- ---- ------- --------------
1 name 0.0.0.9 android.clients.google.com
2 name 0.0.0.10 *.ggpht.com
3 name 0.0.0.11 *.gvt1.com
4 name 0.0.0.12 play.google.com
5 name 0.0.0.13 *.l.googleusercontent.com
6 network 64.18.0.0 255.255.240.0
7 network 66.102.0.0 255.255.240.0
8 network 64.233.160.0 255.255.224.0
9 network 66.249.80.0 255.255.240.0
10 network 72.14.192.0 255.255.192.0
11 network 74.125.0.0 255.255.0.0
12 network 108.177.0.0 255.255.128.0
13 network 173.194.0.0 255.255.0.0
14 network 207.126.144.0 255.255.240.0
15 network 209.85.128.0 255.255.128.0
16 network 216.58.192.0 255.255.224.0
17 network 216.239.32.0 255.255.224.0
18 network 172.217.0.0 255.255.0.0
Any idea how I can get this to work?
I've run into so many problems with the captive portal lately along with trying to redirect. Not to mention I can't get safari to work at ALL when I use a CNA bypass. It's a nightmare.