topic ISE BYOD ANDROID ACL FOR GOOGLE PLAY in Network Access Control

ISE BYOD ANDROID ACL FOR GOOGLE PLAY

Simon Parlsjo — Mon, 11 Mar 2019 07:10:50 GMT

Hi,

Is there anyone out there who has an ACL (DNS and IP) that works for google play access during the BYOD flow for Android.

I am located in Europe and there doesn’t seem to be any example that works.

Hello Simon-

nspasov — Tue, 25 Oct 2016 17:24:35 GMT

Hello Simon-

What does your ACL look like?

There are a couple of easy ways you can do this:

1. If you are running version 7.6 and later then you can use DNS based ACL entries. That way a single entry can permit the google play store

2. If #1 is not an option then you can make the provisioning ACL for google play less restrictive. For instance, my regular provisioning ACL is pretty locked down, but the one for Android blocks all of my internal networks (except ISE servers and DNS) and then permits all Internet access.

I hope this helps!

Thank you for rating helpful posts!

HI,

Simon Parlsjo — Wed, 26 Oct 2016 06:38:16 GMT

HI,

I have tried with a lot of diffrent URLs and IP ranges. Currently i'm trying with the following:

DNS

Android.clients.google.*.*
Www.googleapis.*.*
Play.google.*.*
Ggpht.com.*.*
Android.pool.ntp.*.*
Market.android.*.*
Mtalk.google.*.*
*.android.clients.google.*.*
*.*.android.clients.google.*.*
*.gstatic.*.* (for bypassing internet check on Android - Disables mini-browser pop-up)

74.125.0.0/16
173.194.0.0/16
173.227.0.0/16
206.111.0.0/16
203.42.0.x/16
8.35.0.0/16

So what happens when you try

nspasov — Wed, 26 Oct 2016 16:21:41 GMT

So what happens when you try to run through the BYOD flow?

Thank you for rating helpful posts!

Also, be aware that not all

jan.nielsen — Wed, 26 Oct 2016 16:40:33 GMT

Also, be aware that not all AP's support DNS ACL's, and that before 8.2 it's my experience that DNS ACL's were a bit buggy. You might wan't to make sure DNS Snooping is actually being activated in the AP, and the WLC is recieving host/ip records from the AP's when you are doing the DNS lookup from your clients.

Hi

Simon Parlsjo — Thu, 27 Oct 2016 07:10:03 GMT

I accentliy marked this as answered. Is there a way to undo this?

With the ACL above I am not even able to access google play.

I also tried with the following and then I can go all the way to download. But when I tap the link to start the download it is stuck in Downloading state.

play.google.com

google.co

store.google.com

.googleapis.com

gstaic.com

accounts.youtube.com

dns.cisco.com

.appspot.com

ggpht.com

market.android.com

android.pool.ntp.org

google-analytics.com

.googleusercontext.com

Hi Simon, I have the same

fatalXerror — Wed, 18 Jan 2017 04:58:57 GMT

Hi Simon, I have the same issue we also tried to monitor the traffic in our firewall and put those IP addresses in the ACL or even put different DNS-based entries in the ACL.

Do you have now the fix for this? Thanks

Re: Hi

mumanika — Tue, 26 Mar 2019 15:03:05 GMT

Having the same issue as you SImon, it seems to be stuck at the downloading state and not progressing further. Did you happen to find a solution for this?