02-26-2016 05:14 AM
Hi everyone,
We have many questions from customers about how to configure ACLs on the WLC for Android clients to get access to the Play Market during BYOD onboarding (in order to download the Network Setup Assistant).
Unfortunately we don't have any document that specifies what should be configured. The customers are complaining that the IP addresses of Google services change very often, so they need to re-configure them all the time.
We tried to add the following URLs to the Redirect ACL, but it still didn't work for us:
accounts.google.com
googleapis.com
play.google.com
android.pool.ntp.org
market.android.com
support.google.com
ggpht.com
mtalk.google.com
android.clients.google.com
android.l.google.com
Do we have any official recommendations regarding it that we can share with the Customers?
02-26-2016 06:02 AM
Did you see this site? It has an entry for it
https://communities.cisco.com/docs/DOC-64033?mobileredirect=true
Also, are you using a supported version of the WLC? There have been issues with DNS-based ACLs on certain releases; best to check with the authors:
https://supportforums.cisco.com/document/12481821/tac-recommended-aireos
02-26-2016 06:36 AM
Jason, thank you!
So we need to add both URLs and IP addresses to the ACL? Also, I have doubts regarding IP addresses for different regions. Will they be the same?
About the URL with an asterisk (*.google.com): based on our experience, the asterisk is added automatically even if it's not visible in the GUI; please refer to the screenshots:
Regarding WLC versions, we even tested the special BU release 8.0.120.x where CSCuv82513 was resolved. We'll try to modify the URLs once again and test. I'm just not sure about the IP addresses, as I mentioned above...
02-26-2016 09:52 AM
From what I understand, you allow the names you want to open (you don't also need to duplicate them with IPs). So as long as you get the names correct, it should work fine. You also need to make sure you are using a supported AP for the DNS-based ACL feature.
02-26-2016 01:02 PM
I would suggest checking with the Cisco wireless platform teams, as DNS-based ACLs might not be supported in certain wireless deployment scenarios.
03-02-2016 06:17 AM
Dear all,
Thank you for your responses. We did an additional test from a rooted Android device. We see DNS requests to the following URLs:
Safebrowsing.googleapis.com
Play.googleapis.com
googleapis.l.google.com
android.clients.google.com
beacons.gvt2.com
beacons2.gvt2.com
beacons3.gvt2.com
beacons4.gvt2.com
accounts.google.com
clients2.google.com
clients.l.google.com
play.google.com
ww3.l.google.com
apis.google.com
gstaticadsl.l.google.com
oauth.googleusercontent.com
googlehosted.googleusercontent.com
ssl.gstatic.com
We will try to re-configure the ACL once again, and if it doesn't work then we'll contact the wireless team once again. Thank you!
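The mismatch this post illustrates (the device resolves many more names than the first allow list contained) can be checked before touching the controller. The script below is an added example written for this thread, not code from Cisco or from any poster: it models a DNS-based allow list, feeds it a constructed DNS query log built from the hostnames reported above, and lists the names the ACL would not cover. The wildcard rule it uses (`*.example.com` matches any subdomain but not the bare name) and the log line format are assumptions for the example, not documented WLC behaviour.

```python
"""Audit observed DNS queries against a DNS-based ACL allow list.

Added example for this thread. Assumptions: an allow-list entry is either an
exact FQDN or a '*.domain' wildcard that covers any subdomain (not the bare
domain); the log format is '<timestamp> query <name> <rrtype>'.
"""

# Constructed sample: the allow list from the opening post.
ALLOW_LIST = [
    "accounts.google.com",
    "googleapis.com",
    "play.google.com",
    "android.pool.ntp.org",
    "market.android.com",
    "support.google.com",
    "ggpht.com",
    "mtalk.google.com",
    "android.clients.google.com",
    "android.l.google.com",
]

# Constructed sample DNS log, built from names the later post reports seeing
# from a rooted Android device. Timestamps are invented.
SAMPLE_DNS_LOG = """\
2016-03-02T06:10:01 query safebrowsing.googleapis.com A
2016-03-02T06:10:01 query play.googleapis.com A
2016-03-02T06:10:02 query android.clients.google.com A
2016-03-02T06:10:02 query beacons.gvt2.com A
2016-03-02T06:10:03 query accounts.google.com A
2016-03-02T06:10:03 query ssl.gstatic.com A
"""


def normalize(name):
    """Lower-case a hostname and drop a trailing dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def covered(name, allow_list):
    """Return True if the allow list covers this hostname."""
    name = normalize(name)
    for entry in allow_list:
        entry = normalize(entry)
        if entry.startswith("*."):
            suffix = entry[1:]          # '*.google.com' -> '.google.com'
            # A wildcard covers subdomains only, not the bare domain itself.
            if name.endswith(suffix) and name != suffix[1:]:
                return True
        elif name == entry:
            return True
    return False


def parse_queries(log_text):
    """Extract queried hostnames from the assumed log format."""
    names = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "query":
            names.append(normalize(parts[2]))
    return names


def uncovered_names(log_text, allow_list):
    """Sorted list of hostnames seen in the log that the allow list misses."""
    return sorted({n for n in parse_queries(log_text) if not covered(n, allow_list)})


if __name__ == "__main__":
    print("Missing from the original list:")
    for n in uncovered_names(SAMPLE_DNS_LOG, ALLOW_LIST):
        print("  ", n)
    widened = ALLOW_LIST + ["*.google.com", "*.googleapis.com"]
    print("Still missing after adding wildcard entries:")
    for n in uncovered_names(SAMPLE_DNS_LOG, widened):
        print("  ", n)
```

Run it against a real query log captured during an onboarding attempt (after adapting `parse_queries` to that log's format) to see which names still need entries; the second pass shows that wildcard entries shrink the list but do not remove names on unrelated domains such as gvt2.com and gstatic.com, which matters given the per-AP limit on name-based entries mentioned below.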
03-02-2016 06:32 AM
Keep in mind the AP only supports so many name-based ACLs; not all of these might be needed.
An alternative is to have a PEAP SSID where the user is allowed Internet access to download the app, and when they try to access internal resources they are redirected to the onboarding portal.
Or the user grabs the app from another network.
07-07-2016 09:08 PM
Hi, did you get the ACL sorted in the end?
Or is [1] the best guess?
[1] BYOD What sites do I need to open to support Android Playstore Google?