BYOD Android DNS-based ACL

anvolkov
Cisco Employee

hi everyone,

We have many questions from customers about how to configure ACLs on the WLC for Android clients so they can reach the Play Market during BYOD onboarding (in order to download the Network Setup Assistant).

Unfortunately we don't have any document that specifies what should be configured. The customers are complaining that the IP addresses of Google services change very often, so they need to re-configure them all the time.

We tried to add the following URLs to the Redirect ACL, but it still didn't work for us:

accounts.google.com

googleapis.com

play.google.com

android.pool.ntp.org

market.android.com

support.google.com

ggpht.com

mtalk.google.com

android.clients.google.com

android.l.google.com

Do we have any official recommendations regarding it that we can share with the Customers?

Accepted Solution

Jason Kunst
Cisco Employee

Did you see this site? It has an entry for it

https://communities.cisco.com/docs/DOC-64033?mobileredirect=true

Also, are you using a supported version of the WLC? There have been issues with DNS-based ACLs on certain releases; best to check with the authors.

https://supportforums.cisco.com/document/12481821/tac-recommended-aireos


7 Replies


Jason, thank you!

So we need to add both URLs and IP addresses to the ACL? Also, I have doubts regarding the IP addresses for different regions. Will they be the same?

About the URL with an asterisk (*.google.com): based on our experience, the asterisk is added automatically even if it's not visible in the GUI, please refer to the screenshots:

Regarding WLC versions: we even tested a special BU release of 8.0.120.x where CSCuv82513 was resolved. We'll try to modify the URLs once again and test. I'm just not sure about the IP addresses, as I mentioned above...

From what I understand, you allow the names you want to open (you don't also need to duplicate them with IPs). So as long as you get the names correct, it should work fine. You also need to make sure you are using a supported AP for the DNS-based ACL feature.

I would suggest checking with the Cisco wireless platform teams, as DNS-based ACLs might not be supported in certain wireless deployment scenarios.

anvolkov
Cisco Employee

Dear all,

Thank you for your responses. We did an additional test from a rooted Android device. We see DNS requests to the following names:

Safebrowsing.googleapis.com

Play.googleapis.com

googleapis.l.google.com

android.clients.google.com

beacons.gvt2.com

beacons2.gvt2.com

beacons3.gvt2.com

beacons4.gvt2.com

accounts.google.com

clients2.google.com

clients.l.google.com

play.google.com

ww3.l.google.com

apis.google.com

gstaticadsl.l.google.com

oauth.googleusercontent.com

googlehosted.googleusercontent.com

ssl.gstatic.com

We will try to re-configure the ACL once again, and if it doesn't work we'll contact the wireless team again. Thank you!

Keep in mind the AP only supports a limited number of name-based ACL entries; not all of these might be needed.

An alternative is to have a PEAP SSID where the user is allowed Internet access to download the app, and when they try to access internal resources they are redirected to the onboarding portal.

Or the user grabs the app from another network.
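The two points above (the list of names observed from the rooted device, and the limited number of name-based entries an AP supports) can be worked through with a small script. This is an added example, not code from Cisco or from anyone in this thread: it takes the observed hostnames posted above, groups them by registrable domain into wildcard entries of the form `*.domain`, and then checks that every observed name is still matched by the reduced list. The wildcard matching rule (suffix match on `.domain`, plus the bare domain) is an assumption made for illustration, not a statement of how the WLC implements it; the entry limit is likewise a placeholder. Note that a wildcard such as `*.google.com` is deliberately broad (it admits every host under that domain), which is the trade-off you make to keep the entry count down.

```python
"""Collapse observed DNS names into a small set of wildcard ACL entries.

Added illustration, not Cisco code. OBSERVED is the host list posted in
this thread; the grouping rule, the wildcard match semantics and the
entry limit are assumptions made for the example.
"""
from collections import defaultdict

# Hostnames observed from the rooted Android device (copied from the thread).
OBSERVED = [
    "safebrowsing.googleapis.com", "play.googleapis.com",
    "googleapis.l.google.com", "android.clients.google.com",
    "beacons.gvt2.com", "beacons2.gvt2.com", "beacons3.gvt2.com",
    "beacons4.gvt2.com", "accounts.google.com", "clients2.google.com",
    "clients.l.google.com", "play.google.com", "ww3.l.google.com",
    "apis.google.com", "gstaticadsl.l.google.com",
    "oauth.googleusercontent.com",
    "googlehosted.googleusercontent.com", "ssl.gstatic.com",
]

# Placeholder for the per-AP limit on name-based entries (assumed value).
ASSUMED_ENTRY_LIMIT = 10


def registrable_domain(host):
    """Return the last two labels of a host, e.g. 'google.com'.
    Assumes no multi-label public suffix (co.uk etc.), which holds for
    every name in OBSERVED."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def wildcard_entries(hosts):
    """Group hosts by registrable domain and emit one '*.domain' entry
    per group. Returns {entry: [hosts it was derived from]}."""
    groups = defaultdict(list)
    for h in hosts:
        groups["*." + registrable_domain(h)].append(h)
    return dict(groups)


def matches(entry, host):
    """Emulate one ACL entry (assumed semantics): '*.x' matches the bare
    domain x and any host ending in '.x'; a plain entry matches exactly."""
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[2:].lower()
        return host == suffix or host.endswith("." + suffix)
    return host == entry.lower()


def uncovered(entries, hosts):
    """Return the hosts that no entry in the reduced list would match."""
    return [h for h in hosts if not any(matches(e, h) for e in entries)]


def fits_limit(entries, limit=ASSUMED_ENTRY_LIMIT):
    """True if the reduced list fits the (assumed) per-AP entry limit."""
    return len(entries) <= limit


if __name__ == "__main__":
    acl = wildcard_entries(OBSERVED)
    for entry, derived in sorted(acl.items()):
        print(f"{entry:<26} derived from {len(derived)} observed name(s)")
    print("entries:", len(acl), "fits limit:", fits_limit(acl))
    print("uncovered:", uncovered(list(acl), OBSERVED))
```

Run as-is, the 18 observed names collapse to five wildcard entries, all 18 remain matched, and the list fits the assumed limit. Before relying on a reduced list, confirm the actual wildcard semantics and entry limit for your WLC and AP release with the documents linked earlier in the thread.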

Hi, did you get the ACL sorted in the end?

Or is [1] the best guess?


[1] BYOD What sites do I need to open to support Android Playstore Google?