ISE Provisioning - Google Play Ports Changed?

zztopping
Level 4

Tested on Nexus 7 - Stock 4.2 and Galaxy Nexus running 4.1. Same result.

Following TrustSec 2.1 Guides for ACL.

When attempting to download and install the "Cisco Network Setup Assistant" from Google Play as part of ISE provisioning, I get errors when trying to download while in "CENTRAL_WEB_AUTH" status on the WLC.

TrustSec documents that tcp-udp/5228 needs to be allowed on your WLC CWA ACL, but it looks like the ports used for Google Play have changed to tcp/80 and tcp/443 when I look at firewall logs without any CWA in place. Has anyone else hit this? It can't be best practice to open 80 and 443 to two 16-bit networks.

4 Replies

Tarik Admani
VIP Alumni

Hi,

You may want to consider filtering the traffic to find which IP address the Google Play store resolves to, then use your internal DNS server to provide that IP address so you can tighten up your ACLs. You may want to test this to see if it doesn't break any other Google requests, since you will have to add that zone. This is assuming that the URL for the Google Play store never changes.

Thanks,

Tarik Admani
*Please rate helpful posts*

I am presently doing a project for BYOD ISE and MDM integration. At a certain stage BYOD should be restricted to access only Google Play store and App Store. I have a WiSM running version 7.6 and configured a DNS ACL according to the Cisco doc below. I found that the wildcard mask is not accepted. Without a wildcard mask it is not possible, as the ACL accepts a maximum of 10 lines. I tried an IP ACL allowing certain recommended blocks, but that is also not working. Google may have changed its IP range recently. Please help if anyone has done this recently.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/Wireless_BYOD_with_ISE/wireless_BYOD_with_ISE.html#pgfId-45618


Hi,

This is not as specific as I would like, but it does seem to work.

Regards Brett

Couple things here.


1) I highly recommend doing two Redirect ACLs, one for Androids only and one for "Everyone Else". The Androids rule will be much more open after they start the NSP flow (and only then), while keeping your other CWA (guests and such) very secure. Order-wise, if you create your Authz rules to have the Androids CWA rule be Session:Device OS=Android and then below that the CWA catch-all for "Everyone Else", they will start at the catch-all CWA, then CoA will change them at NSP flow start to the more permissive rule for Google Play access.

2) My Android ACL has both DNS entries and IP entries. Here are the DNS ACLs I've put in my working configuration:


3) The IPs in my ACL were also needed because my local ISP's address space was being returned by DNS lookups (and the DNS ACLs don't reveal everything). I imagine this is a Google partnership for CDN-like delivery of Google services. So, start with the well-known Google /16s, then add any subnets you see returned from lookups to play.google.com (reference the prefix size from an ARIN or other RIR lookup).

In my case:

74.125/16

173.194/16

206.111/16

x.x.x.x/19 <----my ISP's IP range as seen in DNS queries and prefix from ARIN
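The check described in point 3 (start with the well-known /16s, then add whatever else the lookups return), as an added Python example that is not from this thread or from Cisco: the "resolved" addresses are constructed sample data, and the /19 prefix length is assumed to have come from an RIR lookup as the poster describes.

```python
"""Added example: check whether the addresses play.google.com resolves to are
covered by the /16 entries in a WLC redirect ACL, and list what is missing.
The resolved addresses below are constructed sample data, not live DNS results."""
import ipaddress

# Prefixes from the ACL described in the thread, written in full CIDR form.
ACL_PREFIXES = ["74.125.0.0/16", "173.194.0.0/16", "206.111.0.0/16"]

# Constructed sample of addresses seen in DNS answers for play.google.com.
# The 203.0.113.x addresses (RFC 5737 documentation range) stand in for an
# ISP-hosted CDN range that the well-known Google /16s do not cover.
RESOLVED = ["74.125.24.100", "173.194.65.139", "203.0.113.17", "203.0.113.44"]


def uncovered_addresses(resolved, acl_prefixes):
    """Return the resolved addresses that no ACL prefix permits."""
    nets = [ipaddress.ip_network(p) for p in acl_prefixes]
    return [a for a in resolved
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def suggest_prefixes(addresses, prefix_len):
    """Aggregate uncovered addresses into /prefix_len networks to add.
    The length should come from the RIR allocation (ARIN etc.), as the
    thread advises; /19 in the usage below mirrors the poster's ISP range."""
    nets = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
            for a in addresses}
    return sorted(str(n) for n in nets)


def acl_line_count(acl_prefixes, extra):
    """Total ACL entries after adding the suggested prefixes, so the result
    can be compared against the controller's per-ACL line limit."""
    return len(acl_prefixes) + len(extra)


if __name__ == "__main__":
    missing = uncovered_addresses(RESOLVED, ACL_PREFIXES)
    adds = suggest_prefixes(missing, 19)
    print("not covered by ACL:", missing)
    print("prefixes to add:", adds)
    print("ACL lines after change:", acl_line_count(ACL_PREFIXES, adds))
```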
