The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Daniel Ehlers <ehlers AT rz.uni-kiel.de>]

On 10/17/19 12:14 PM, Thomas Andersen wrote:
> Hi,
> 
> Just a few thoughts:
> 
> Personally I find it difficult and unstable to maintain and rely on a list 
> like that.
> Chances are, that google will reorganize and your onboarding will break.
Chances are, that google will keep all the domains for all the devices 
already in the field,
otherwise they would break the play store access for all the old devices. But 
yes for every
new android version that is indeed true and partially the reason for my 
question.

> We already have a guest network, where people register and we send a txt 
> message back with username/password for the guest network.
> From there they have full internet access but very limited internal access, 
> hence they are forced to make an 802.1x connection.
> 
> As a side note, we have whitelisted cat.eduroam.org in our CWP, so they can 
> download for computers and iOS without registration, since only the android 
> are depending on play store.
The list below is only the part for the android play store.
> Br,
> Thomas
> 
> -----Original Message-----
> From: cat-users-request AT lists.geant.org <cat-users-request AT lists.geant.org> 
> On Behalf Of Daniel Ehlers
> Sent: 17. oktober 2019 11:09
> To: cat-users AT lists.geant.org
> Subject: Re: [[cat-users]] google playstore whitelist for captive portal
> 
> Hi,
> 
>> I recommend my users to download it via their mobile providers.
> That is possible for some, but many of our students, especially those on 
> erasmus exchange,
> don't have access to local mobile providers. We also use the setup wifi to 
> guide the users
> to the matching installation guide, currently differentiates between 
> android and apple devices.
> 
>> I found this list for Aruba Wireless, maybe it's already enough:
>> https://github.com/aruba/clearpass-cloud-service-whitelists/blob/master/onboard/onboard_android.md
> That is a very unrestricted, especially "www.google.com" is a no go. The 
> connectivitycheck subdomains
> are those you need to redirect (302), so the captive portal catch mechanism 
> works reliable.
> 
> Maybe I paste what we have so far, all the domains have an implicit 
> wildcard on the left:
> 
> android.l.google.com
> android.clients.google.com
> play.google.com
> ggpht.com
> clients1.google.com
> clients2.google.com
> clients3.google.com
> clients4.google.com
> clients5.google.com
> clients6.google.com
> photos-ugc.l.google.com
> googleusercontent.com
> ajax.googleapis.com
> play-fe.googleapis.com
> play.google-apis.com
> play.googleapis.com
> googleapis.l.google.com
> apis.google.com
> gstatic.com
> wallet.google.com
> checkout.google.com
> gvt1.com
> gvt2.com
> 
> regards Daniel
> 
>> -----Original Message-----
>> From: cat-users-request AT lists.geant.org 
>> <cat-users-request AT lists.geant.org> On Behalf Of Daniel Ehlers
>> Sent: Wednesday, October 16, 2019 3:57 PM
>> To: 'cat-users AT lists.geant.org' <cat-users AT lists.geant.org>
>> Subject: [[cat-users]] google playstore whitelist for captive portal
>>
>> Hi,
>>
>> we are running a captive portal / setup wifi network for device boarding, 
>> as suggested in the about section of [1].
>> Sadly the given recommended list for google play is far from complete and 
>> thus we have extended that list over
>> time. Does anyone know of any complete/official list of hostnames forr a 
>> whitelist for accessing google play?
>>
>> regards
>>
>> Daniel Ehlers
>>
>> [1] https://cat.eduroam.org/
>>
> 

-- 
Daniel Ehlers
Christian-Albrechts-Universität zu Kiel
Rechenzentrum
Abteilung Netze und Infrastruktur
Ludewig-Meyn-Str. 4
D-24118 Kiel
Tel:   +49 (0)431 880-1982
Fax:  +49 (0)431 880-1523
ehlers AT rz.uni-kiel.de
www.uni-kiel.de

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature