Android BYOD ISE 2.2 ACL/URL Whitelist for Google Play

During the Android BYOD on-boarding process, the device needs fairly open access to the internet so that it can reach the Google Play Store and download the Cisco Network Setup Assistant app, which helps the device send a certificate request to ISE and configures the network settings on the device itself.

Since ISE BYOD with certificates was introduced, the list of things the Android device needs to communicate with during the process has changed from release to release. It has gone from needing a whitelist of IP-address ranges to a list of whitelisted URLs, and now I have noticed that a combination of both seems to work best.

In ISE 2.2, I have had success with the following settings on our WLC (AireOS 8.2.130.0).

[Image: Cisco WLC redirect ACL for Cisco ISE]

Permit access to DNS and to your PSN nodes (you could lock this down more if you want to), and then deny traffic to all your internal networks (for security reasons). Note that the default gateway of the network the device is connected to during the BYOD process must also be denied, because Android devices will attempt to contact their default gateway to check for connectivity.

A very generous Permit sits at the end of the list, making sure the Android device can connect to whatever IP address the Google Play Store has "this time." After a lot of testing, I have simply concluded that it is much easier to do it this way than to try to nail down which IP ranges need to be allowed for the Google Play Store connection to work, since they change from time to time.

The second part of the ACL is to permit certain URLs/domains. The documentation around this function on Cisco's website has been very vague, and many documents contradict each other. Even with the generous Permit Any at the bottom of the ACL above, I couldn't get this working without adding the URL whitelist too.

Something that isn't shown in the WLC GUI is that a wildcard prefix (*.) is prepended to every URL entered into this list. You can use the CLI command show acl detailed <ACL-name> to see the actual content.

[Image: Cisco WLC redirect URL list for Cisco ISE and Google]
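To sanity-check the rule order before pushing an ACL like the one above, here is a small first-match model of the redirect ACL and of the implicit "*." prefix on the URL list. This is an added example, not configuration from the post or from Cisco; the PSN addresses, internal ranges, gateway and Google address are constructed placeholders.

```python
"""First-match model of a WLC redirect ACL plus the URL whitelist behaviour.
All addresses below are constructed examples, not values from the post."""
from ipaddress import ip_address, ip_network

PSN_NODES = ["10.0.0.11/32", "10.0.0.12/32"]   # ISE Policy Service Nodes (constructed)
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
GATEWAY = "192.168.50.1/32"                    # default gateway of the BYOD VLAN (constructed)
DNS_PORT = 53

# Rule tuple: (action, destination network, protocol or None, dst port or None).
# Order mirrors the post: DNS, PSNs, deny gateway, deny internal, permit any.
REDIRECT_ACL = (
    [("permit", ip_network("0.0.0.0/0"), "udp", DNS_PORT)]
    + [("permit", ip_network(p), None, None) for p in PSN_NODES]
    + [("deny", ip_network(GATEWAY), None, None)]
    + [("deny", ip_network(n), None, None) for n in INTERNAL]
    + [("permit", ip_network("0.0.0.0/0"), None, None)]
)

def evaluate(dst, proto="tcp", port=443, acl=REDIRECT_ACL):
    """Action of the first matching rule; 'deny' if nothing matches (implicit deny)."""
    dst = ip_address(dst)
    for action, net, rproto, rport in acl:
        if dst in net and rproto in (None, proto) and rport in (None, port):
            return action
    return "deny"

def url_allowed(host, whitelist):
    """The WLC prepends '*.' to each entry, so 'google.com' covers its subdomains.
    Matching the bare name as well is an assumption of this model."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (w.lower() for w in whitelist))

def check_acl(acl=REDIRECT_ACL):
    """Return a list of problems: things the post says must be denied or permitted."""
    problems = []
    if evaluate(GATEWAY.split("/")[0], acl=acl) != "deny":
        problems.append("default gateway reachable")
    for n in INTERNAL:
        if evaluate(str(ip_network(n)[1]), acl=acl) != "deny":
            problems.append(f"internal {n} reachable")
    for p in PSN_NODES:
        if evaluate(p.split("/")[0], acl=acl) != "permit":
            problems.append(f"PSN {p} blocked")
    if evaluate("8.8.8.8", proto="udp", port=DNS_PORT, acl=acl) != "permit":
        problems.append("DNS blocked")
    if evaluate("142.250.74.78", acl=acl) != "permit":   # constructed Google Play address
        problems.append("general internet blocked")
    return problems
```

Moving the final permit-any above the deny rules makes `check_acl` report the gateway and internal ranges as reachable, which is exactly the misordering that breaks the connectivity check described above.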

Good luck!