Thanks for that script! I found albert.apple.com is the DNS request the iPhone makes when trying to activate today. Resolves to one IP in Akamai's CDN network from our campus. Will give that a shot today.
--Britton

BTW Hunter, nice sweep for your Chargers hockey team last weekend! ;)

Britton Anderson <[email protected]> | Senior Network Communications Specialist | University of Alaska <http://www.alaska.edu/oit> | 907.450.8250

On Fri, Jan 9, 2015 at 12:42 PM, Hunter Fuller <[email protected]> wrote:
> You can run this to get Google IP ranges. Thanks to Todd Swatling of
> Vassar for this.
>
> dig +noall +answer TXT _netblocks.google.com _netblocks2.google.com _netblocks3.google.com | cut -d'"' -f2 | tr ' ' '\n' | grep ^ip | sed 's/ip[4-6]://g'
>
> --
> Hunter Fuller
> Network Engineer
> VBRH M-9B
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
>
> I am part of the UAH Safe Zone LGBTQIA support network:
> http://www.uah.edu/student-affairs/safe-zone
>
> On Thu, Jan 8, 2015 at 7:41 PM, Britton Anderson <[email protected]> wrote:
> > These devices prompt for a wireless network during the activation process,
> > but won't let a webauth succeed.
> >
> > I like Hunter's idea of adding the Apple/Google/Antivirus sites to the
> > pre-webauth ACL. Cisco WLCs won't let you use DNS names for ACL entries,
> > d'oh! Is there a known list of these hosts somewhere before I go sniffing
> > wireless traffic?
> >
> > Thanks,
> > Britton
> >
> > Britton Anderson | Senior Network Communications Specialist | University of
> > Alaska | 907.450.8250
> >
> > On Thu, Jan 8, 2015 at 4:24 PM, Mike King <[email protected]> wrote:
> >>
> >> Maybe I'm oversimplifying this, but for the "average" user, don't those
> >> devices have to be activated BEFORE you can see the settings screen?
> >>
> >> Mike
> >>
> >> On Thu, Jan 8, 2015 at 6:31 PM, Hunter Fuller <[email protected]> wrote:
> >>>
> >>> This is what we do. While not authenticated to wireless you can still get
> >>> to a few places - Microsoft, Apple, Google search, antivirus vendors.
> >>>
> >>> --
> >>> Hunter Fuller
> >>> OIT
> >>>
> >>> Sent from my phone.
> >>>
> >>> On Jan 8, 2015 5:11 PM, "Frank Sweetser" <[email protected]> wrote:
> >>>>
> >>>> We already have an unencrypted ssid for students to get to our
> >>>> onboarding system (Cloudpath). Our plan for this summer is to poke enough
> >>>> firewall holes for students to also run through the device activation
> >>>> process. If we were to try to impose any kind of device security policies,
> >>>> we would do it in the onboarding process.
> >>>>
> >>>> On January 8, 2015 5:54:01 PM EST, Britton Anderson
> >>>> <[email protected]> wrote:
> >>>>>
> >>>>> I just wanted to ask the question to see what all of you are doing at
> >>>>> your institutions to handle users activating new devices. New iOS devices
> >>>>> for example have to reach out to iCloud to validate themselves and make sure
> >>>>> they're not stolen. Android now with version 5 is very similar, having to
> >>>>> reach out to the mothership and join to a Google account.
> >>>>>
> >>>>> Are any of you doing an "SSID-Activate" WLAN, or requiring clients to
> >>>>> bring it by your respective Help Desks for activation?
> >>>>>
> >>>>> Right now, we are requiring anyone that wants a device activated to
> >>>>> have our Desktop techs touch it and give them pointers to secure it.
> >>>>> However, we've lost some budget, and some employees, and they can't keep a
> >>>>> guy in the office to handle that influx of people anymore. And I don't want
> >>>>> the headache of a wide open WLAN everywhere, and none of the devices will
> >>>>> allow the webauth transaction to happen before the device is activated.
> >>>>>
> >>>>> Thanks,
> >>>>> --Britton
> >>>>>
> >>>>> Britton Anderson | Senior Network Communications Specialist |
> >>>>> University of Alaska | 907.450.8250
> >>>>>
> >>>>> ********** Participation and subscription information for this EDUCAUSE
> >>>>> Constituent Group discussion list can be found at
> >>>>> http://www.educause.edu/groups/.
> >>>>
> >>>> --
> >>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
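
The pipeline quoted in this thread yields CIDR ranges, while the ACL entries under discussion are IP-based; the following is an added example (not written by any poster) that joins multi-string TXT data, extracts the ranges and prints IPv4 address/netmask pairs. The sample answer, the function names and the "address netmask" output layout are assumptions, and the data is constructed from documentation ranges so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). SAMPLE_ANSWER is constructed: it mimics
# `dig +noall +answer TXT` output using documentation address ranges.
SAMPLE_ANSWER='_netblocks.example.net. 300 IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51." "100.7 ip6:2001:db8::/32 ~all"
_netblocks2.example.net. 300 IN TXT "v=spf1 ip4:203.0.113.0/28 ip4:192.0.2.0/24 ~all"'

# extract_cidrs FAMILY (4 or 6): dig answer lines on stdin, unique ranges out.
# Multi-string TXT data ("a" "b") is joined first, as SPF processing does.
extract_cidrs() {
    sed 's/" "//g' | tr ' "' '\n\n' | grep "^ip$1:" | sed "s/^ip$1://" |
        LC_ALL=C sort -u
}

# prefix_to_mask N: dotted netmask for an IPv4 prefix length (25 -> 255.255.255.128).
prefix_to_mask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
        else octet=$((256 - (1 << (8 - p)))); p=0
        fi
        mask="${mask}${mask:+.}${octet}"
    done
    echo "$mask"
}

# to_acl_pairs: IPv4 ranges on stdin, "address netmask" lines out.
# A bare address means /32 in SPF; anything malformed is reported on stderr
# and left out rather than written into an ACL.
to_acl_pairs() {
    while IFS=/ read -r addr prefix; do
        prefix=${prefix:-32}
        case "$prefix" in
            *[!0-9]*) echo "skipped: $addr/$prefix" >&2; continue ;;
        esac
        if [ "$prefix" -gt 32 ]; then
            echo "skipped: $addr/$prefix" >&2; continue
        fi
        echo "$addr $(prefix_to_mask "$prefix")"
    done
}

printf '%s\n' "$SAMPLE_ANSWER" | extract_cidrs 4 | to_acl_pairs
```

To use live data, pipe the output of the `dig +noall +answer TXT ...` command from the thread into `extract_cidrs 4 | to_acl_pairs`. Published ranges change over time, so compare each run against the previous one before touching the ACL.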
