I was wondering what others were doing for Chromebooks?
We implemented our installation before Onboarding could really handle Chromebooks and we are a large school district that has over 6000 Chromebooks, as well as at least 4000 other devices (iPad, Win7, Macs). We have had no problem with all of those devices but the Chromebooks are killing us. We utilize Clearpass and currently, we are taking a "calculated risk" by only checking that the device type contains 'chrome' and then checking for valid AD credentials through PEAP. I know that this puts us at risk of students bringing in their own Chromebooks from home and using a valid user/password to gain access to the campus network, but the bigger problem right now is one I've been working on for months with Aruba TAC (and honestly haven't gotten very far with them on it).
A small percent (~5%) of our Chromebooks daily will not connect for some time and then randomly decide to connect. I have discovered that at least a large portion of these are because Clearpass (or the controller) is not receiving (or calculating) the device type. We are pushing a 'chromebook' user name and password through the Google Admin Console to all of the Chromebooks that we are administrating, so I know the credentials are correct. In fact, if I do a search in the Clearpass Access Tracker for user='chromebook' and service!=<my chromebook service policy> I can find all of the devices not connecting at different parts of the day. This is because the device type is not coming in, so Clearpass is slotting the device into my standard wifi service that checks for certificates. These Chromebooks are obviously denied by this policy. I'm not sure if the Chromebook is not sending something at times where the controller is unable to identify the device type or if there is a bug or some issue with the Aruba gear.
Finally, to my point: What are best practices for getting Chromebooks on the network with Aruba/Clearpass? I had two thoughts offhand with some questions that may be able to be answered here, as well as soliciting your responses on how you guys and gals handle Chromebooks:
1. Allow users to onboard the Chromebooks and then I will have a correlation from the device to the user that onboarded it (through their user name) for future troubleshooting. The bad part here is we currently only allow our technicians to onboard and we limit this by only allowing one user name in the district to be able to onboard devices. I don't want to open it up so that a student can go through the onboard process and be able to onboard their own personal cell phone, as well. Is there a whitelist of sorts where I might be able to have a list of our Chromebook MAC addresses and only have them be onboarded? Or maybe limit onboarding to one device per user and then try and keep track of the students that onboard their phones and revoke those certs and explain that they have only one onboard request and it must be for their Chromebook? Sounds like a management nightmare either way but it is the nature of the beast. Also, we wipe out our Chromebooks fairly frequently when they have issues, so that would be a headache for the student to onboard every time their device comes back from the repair center and has been powerwashed of all of its settings.
2. Use a 'generic' cert that we push from the Google Admin Console where all devices share the cert and we check for that in Clearpass. This would help to keep students' personal devices off of the network but it would mean a student could get that cert (potentially) and put it on their phones since it would not be unique to a device.
Any help on any of this is greatly appreciated. Any other suggestions are welcomed! I'm really struggling with Chromebooks right now.
Thanks!
McFly