Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Handling Chromebooks

  • 1.  Handling Chromebooks

    Posted Mar 21, 2016 06:53 AM

    I was wondering what others were doing for Chromebooks?

    We implemented our installation before Onboarding could really handle Chromebooks and we are a large school district that has over 6000 Chromebooks, as well as at least 4000 other devices (iPad, Win7, Macs).  We have had no problem with all of those devices but the Chromebooks are killing us.  We utilize Clearpass and currently, we are taking a "calculated risk" by only checking that the device type contains 'chrome' and then checking for valid AD credentials through PEAP.  I know that this risks students bringing in their own Chromebooks from home and using a valid user/password to gain access to the campus network but the bigger problem right now is one I've been working on for months with Aruba TAC (and honestly haven't gotten very far with them on it).

    A small percent (~5%) of our Chromebooks daily will not connect for some time and then randomly decide to connect.  I have discovered that at least a large portion of these are because Clearpass (or the controller) is not receiving (or calculating) the device type.  We are pushing a 'chromebook' user name and password through the Google Admin Console to all of the Chromebooks that we are administrating so I know the credentials are correct.  In fact, if I do a search in the Clearpass Access Tracker for user='chromebook' and service!=<my chromebook service policy> I can find all of the devices not connecting at different parts of the day.  This is because the device type is not coming in so Clearpass is slotting the device in my standard wifi service that checks for certificates. These Chromebooks are obviously denied by this policy.  I'm not sure if the Chromebook is not sending something at times where the controller is unable to identify the device type or if there is a bug or some issue with the Aruba gear.

    Finally to my point!:  What are best practices for getting Chromebooks on the network with Aruba/Clearpass?  I had two thoughts offhand with some questions that may be able to be answered here, as well as soliciting your responses on how you guys and gals handle Chromebooks:

    1. Allow users to onboard the Chromebooks and then I will have a correlation from the device to the user that onboarded it (through their user name) for future troubleshooting.  The bad part here is we currently only allow our technicians to onboard and we limit this by only allowing one user name in the district to be able to onboard devices.  I don't want to open it up so that a student can go through the onboard process and be able to onboard their own personal cell phone, as well.  Is there a whitelist of sorts where I might be able to have a list of our Chromebook mac addresses and only have them be onboarded?  Or maybe limit onboarding to one device per user and then try and keep track of the students that onboard their phones and revoke those certs and explain that they have only one onboard request and it must be for their Chromebook?  Sounds like a management nightmare either way but it's the nature of the beast.  Also we wipe out our Chromebooks fairly frequently when they have issues so that would be a headache for the student to onboard every time their device comes back from the repair center and has been powerwashed of all of its settings.

    2. Use a 'generic' cert that we push from the Google Admin Console where all devices share the cert and we check for that in Clearpass.  This would help to keep students' personal devices off of the network but it would mean a student could get that cert (potentially) and put it on their phones since it would not be unique to a device.

    Any help on any of this is greatly appreciated.  Any other suggestions are welcomed!  I'm really struggling with Chromebooks right now.

    Thanks!

    McFly



  • 2.  RE: Handling Chromebooks

    Posted Mar 21, 2016 07:15 AM

    In order for ClearPass to get the profile information, the device needs to be able to get an IP address first, but because 802.1X is a layer 2 authentication the device only gets an IP address after it has successfully authenticated.

    If you include "profile endpoints" as part of the authentication process, and if the device profile is unknown, place it in a transition VLAN; just allow the device to get an IP address and ClearPass can get the profile information.

    If you are running 6.5 you could use your Google console as a context server:
    http://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.5.3/Content/PriorNew/OldNew_MDM.htm

    This will give you the option to onboard based on whether the Chromebook is part of the managed devices in the Google Admin Console.

    Sent from Outlook for iPhone



  • 3.  RE: Handling Chromebooks

    Posted Mar 21, 2016 01:48 PM

    Thanks for the reply!

    Could you elaborate on this or do you know if there is more documentation on the options?  Does this onboard the device or just allow us to authenticate devices that are in the Google Admin Console?

    I have found that Aruba is lacking in documentation and specifically in examples on how to get things set up and what the possibilities are.  I see a lot of features but there aren't many clear guides or usage examples to show what you could use a feature for...

    Judging by these two lines below, I understand this is a service option to authenticate based on something like 'is this device in the admin console' or similar.

    Thanks again for your reply!

    When all configuration is complete in the Google Developers Console and in CPPM, subsequent MDM polling cycles will fetch the MDM data for the Google Chrome Devices and add that to the endpoints, profiling data to use with functionality of ClearPass Policy Manager, such as in creating and configuring policies and services. The details of the devices fetched can be seen from several places in the UI.
    @Victor Fabian wrote:
    If you are running 6.5 you could use your Google console as a context server
    http://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.5.3/Content/PriorNew/OldNew_MDM.htm

    This will give you the option to onboard based on whether the Chromebook is part of the managed devices in the Google Admin Console.

    In order for ClearPass to get the profile information, the device needs to get an IP address, and because 802.1X is a layer 2 authentication the device gets an IP address after it successfully authenticates.

    You can use the option mentioned above as a condition, or include the profile endpoints as part of the authentication process and, if the device profile is unknown, place it in a transition VLAN; just allow the device to get an IP address and ClearPass can get the profile information.
    Sent from Outlook for iPhone



  • 4.  RE: Handling Chromebooks
    Best Answer

    Posted Mar 23, 2016 10:53 PM

    Could you elaborate on this or do you know if there is more documentation on the options?  

    Does this onboard the device or just allow us to authenticate devices that are in the Google Admin Console?

    This is just to use this as a condition to allow your devices to be onboarded; it gives more control over what devices can or can't onboard.

    Here you go:

    http://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.5.3/Content/PriorNew/OldNew_MDM.htm 

    Steps in the Google Developer Console:

     1. Make sure to enable the Admin SDK API.
     2. Create a new Client ID and Client Secret (select Web Application as the Application Type).
     3. Create a Consent Screen with the desired logo and text (this screen is seen by the ClearPass administrator when authorizing ClearPass Policy Manager; more below).
     4. Add Redirect URIs. This is of the format https://<clearpass-server>/async_netd/mdm/oauth/google, where “clearpass-server” should be a fully qualified domain name (FQDN) and not an IP address. This server should be reachable by that FQDN from the device the administrator is using to access the ClearPass Admin UI over a Web browser.
     5. Configure the domain's security setting to allow API access.

    Steps in ClearPass Policy Manager:

     1. Go to Administration > External Servers > Endpoint Context Servers > Add. On the Server tab, select Google Admin Console in the Select Server Type drop-down list.
     2. Enter the valid Client ID and Client Secret that were configured in the Google Developer Console.
     3. Click Save to save the Client ID and Client Secret. This also enables the Authorize ClearPass button.
     4. Click Authorize ClearPass. The Google page for entering the username and password for the Google domain (account) opens in a new tab or window.
     5. Enter the credentials. A consent screen (the one that was set up in the Google Console steps) is displayed, where you will be given the choice to authorize ClearPass to communicate with the Google Admin Console to fetch the MDM data for the Google Chrome Devices registered with the domain.
     6. After the approval, the status of the operation is displayed — either that a “Refresh Token has been fetched and saved”, or an error message.
     7. You can return to the main ClearPass Admin UI window and make additional selections (such as enabling ClearPass to poll for MDM data) before you click Save to save the settings.

    When all configuration is complete in the Google Developers Console and in CPPM, subsequent MDM polling cycles will fetch the MDM data for the Google Chrome Devices and add that to the endpoints, profiling data to use with functionality of ClearPass Policy Manager, such as in creating and configuring policies and services. The details of the devices fetched can be seen from several places in the UI. The figures below show details of a Google Chrome Device whose MDM data was fetched by ClearPass from the Google Admin Console. This information is displayed when an endpoint row is clicked at Configuration > Identity > Endpoints. The list of devices (rows) can be filtered by using the filter attribute Source > contains > Google Admin Console.



  • 5.  RE: Handling Chromebooks

    Posted Apr 06, 2016 07:41 PM

    I have a customer that we configured to poll the Google Admin Console as well. This seems to work well and we can make decisions on whether the chromebook is managed by the organization or personal. 



  • 6.  RE: Handling Chromebooks

    Posted Sep 27, 2017 09:47 AM

    I know this is an old post, but I am having difficulty in authorizing ClearPass. The error message is:

    502 Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /async_netd/mdm/oauth/google.

    Can anyone help me? What is the problem here?



  • 7.  RE: Handling Chromebooks

    Posted Apr 17, 2018 07:38 PM

    Don't you lose user identity with this method?

    I don't have access to set this up to see what attributes are returned. 

    Or, is the idea you user-auth with PEAP/EAP and just confirm the endpoint (via MAC address, I guess?) is managed?

    EDIT: After seeing the workflow, I realize my "OR" statement is correct. You key off of the Endpoint:Source (etc.). It definitely helped seeing what was imported etc.
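As an added illustration (not code from the thread, from ClearPass or from Aruba), the following Python model contrasts the two service rules discussed above: the "device type contains 'chrome' plus valid PEAP credentials" rule the original poster runs in post 1, and the "Endpoint:Source is Google Admin Console plus valid credentials" rule that posts 2, 4 and 7 converge on. It also reproduces the Access Tracker search from post 1 (user='chromebook' and service != the Chromebook service) over rows the model generates, so you can see which managed devices each rule misroutes. Every MAC address, account, password, service name and endpoint row is constructed; the `Source` and `Device Type` attribute names follow the Endpoints view described in post 4, but nothing here calls a ClearPass API or an AD server.

```python
"""Toy model of the two ClearPass service rules discussed in this thread.

Added example with constructed data only. It is not ClearPass code and does
not talk to ClearPass, Google or Active Directory.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed endpoint table, shaped like Configuration > Identity > Endpoints
# after the Google Admin Console context server has polled. Keyed by MAC.
ENDPOINTS = {
    # district-managed Chromebook whose profile came through normally
    "aa:bb:cc:00:00:01": {"Source": "Google Admin Console", "Device Type": "Chrome OS"},
    # district-managed Chromebook whose device type was never learned (the ~5% case)
    "aa:bb:cc:00:00:02": {"Source": "Google Admin Console", "Device Type": ""},
    # a student's personal Chromebook: profiled, but not in the Admin Console
    "aa:bb:cc:00:00:03": {"Source": "Endpoint Profiler", "Device Type": "Chrome OS"},
    # a student's phone
    "aa:bb:cc:00:00:04": {"Source": "Endpoint Profiler", "Device Type": "Android"},
}

# Stand-in for the AD/PEAP credential check (constructed accounts).
VALID_CREDS = {("chromebook", "pushed-by-gac"), ("student1", "student1-pw")}

CHROMEBOOK_SERVICE = "Chromebook-Service"
STANDARD_SERVICE = "Standard-WiFi-Service"  # the cert-checking service Chromebooks fall into


@dataclass(frozen=True)
class AuthRequest:
    mac: str
    user: str
    password: str


def creds_ok(req: AuthRequest) -> bool:
    return (req.user, req.password) in VALID_CREDS


def device_type_policy(req: AuthRequest) -> tuple[str, str]:
    """The 'calculated risk' rule from post 1: device type contains 'chrome'
    AND the PEAP credentials are valid. Returns (service matched, result)."""
    ep = ENDPOINTS.get(req.mac, {})
    if "chrome" in ep.get("Device Type", "").lower():
        return CHROMEBOOK_SERVICE, ("ACCEPT" if creds_ok(req) else "REJECT")
    # No usable device type: the request lands in the standard service,
    # which expects a certificate this device does not have.
    return STANDARD_SERVICE, "REJECT"


def managed_source_policy(req: AuthRequest) -> tuple[str, str]:
    """The rule from posts 2, 4 and 7: key off Endpoint:Source so only a MAC
    the Google Admin Console reports as managed reaches the Chromebook
    service, then check the user's PEAP credentials."""
    ep = ENDPOINTS.get(req.mac, {})
    if ep.get("Source") == "Google Admin Console":
        return CHROMEBOOK_SERVICE, ("ACCEPT" if creds_ok(req) else "REJECT")
    return STANDARD_SERVICE, "REJECT"


def simulate(policy, requests):
    """Run a policy over requests and return Access Tracker-like rows."""
    rows = []
    for req in requests:
        service, result = policy(req)
        rows.append({"user": req.user, "mac": req.mac, "service": service, "result": result})
    return rows


def misrouted_chromebooks(rows, user="chromebook", service=CHROMEBOOK_SERVICE):
    """The Access Tracker search from post 1:
    user='chromebook' and service != <chromebook service>.
    Returns the MACs of managed Chromebooks that fell into the wrong service."""
    return sorted({r["mac"] for r in rows if r["user"] == user and r["service"] != service})


# Constructed batch of authentication attempts.
REQUESTS = [
    AuthRequest("aa:bb:cc:00:00:01", "chromebook", "pushed-by-gac"),
    AuthRequest("aa:bb:cc:00:00:02", "chromebook", "pushed-by-gac"),
    AuthRequest("aa:bb:cc:00:00:03", "student1", "student1-pw"),
    AuthRequest("aa:bb:cc:00:00:04", "student1", "student1-pw"),
]

if __name__ == "__main__":
    for policy in (device_type_policy, managed_source_policy):
        rows = simulate(policy, REQUESTS)
        print(policy.__name__)
        for row in rows:
            print("  ", row)
        print("   misrouted managed Chromebooks:", misrouted_chromebooks(rows))
```

Running it shows the two failure modes side by side: under the device-type rule the managed Chromebook with an empty device type is misrouted to the standard service (the symptom the Access Tracker search surfaces), while the personal Chromebook with a valid student login is accepted; under the managed-source rule neither happens, because the decision rests on the Admin Console's device list rather than on profiling having succeeded for that session, and the user is still identified by the PEAP credentials.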