Higher Education


Support for Amazon Echo and other personal assistants

  • 1.  Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 10:49 AM

    Hi. We have a fairly restricted SSID for "IoT" type devices that uses MAC auth (via Clearpass reg) and WPA2 PSK. We do not have AirGroup enabled yet. We restrict 802.1x capable devices from connecting to this (we want them on eduroam). We explicitly allow specific device types (gaming consoles and video streaming devices) and basically deny everything else, including personal assistants.  We want to add support for this latter group.

     

    I'm wondering if anyone allows Amazon Echo  only as an L3 connected device, no L2 communication (i.e. no AirGroup). In this setup is it useful as a device? Are users ok with this or do they (would they) demand L2 connectivity to their other devices? If you allow L2 (say, via AirGroup) what other devices can users connect? Everything? A Nest? A security cam? Just seems like a slippery slope...I don't own a personal assistant so don't really know what the limitations are if an Echo can't discover other devices.

     

    Thanks in advance,

    Mike



  • 2.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 01:13 PM

    Mike,

       As far as the Echo specifically it is tied to a user's Amazon account and only those they share it with through their Amazon account can use it so that is not so much of a problem. Google personal assistants are a little bit different in that any android device and most apple devices that have the google home app (used for chromecast, google home, other google IoT devices) can see any device.  The way to mitigate that is through user education.  Within the device settings for a google home or chromecast there is an option to disallow other devices from controlling the content.

     

    We allow personal assistants on our network but they are on a specific network only for "entertainment" devices.  It is designed to be separated by VLAN as our "entertainment" device network is open and then restricted within Clearpass Guest.  In our environment the entertainment devices are on a separate SSID and VLAN than any smartphones, tablets, or computers. Edit---smartphones are still able to cast video, sound, etc to these assistance devices.

     

    We do have airgroup installed and running on our network but it is mostly due to classrooms that have Apple TV installed in them.  Within clearpass guest on the setup page for registering the device you can choose what settings the user has access to change.  If you don't give them access to certain fields they can't change them while you as an admin can then hardset those settings.  So you could remove their ability to enable airgroup and just set it as disabled even if on other SSIDs you do run airgroup.



  • 3.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 01:25 PM

    @Hephzibah11 wrote:

    Mike,

       As far as the Echo specifically it is tied to a user's Amazon account and only those they share it with through their Amazon account can use it so that is not so much of a problem. Google personal assistants are a little bit different in that any android device and most apple devices that have the google home app (used for chromecast, google home, other google IoT devices) can see any device.  The way to mitigate that is through user education.  Within the device settings for a google home or chromecast there is an option to disallow other devices from controlling the content.

     

    We allow personal assistants on our network but they are on a specific network only for "entertainment" devices.  It is designed to be separated by VLAN as our "entertainment" device network is open and then restricted within Clearpass Guest.  In our environment the entertainment devices are on a separate SSID and VLAN than any smartphones, tablets, or computers. Edit---smartphones are still able to cast video, sound, etc to these assistance devices.

    How are you allowing this? Via AirGroup?

     

    We do have airgroup installed and running on our network but it is mostly due to classrooms that have Apple TV installed in them.  Within clearpass guest on the setup page for registering the device you can choose what settings the user has access to change.  If you don't give them access to certain fields they can't change them while you as an admin can then hardset those settings.  So you could remove their ability to enable airgroup and just set it as disabled even if on other SSIDs you do run airgroup.

     

    Thanks for the reply. We also use a separate SSID for IoT devices. Are there already device signatures for Echo and Google Home in Clearpass or did you have to write them?

     

    I'm also interested in knowing if these personal assistants function at all in the absence of connecting to other devices. That is, if we allow them on the network but do not allow them to be included in AirGroup (which is not currently enabled) are they useful to users? Without L2 device discovery I imagine one cannot even stream audio to it.


     



  • 4.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 01:27 PM

    As a side note for Google Home devices and anyone using gmail for student emails Google now requires access to Google Personal Assistant to use/setup the Google Home device.

     

    AirGroup and everything can be setup perfectly but our students now have to use a personal gmail account for this because our G-suite doesn't allow us to turn it on for anyone.



  • 5.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 01:56 PM

    Why would a student not want to use their personal account?



  • 6.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 24, 2018 09:03 AM

    @cappalli wrote:

    Why would a student not want to use their personal account?


    That's my normal thought process, but that isn't a user driven question. The students I've worked with so far nearly exclusively use their school gmail, it is personal to them. The last one I worked with didn't have any other gmail accounts, so we had to create one; then they get confused sending a hangout/txt on an Android as who it sends as.



  • 7.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 01:19 PM

    Hey Mike, just to clarify, AirGroup does NOT grant L2 access between devices. It simply proxies the advertisement. AirGroup does not control datapath.



  • 8.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 01:29 PM

    Thanks Tim. I chose the wrong nomenclature. Yes, not L2 but converted mcast to devices in the container.

     

    I'm still trying to understand if, in the absence of L2 discovery or converted mcast-to-unicast communication within a user's container, a personal assistant is useful. We currently block L2 and do not have AirGroup enabled. So if today Echos are allowed to be registered and connected via Mac auth to our WPA2 SSID are they of any use?



  • 9.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 02:31 PM

    I would say that yes if they can connect to the internet they would be useful.  I personally have had both google home and echo devices.  The echo device can be controlled from anywhere.  I can be at work 60 miles from home and connect to my echo at home and play music from it because it does not rely on L2 connectivity.

     

    On our campus we only allow airgroup for Apple TV and personal assistants, and other IoT devices, work without issue.  Casting directly from one device to another doesn't work* without L2 capability as it is pulling from one device to another but if it can pull the content from the internet it can work and the users phone, tablet, or laptop can control the device.

     

    Thanks for the reply. We also use a separate SSID for IoT devices. Are there already device signatures for Echo and Google Home in Clearpass or did you have to write them?

     

    There are already signatures built into clearpass for both the google home and for the amazon echo.  The google home will come in as a chromecast.  The Echo on the other hand requires a bit more tuning after registered.  I have found that all Amazon devices come in as an amazon tablet.  It is fairly easy to change and I have trained our Help Desk to edit the device to an Echo and then it works without issue.

     

    *The casting feature does work with the chromecast if you setup guest mode which enables casting while not on the same network.  In that case they could be on their cell network and cast to a chromecast connected to the wifi which again is an L3 not an L2 connection.



  • 10.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 02:47 PM

    Googlecast does not require L2 if AirGroup is enabled.



  • 11.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 03:00 PM

    Does Clearpass have readily available fingerprints for Echo, Chromecast, and Google Assistant? It seems Echo, at least Echo Dot, is being identified as a Kindle in 6.6.8



  • 12.  RE: Support for Amazon Echo and other personal assistants

    Posted Jan 23, 2018 03:06 PM

    mldickson wrote:

    Does Clearpass have readily available fingerprints for Echo, Chromecast, and Google Assistant? It seems Echo, at least Echo Dot, is being identified as a Kindle in 6.6.8

     

    Yes it does have fingerprints available for Echo.  All amazon products come in as a kindle fire.  Fire TV, Echo, and fire tablets all categorise the same until Amazon fixes it.  The echo is under Home Audio/Video->Amazon->Echo.  The google home or assistant and chromecast should both drop in as chromecast.  So in that case it would be Home audio/video->Chromecast->Chromecast Media Player.  There is not a tag for a Google Home outside of the chromecast because like the Amazon devices they are built on the same architecture and most people don't care how it categorizes in a home network.