Higher Education

Regular Contributor I

Support for Amazon Echo and other personal assistants

Hi. We have a fairly restricted SSID for "IoT" type devices that uses MAC auth (via ClearPass reg) and WPA2 PSK. We do not have AirGroup enabled yet. We restrict 802.1X-capable devices from connecting to this (we want them on eduroam). We explicitly allow specific device types (gaming consoles and video streaming devices) and basically deny everything else, including personal assistants. We want to add support for this latter group.

 

I'm wondering if anyone allows Amazon Echo only as an L3 connected device, no L2 communication (i.e. no AirGroup). In this setup is it useful as a device? Are users OK with this or do they (would they) demand L2 connectivity to their other devices? If you allow L2 (say, via AirGroup) what other devices can users connect? Everything? A Nest? A security cam? Just seems like a slippery slope... I don't own a personal assistant so don't really know what the limitations are if an Echo can't discover other devices.

 

Thanks in advance,

Mike

11 REPLIES
Occasional Contributor II

Re: Support for Amazon Echo and other personal assistants

Mike,

As far as the Echo specifically, it is tied to a user's Amazon account, and only those they share it with through their Amazon account can use it, so that is not so much of a problem. Google personal assistants are a little bit different in that any Android device and most Apple devices that have the Google Home app (used for Chromecast, Google Home, other Google IoT devices) can see any device. The way to mitigate that is through user education. Within the device settings for a Google Home or Chromecast there is an option to disallow other devices from controlling the content.

 

We allow personal assistants on our network, but they are on a specific network only for "entertainment" devices. It is designed to be separated by VLAN, as our "entertainment" device network is open and then restricted within ClearPass Guest. In our environment the entertainment devices are on a separate SSID and VLAN from any smartphones, tablets, or computers. Edit---smartphones are still able to cast video, sound, etc. to these assistant devices.

 

We do have AirGroup installed and running on our network, but it is mostly due to classrooms that have Apple TV installed in them. Within ClearPass Guest, on the setup page for registering the device, you can choose what settings the user has access to change. If you don't give them access to certain fields they can't change them, while you as an admin can then hard-set those settings. So you could remove their ability to enable AirGroup and just set it as disabled even if on other SSIDs you do run AirGroup.

Guru Elite

Re: Support for Amazon Echo and other personal assistants

Hey Mike, just to clarify, AirGroup does NOT grant L2 access between devices. It simply proxies the advertisement. AirGroup does not control datapath.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Support for Amazon Echo and other personal assistants


Hephzibah11 wrote:

Mike,

As far as the Echo specifically, it is tied to a user's Amazon account, and only those they share it with through their Amazon account can use it, so that is not so much of a problem. Google personal assistants are a little bit different in that any Android device and most Apple devices that have the Google Home app (used for Chromecast, Google Home, other Google IoT devices) can see any device. The way to mitigate that is through user education. Within the device settings for a Google Home or Chromecast there is an option to disallow other devices from controlling the content.

 

We allow personal assistants on our network, but they are on a specific network only for "entertainment" devices. It is designed to be separated by VLAN, as our "entertainment" device network is open and then restricted within ClearPass Guest. In our environment the entertainment devices are on a separate SSID and VLAN from any smartphones, tablets, or computers. Edit---smartphones are still able to cast video, sound, etc. to these assistant devices.

How are you allowing this? Via AirGroup?

 

We do have AirGroup installed and running on our network, but it is mostly due to classrooms that have Apple TV installed in them. Within ClearPass Guest, on the setup page for registering the device, you can choose what settings the user has access to change. If you don't give them access to certain fields they can't change them, while you as an admin can then hard-set those settings. So you could remove their ability to enable AirGroup and just set it as disabled even if on other SSIDs you do run AirGroup.

 

Thanks for the reply. We also use a separate SSID for IoT devices. Are there already device signatures for Echo and Google Home in ClearPass or did you have to write them?

 

I'm also interested in knowing if these personal assistants function at all in the absence of connecting to other devices. That is, if we allow them on the network but do not allow them to be included in AirGroup (which is not currently enabled), are they useful to users? Without L2 device discovery I imagine one cannot even stream audio to it.


 

Contributor II

Re: Support for Amazon Echo and other personal assistants

As a side note for Google Home devices and anyone using Gmail for student emails: Google now requires access to Google Personal Assistant to use/set up the Google Home device.

 

AirGroup and everything can be set up perfectly, but our students now have to use a personal Gmail account for this because our G-suite doesn't allow us to turn it on for anyone.

Regular Contributor I

Re: Support for Amazon Echo and other personal assistants

Thanks Tim. I chose the wrong nomenclature. Yes, not L2 but converted mcast to devices in the container.

 

I'm still trying to understand if, in the absence of L2 discovery or converted mcast-to-unicast communication within a user's container, a personal assistant is useful. We currently block L2 and do not have AirGroup enabled. So if today Echos are allowed to be registered and connected via MAC auth to our WPA2 SSID, are they of any use?

Guru Elite

Re: Support for Amazon Echo and other personal assistants

Why would a student not want to use their personal account?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Support for Amazon Echo and other personal assistants

I would say that yes, if they can connect to the internet they would be useful. I personally have had both Google Home and Echo devices. The Echo device can be controlled from anywhere. I can be at work 60 miles from home and connect to my Echo at home and play music from it because it does not rely on L2 connectivity.

 

On our campus we only allow AirGroup for Apple TV and personal assistants, and other IoT devices, work without issue. Casting directly from one device to another doesn't work* without L2 capability as it is pulling from one device to another, but if it can pull the content from the internet it can work and the user's phone, tablet, or laptop can control the device.

 

Thanks for the reply. We also use a separate SSID for IoT devices. Are there already device signatures for Echo and Google Home in ClearPass or did you have to write them?

 

There are already signatures built into ClearPass for both the Google Home and for the Amazon Echo. The Google Home will come in as a Chromecast. The Echo, on the other hand, requires a bit more tuning after it is registered. I have found that all Amazon devices come in as an Amazon tablet. It is fairly easy to change, and I have trained our Help Desk to edit the device to an Echo and then it works without issue.

 

*The casting feature does work with the Chromecast if you set up guest mode, which enables casting while not on the same network. In that case they could be on their cell network and cast to a Chromecast connected to the Wi-Fi, which again is an L3, not an L2, connection.

Guru Elite

Re: Support for Amazon Echo and other personal assistants

Googlecast does not require L2 if AirGroup is enabled.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Support for Amazon Echo and other personal assistants

Does ClearPass have readily available fingerprints for Echo, Chromecast, and Google Assistant? It seems Echo, at least Echo Dot, is being identified as a Kindle in 6.6.8.
