Chromebook Management - Wifi

[Simon Wright]

Howdy,

Is anyone using WPA2 Enterprise connection for their managed chromebooks with the ${LOGIN_ID}  and  ${PASSWORD} variables?

Are you having any success?

When i log in it wont connect and looking at the NPS logs its not actually parsing the username, its just sending through the variable string of ${LOGIN_ID}

Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga

DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

[Andrew Godfrey]

We're not using that functionality on our managed devices but do recommend students to set there EAP themselves if they want to use 802.1x on their own chromebooks.

The only OS that connects reliably using 802.1x on our network without manually changing their EAP is MacOS/OSX and iOS.

Maybe try these settings?

Andrew Godfrey  |  Network Manager

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Simon Wright]

Manually connecting using PEAP and MS-CHAP v2 works fine, thats how all students connect with any device.

This is just for our managed chromebooks. the google documentation says you can use these variables, so when a student logs in it would connect to the wifi as them (being that their login id and password are the same as their AD credentials).

I want to do these rather than using our WPA2 PSK SSID which doesn't have the same filtering applied nor will our firewall no who the user is. Its a vlan meant for legacy devices and chromecasts etc.

I do have another policy applied to the device for that network so the chromebook has internet prior to login. Just want it to change to the student once logged in. Essentially the same as what we do for staff laptops. 

How are you connecting your managed devices? have you got a separate SSID/vlan for them?

ref: https://support.google.com/a/answer/2634553?visit_id=1-636622018967125209-1202264282&rd=1#variables

Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.

To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Pete Eaton]

We create DPSKs for our Chromebooks - one for each student and stick on a sticker on the bottom.  

Then if they need to be powerwashed, the WIFI password (which gets locked to MAC on first use) is on the device.

For roll out, we can open the box, stick the sticker on and then hand it to the student.  We are 1:1, school supplied Chromebooks.

Pete

Sent from my iPhone

On 18/05/2018, at 4:41 PM, Simon Wright <simon....@obhs.school.nz> wrote:

Manually connecting using PEAP and MS-CHAP v2 works fine, thats how all students connect with any device.

This is just for our managed chromebooks. the google documentation says you can use these variables, so when a student logs in it would connect to the wifi as them (being that their login id and password are the same as their AD credentials).

I want to do these rather than using our WPA2 PSK SSID which doesn't have the same filtering applied nor will our firewall no who the user is. Its a vlan meant for legacy devices and chromecasts etc.

I do have another policy applied to the device for that network so the chromebook has internet prior to login. Just want it to change to the student once logged in. Essentially the same as what we do for staff laptops. 

How are you connecting your managed devices? have you got a separate SSID/vlan for them?

ref: https://support.google.com/a/answer/2634553?visit_id=1-636622018967125209-1202264282&rd=1#variables

<image.png>

Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga

On Fri, 18 May 2018 at 15:49, Andrew Godfrey <godf...@burnside.school.nz> wrote:

We're not using that functionality on our managed devices but do recommend students to set there EAP themselves if they want to use 802.1x on their own chromebooks.

The only OS that connects reliably using 802.1x on our network without manually changing their EAP is MacOS/OSX and iOS.

Maybe try these settings?

<image.png>

[Kevin Whelan]

might be easier to keep the ppsk auth and then use the wifi software mac address options to direct those specific device to the correct vlan for filtering. We do that for a subset of students that have permission to use ipads during class time as we normally block all phone/ipad devices during class. works well
alot of devices don't seem to like changing from computer to user authentication once they are on the network either so the chromebooks may fall into that category

[Kevin Whelan]

https://bugs.chromium.org/p/chromium/issues/detail?id=386606

[Simon Wright]

Thanks for that Kevin.

Fills me with a great deal of confidence, especially that this has been going for 4 years and doesn't appear to be solved.

Will keep playing around.

Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga

On Mon, 21 May 2018 at 09:27, Kevin Whelan <kwhel...@gmail.com> wrote:

https://bugs.chromium.org/p/chromium/issues/detail?id=386606

anges made to this e-mail or attachments after sending.

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

[sup...@berkley.school.nz]

Good afternoon. We are using WPA2 connections on our 250+ Chromebooks and have no issues. Students LogonID and password are authenticated via AFDS and it's seamless.

Brian Bowell.,

ICT Manager

Berkley Normal Middle School.

[Simon Wright]

So finally got a chance to test some more. turns out it does work as i want, it just wasn't connecting as my test student because my user policy for the 802.1x wifi connection is applied to the OU containing the device. Once i moved my test student account into that OU it works as expected. pre-logins connect to my WPA2 for the device and once the user logins in it reconnects to the 802.1x as that user.

I have now re-done that user wifi policy on the top-level OU so it applies to any school user (as they all connect the same) and its all working as expected.

I just have to wait and see if any students come and bug me again about their own Chromebooks as previously playing with user set policies applies of course to the user regardless if its a school owned/managed chromebook or their own. Though, now the policy is set correctly and works, it should mean students on their own chromebooks should auto connect to the wifi correctly providing they haven't changed their google password separately from their network account. 

I'm going to assume that when they are at home it won't prevent them logging into their own wifi as our network wont be visible/out of range, so it should just connect to what else has been previously saved and in range

I did try applying the policy as a device policy, but the ${LOGIN_ID} and ${PASSWORD} variables don't work as a device policy, so it has to be a user policy applied to the users OU.

Doesn't work the same a good old Microsoft Group Policies.

Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga

--

You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Simon Wright]

Well i don't know. took a chromebook (managed) home and it works fine.

Today, had a couple of student come to me as their chromebooks would not connect to the wifi. The password field/variable was not working, even though they have the latest v66 of chrome os. Even if you overwrite the field with the actual password it does not work. so now i've had to remove the policy to get them working again.

Be nice to be able to apply user policies to only managed chromebooks.

Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga