RADIUS and Chromebooks


Baker, Dion

Sep 17, 2014, 10:16:51 PM
to google-chrome...@googlegroups.com
Hi All,

Some time ago, I was told by Google Support that our Chromebooks would not work in the way which we would expect them to, in regards to RADIUS, and I'd like to know if anyone can inform me of how they're addressing the issue, or if Google have fixed/will soon fix it.

Basically, we need the Chromebooks to join our wireless network using RADIUS authentication with the student's username/password. The issue, however, is that the Chromebooks need to join a wireless network and access the internet before the user even logs in.

Now, with Windows, you have a policy defining settings for the computer to join RADIUS, and that computer's Active Directory account is what's used to authenticate. When a user logs onto the computer, it then switches over to the user's Active Directory credentials and joins the wireless network using that.

Google Support told me this "switch" to the other network/credentials will not happen with Chromebooks when a user logs in. Instead, the user will need to manually switch to the other SSID/Credentials - if they don't do that, they're still authenticated to the wireless network as whichever user we've set up the Chromebook to use.

At the moment, the only solution I can see is to not have wireless settings defined for the Chromebook and have the students enter their RADIUS settings manually at the login screen, so it is then remembered in the future etc. etc. but this is not ideal - if Student A lets Student B log in to their laptop, it won't switch over to Student B's account with RADIUS auth, so actions Student B takes will be attributed to Student A. We end up in a similar situation to that we were in before.

So, seeing this is not exactly ideal for us, especially when it comes to accountability and internet filtering, I'm wondering how others are addressing the issue, if at all possible.

Any input would be greatly appreciated.

Thanks,

Dion Baker
Computing Systems Manager

Mount Gambier High School
Brownes Rd, Mount Gambier
South Australia, 5290

Phone: 08 8725 6244
Fax: 08 8723 0441

“Learning … Optimism … Enjoyment”



Antony Street

Sep 17, 2014, 10:34:39 PM
to Baker, Dion, google-chrome-.
Dion,

If it was mandatory for the students to authenticate on your wireless, I would handle it by:
  • Creating an SSID that has no authentication but is filtered so that it can only be used for authentication;
  • Applying a user-level setting to:
    • Push out the security certificates required;
    • Have the user connect to the WiFi required. They will have incentive to do this because they won't get anything otherwise.
Because you need the student to use their own credentials to log into the WiFi, it won't be possible (AFAIK) to push out the WiFi settings too.

At Thornlie Christian College we've taken a different track: we run the student WiFi as completely open but forced through our proxy filter. We can track users by IP/MAC pairings if we need to.

Perhaps you could have them log on at the proxy? That way you know where they're going.

Regards,

Antony Street
IT Manager
Thornlie Christian College



chris.beattie

Sep 18, 2014, 12:51:43 AM
to google-chrome...@googlegroups.com
Hi Dion,

Thanks for your post!  We are in the same boat.  We are using RADIUS via AD and Network Policy Server and have a range of client device types on the network.  The RADIUS accounting on the wireless controller also passes credentials to our Netbox Blue firewall so that all users logged in to the wireless network are authenticated transparently to it.  We made the call to stick to RADIUS so that we have per-user accountability and can benefit from automated reports sent to our pastoral care staff at regular intervals.

Unfortunately the Chromebooks don't work smoothly in this scenario for a couple of reasons.

Firstly, they are a pain to set up for RADIUS auth wireless networks manually.  You need to set advanced configuration items such as the EAP method, the phase 2 authentication method, the server certificate etc.  This is burdensome for users compared to Macs or PCs which are capable of automatically detecting these settings.  We walked our students with 1-1 Chromebooks through entering these settings en masse at the start of the year when they got their new Chromebooks but occasionally one will lose its network connection and throw up the settings box to the student, whereupon they change these settings in the hope of fixing it and thus prevent the device from reconnecting.

The other reason it doesn't work well is that as you say, the Chromebook saves the RADIUS credentials and reuses them regardless of the logged-in user.  As a result, we tell students with 1-1 Chromebooks not to share their devices with others and they know we will hold them responsible for any actions taken on their device.  For those we have in a trolley for shared use, we considered setting up the wireless connection using a RADIUS credential that would grant network access (authentication) but not pass through to the firewall for Internet access (accounting).  That way the firewall would present users with a captive portal page requesting their personal credentials before allowing the device to go online.  However, we felt that this was too great a burden and would hinder their use in class as each user would effectively have to log in twice each time.  Therefore as a compromise to practicality we set them all up with the same RADIUS credentials, but that means we can't track the actions of a single user on them.

It would be lovely if there were a way to enter the settings for a wireless network in the Admin Console but not the credentials, so the user would be prompted for just those.  And while I'm on a roll, there would also be a way of using the local network to authenticate wireless users against Google Apps such that a single logon to the Chromebook would authenticate to both and ensure full accountability throughout.  In the meantime I think Antony's method is the best path, if you can afford to go without having every user on the network identified 100% of the time.  Sadly we can't.

Keep in touch and let us know what you decide; I'll be following this thread with interest!
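
Added example, not part of any poster's message: a sketch of the accountability trade-off discussed in this thread, attributing proxy requests to users by joining them against RADIUS accounting sessions and downgrading the attribution when one User-Name is active on several devices at once (the shared trolley credential). All records, usernames, MACs, IPs and URLs are constructed, and the tuple layout of the records is an assumption, not any vendor's log format.

```python
from datetime import datetime

# Constructed RADIUS accounting records: time, Acct-Status-Type, Acct-Session-Id,
# User-Name, Calling-Station-Id (client MAC), Framed-IP-Address.
ACCT = [
    ("2014-09-18T09:00:00", "Start", "s1", "student.a", "AA-BB-CC-00-00-01", "10.0.0.11"),
    ("2014-09-18T09:05:00", "Start", "s2", "trolley",   "AA-BB-CC-00-00-02", "10.0.0.12"),
    ("2014-09-18T09:06:00", "Start", "s3", "trolley",   "AA-BB-CC-00-00-03", "10.0.0.13"),
    ("2014-09-18T09:30:00", "Stop",  "s1", "student.a", "AA-BB-CC-00-00-01", "10.0.0.11"),
]
# Constructed proxy log entries: time, client IP, URL.
PROXY = [
    ("2014-09-18T09:10:00", "10.0.0.11", "http://example.org/a"),
    ("2014-09-18T09:12:00", "10.0.0.12", "http://example.org/b"),
    ("2014-09-18T09:45:00", "10.0.0.11", "http://example.org/c"),
]
ts = datetime.fromisoformat

def build_sessions(acct):
    """Pair Start/Stop records by Acct-Session-Id into session dicts."""
    sessions = {}
    for when, status, sid, user, mac, ip in acct:
        if status == "Start":
            sessions[sid] = {"user": user, "mac": mac, "ip": ip, "start": ts(when), "stop": None}
        elif status == "Stop" and sid in sessions:
            sessions[sid]["stop"] = ts(when)
    return list(sessions.values())

def active(s, when):
    """True if session s held its IP at time 'when' (open sessions have no stop)."""
    return s["start"] <= when and (s["stop"] is None or when < s["stop"])

def shared_users(sessions):
    """User-Names with overlapping sessions from different MACs (shared credential)."""
    return {a["user"] for a in sessions for b in sessions
            if a["user"] == b["user"] and a["mac"] != b["mac"] and active(a, b["start"])}

def attribute(proxy, sessions):
    """Map each proxy request to (url, user, mac, confidence)."""
    shared, out = shared_users(sessions), []
    for when, ip, url in proxy:
        hit = next((s for s in sessions if s["ip"] == ip and active(s, ts(when))), None)
        if hit is None:
            out.append((url, None, None, "no-session"))  # IP had no live RADIUS session
        else:
            conf = "device-only" if hit["user"] in shared else "user"
            out.append((url, hit["user"], hit["mac"], conf))
    return out
```

Requests marked `device-only` can be tied to a MAC but not to a person, which is the gap the shared-credential compromise leaves; `no-session` entries are traffic from an IP after its accounting Stop.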

Mitch Miller

Sep 18, 2014, 12:53:46 AM
to Antony Street, Baker, Dion, google-chrome-.

We're doing exactly the same as Antony (well more or less).


Cheers,
