Assigned a specific OS to an SSID

  • 1
  • Question
  • Updated 12 months ago
I have 3 SSIDs. One with RADIUS set up for our teachers. One for guest. and One for our students. 

We are struggling with how to set up the Student SSID. We are small school 300-500 students. What I was thinking was to set up PPSK for the student account, give them their passwords and set the device limit to 1. However, as an extra precaution, set the SSID to only allow the ChromeOS. As our students only use Chromebooks.

How can I do this? Or does anyone have any better idea? We had them set up with a shared password but had problems with Chrome remembering the PW and teachers giving out the PW. Is there an option that we can link with GoogleAdmin?
Photo of Chris Snyder

Chris Snyder

  • 2 Posts
  • 0 Reply Likes

Posted 12 months ago

  • 1
Photo of Dianne Dunlap

Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
These are managed Chromebooks, are they not?  If you configure the wpa-psk + SSID in the Google-management console and only the Google admin knows it, seems like the teachers couldn't be giving it out.  Last I asked, Aerohive didn't support Google/SAML tie-in.
Photo of Chris Snyder

Chris Snyder

  • 2 Posts
  • 0 Reply Likes
They are managed Chromebooks; however, it seems like over the period of a few months they lose the password and have to be reset. 
Photo of Dianne Dunlap

Dianne Dunlap

  • 75 Posts
  • 15 Reply Likes
Gosh, we have not seen that and there are a *lot* of CBs in NC.  This is on current code?  If you put the CB on an open network when it happens and do chrome://policy > reload to bring the policy down again, does that fix?
Photo of Carsten Buchenau

Carsten Buchenau, Champ

  • 356 Posts
  • 117 Reply Likes
As for your PPSK question: You enable user-profile re-assignment based on client classification rules. You then create a "dummy" user profile, which is your default, and inside the user profile configuration you add a classification rule to assign the proper profile if OS detection is ChromeOS.

You then configure your dummy profile to either provide a fake (not configured) VLAN-ID, or set the availability schedule to 5 minutes atround 3am... Or you do other things to make it not work / tell users that they must use a school-provided Chromebook. For example, in one installation we assigned users to a quarantine-like VLAN, so they could connect and get an IP, but if they opened their browser they would get a page from our Firewall telling them that access is restricted to students with Chromebook etc.

Now, as PPSK is transparent and for your client devices looks like a shared WPA2 PSK, you might run into the same problem you have with loosing the PSK. So you might have to fix this issue first anyway.

Hope this helps...