AutoDetect ChromeBooks for VLAN routing?

  • 3
  • Question
  • Updated 5 years ago
  • Answered
I'm trying to get a new Aerohive implementation rolled out in my school. I've got RADIUS auth working through the base stations to a RADIUS server running Mac OS X 10.6 Server. I want to set up VLANs:

10 Internal/Infrastructure 10.0.1.x
20 Faculty 10.0.2.x
30 Student MacBooks 10.0.3.x
40 ChromeBooks 10.0.4.x
50 iOS 10.0.5.x
60 Guests 192.168.6.x

I've never configured VLANs before and this has been the biggest stumbling block thus far. I'm using pfSense as my router at 10.0.1.1, with DNS and DHCP being provided by a Mountain Lion Server at 10.0.1.251. I'm running 21 AP330s powered by 2 SR2024 Aerohive switches. I also have 3 pre-existing HP ProCurve 2848 managed switches in the mix.

I need to segregate all of my traffic, mostly to get a boat-load of devices on the school network (75 ChromeBooks, 20 iPads, 150 student MacBooks/iMacs, 50 faculty MacBooks, etc.).

The immediate question is this: is it possible to use OS detection to detect the ChromeBooks when a student logs in and then immediately route that system to vlan 40 with an address pool of 10.0.4.x?

Damn...reading over this post it looks like I've asked about a dozen questions.

Help?

Christopher Tawes

  • 39 Posts
  • 4 Reply Likes

Posted 5 years ago


Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You're likely going about this the wrong way - place the device into the appropriate VLAN based on its identity to the network via certificate or username/password - you could decide this based on the account the credentials link to or a group the account is a member of.

Aaron Scott

  • 43 Posts
  • 9 Reply Likes
Currently ChromeOS is not listed as an option for doing Client Classification user profile reassignment - maybe it could be a feature request?

Sam

  • 120 Posts
  • 31 Reply Likes
You can create custom OS Objects.


Click the +. This will take you to the next screen. From here you can type the name in the OS type field, and the DHCP and/or Agent String in the value fields.

Then click Apply, and lastly save.

-Sam

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
The potential downside of this is that it's not 'secure' as you are making a decision from a fingerprint rather than a strong security principle.

Again, all depends on your use case and expectations.

Cheers,

Nick

Christopher Tawes

  • 14 Posts
  • 2 Reply Likes
Thanks again for the input. As far as security goes, all the devices would be school-owned devices (MacBooks, iMacs, iPads, ChromeBooks) that would be authenticating via RADIUS/802.1X against our OD. The point of the OS detection would just be to dump the ChromeBooks into their own internet-only VLAN for student use (separate from a guest internet-only VLAN) and to give me 75 additional IP addresses (and counting) for the ChromeBook deployment. The student MacBooks need access to the network accounts hosted on three file servers, so they would need access to those servers and the internet. That's another 125 (and counting) IP addresses. The entire teaching faculty, administration, and 12-month staff have all been issued MacBooks (an additional 50 devices with associated IP addresses) that have Mobile Home Directories that sync to a network account for backup upon login or logout. They also need access to a group of faculty-only file shares and networked printers (7 printers, five total file servers).

We are a new school...we've been in operation for about 10 or 11 years now. Our network was built in year 2, so all of our infrastructure and design was done on the cheap about 8 or 9 years ago using 1 subnet (a 10.0.1.x) for every device. I was hired as tech support/software tutor for the teachers 7 years ago and had no networking experience. As our student body has grown and the use of technology has taken off, I've been teaching myself networking and this is the year that we have made a significant investment to try to "modernize" our network deployment to support not just what is in the building, but what is coming into the building (literally and metaphorically speaking).

Hence, Aerohive and VLANs and routing based on user groups to accommodate 300+ devices (and more every day)...

Anyway, thank you for the input and the advice. I am really loving the Aerohive community: friendly, responsive, helpful, encouraging.


Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
When I am designing an Aerohive wireless network I always work with the customer to determine who is going to associate and with what. From there I build a table that can be used to create suitable user profiles:



I use a table as I can easily add/remove columns for VLAN assignments, tunneling, etc. as required.

The rate limits, VLAN assignments, etc. are then created from the table rather than initially creating VLANs, etc. and trying to make them fit the user requirements.

Once I have all the appropriate information I then build the SSIDs, user profiles, etc in HiveManager and the Network Policies screen acts as an excellent summary page.

Christopher Tawes

  • 14 Posts
  • 2 Reply Likes
This looks like a great idea and a more refined method of how I'm trying to sketch out our deployment. For our school, the primary User Groups would be Faculty & Staff, Students, the occasional Contractor, and Guests. Fac/Staff would be all in-domain MacBooks and out-of-domain iOS/Android devices. Students would be all in-domain MacBooks, ChromeBooks, and iOS devices; contractors would be all out of domain with limited internal network access; and Guests would be everything else with slow, filtered internet. Looks like a good scheme!

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
You might want a design similar to the following:



You will notice that there is a Deauth_Client user profile. This user profile deauthenticates wireless clients and more information on how to configure it is available at http://community.aerohive.com/aerohiv....

If you want the faculty/staff and students to have the same user experience when connected to the Internet on a non-domain device, you have the option of using a single user profile, say BYOD_Internet, rather than the two in the table.

To identify the Chrome OS devices using DHCP option 55 you can obtain the fingerprint from FingerBank (http://www.fingerbank.org/english/abo...):


[os 513]
description=Chrome OS
fingerprints=<<EOT
1,121,33,3,6,12,15,26,28,51,54,58,59,119
EOT


The only rate limiting is being applied to contractors and guests. You may also want to apply a higher rate limit to the Students_Internet user profile.
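As an added example (not from this thread or from Aerohive), here is a small Python parser that pulls DHCP option 55 (the Parameter Request List) out of a DHCPDISCOVER and compares it, in order, with the FingerBank Chrome OS fingerprint quoted above; build_discover constructs a test packet and is not a real capture. As Nick notes, this value is supplied by the client, so it is a convenience signal for picking a user profile, not a basis for granting access.

```python
# Known option-55 fingerprints. The Chrome OS entry is the FingerBank entry
# quoted in the thread; the order of the requested options is part of the match.
OS_FINGERPRINTS = {
    "Chrome OS": "1,121,33,3,6,12,15,26,28,51,54,58,59,119",
}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at offset 236

def parse_dhcp_options(packet):
    """Return {option_code: raw_value} from a BOOTP/DHCP payload (the UDP body)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:              # pad octet, has no length byte
            i += 1
            continue
        if code == 255:            # end marker
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.setdefault(code, value)   # keep the first occurrence
        i += 2 + length
    return options

def option55_fingerprint(packet):
    """Render option 55 in FingerBank's comma-separated form, or None if absent."""
    prl = parse_dhcp_options(packet).get(55)
    return None if prl is None else ",".join(str(b) for b in prl)

def classify_os(packet):
    """Map a DHCP request to an OS name, or "Unknown" (what HiveManager shows)."""
    fp = option55_fingerprint(packet)
    return next((n for n, known in OS_FINGERPRINTS.items() if fp == known), "Unknown")

def build_discover(prl):
    """Constructed DHCPDISCOVER for testing (not a real capture); prl=None omits option 55."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6      # BOOTREQUEST, Ethernet, hlen 6
    opts = b"\x35\x01\x01"                         # option 53 = DHCPDISCOVER
    if prl is not None:
        opts += b"\x37" + bytes([len(prl)]) + prl  # option 55 = parameter request list
    return bytes(header) + DHCP_MAGIC + opts + b"\xff"

CHROME_PRL = bytes([1, 121, 33, 3, 6, 12, 15, 26, 28, 51, 54, 58, 59, 119])
```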

Christopher Tawes

  • 14 Posts
  • 2 Reply Likes
Thanks for the heads up about this fingerprint. This is exactly what I was looking for.

Aaron Scott

  • 43 Posts
  • 9 Reply Likes
I tried to add Chrome OS for Client Classification, but when I upload the config it fails on the command:
os-version Chrome OS option55 1,121,33,3,6,12,15,26,28,51,54,58,59,119
with an unknown error.

Any ideas why I can't upload the chrome dhcp fingerprint?

Cheers,
Aaron

Aaron Scott

  • 43 Posts
  • 9 Reply Likes
Never mind - it didn't like the space between "Chrome" and "OS".

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
If you remove the Chrome OS option 55 settings and try to connect, will the ChromeBook associate?

If it does you should be able to see the link "Unknown" appear in the Client OS column of the Wireless Client screen (Monitor -> Clients -> Wireless Clients). Click on the link and you should be able to save the DHCP Option 55 settings.