tiger2
New Member
September 20, 2016
Question

Chromebook login identification

  • September 20, 2016
  • 1 reply
  • 14007 views

Not sure if this is the correct section.

I work for an educational organization that is slowly transitioning from Windows based local systems to Google GAFE. As part of the process we have deployed a large batch of shared Chromebooks for the students to use. Our primary gateway is a Fortigate 300D and I'm very pleased with its performance.

The issue I have is that it seems currently impossible for the Fortigate to identify the users logged in to the Chromebook (it will report source IP and MAC). As a stopgap measure I've moved all Chromebooks to their own VLAN and applied the student security profile on it. However, this will also block any sites allowed for staff using the Chromebook. This is not an optimal solution.

I have the occasional need to identify individual users who break policy for security reasons.

Is the Fortigate capable of doing this?


    xsilver_FTNT
    Staff
    September 21, 2016

    I guess they connect via WiFi, so what about WPA2-Enterprise auth against RADIUS (might be FAC or NPS on AD), then RSSO and group membership per logon to the FortiGate, and then identity-based policies using that group membership knowledge?

    So teachers/staff will be in a different group than users/students, so it will not be per-device identity but per-user (probably better, as you mentioned that Chromebooks are shared, making it harder to decide who the user is).

    For more about RSSO/WSSO check cookbook.fortinet.com for recipes.

    tiger2 (Author)
    New Member
    September 21, 2016

    This is an option, but I want to avoid double authentication.

    The problem is that the GAFE and AD accounts are different in setup and entirely separate (this is a project for a later date). I have RSSO working (sort of, the Fortigate doesn't identify users properly yet) for a different wireless network.

    With your solution a user would have to connect to the wifi first, auth, and then log in to their google account. Right now all wireless settings (simple WPA2 PSK) are pushed to the Chromebooks so the students only need to sign in once.

    I'd much rather the Fortigate pick up the google account login and log it to the Chromebook device IP/MAC. It can already restrict logins to certain domains, so there seems to be a way to filter that info out.

    xsilver_FTNT
    Staff
    September 22, 2016

    I have no personal experience with Chromebooks. If you can somehow collect logons (RADIUS Accounting, syslog, or even those Exchange email logons ..), FSSO Collectors can utilize many sources and make FSSO records based on that data, and so passively authenticate users' traffic without any necessity for an active user logon.

    Or you can utilize their logon to WiFi via RSSO, so users will appear in logs on FortiGate/FortiCloud/FortiAnalyzer with their wifi logons and not with google accounts; devices should be recorded by their MAC address, which more or less uniquely identifies devices.

    But I do not know your environment deeply enough for more precise advice.
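The two replies above describe the same mechanism from two angles: logon events (RADIUS accounting, syslog) carry a user name, an IP, a device MAC and a group, and a collector turns them into "who was on this IP at this time" records that a gateway can then use for identity-based policy instead of a second interactive logon. The script below is an added illustration of that collector logic and is not Fortinet code, not FSSO/RSSO, and not any FortiGate feature; the accounting line format, the user names, addresses, MACs and the group-to-category policy table are all constructed for the example.

```python
"""Passive user-to-IP identity table built from RADIUS-accounting-style logons.

Added example (hypothetical): the line format below is a constructed, simplified
syslog-like rendering of accounting attributes, not real NPS/FortiAuthenticator
output.  One shared device (10.20.0.15, one MAC) is used by a student in the
morning and a teacher after lunch, so the same IP/MAC must resolve to different
users depending on the time of the lookup.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed accounting records; the last line is deliberately malformed.
SAMPLE_ACCOUNTING = """\
2016-09-21T08:00:05Z Acct-Status-Type=Start User-Name=student17 Framed-IP-Address=10.20.0.15 Calling-Station-Id=AA-BB-CC-00-11-22 Class=students
2016-09-21T08:01:10Z Acct-Status-Type=Start User-Name=teacher02 Framed-IP-Address=10.20.0.40 Calling-Station-Id=AA-BB-CC-00-33-44 Class=staff
2016-09-21T11:55:00Z Acct-Status-Type=Stop User-Name=student17 Framed-IP-Address=10.20.0.15 Calling-Station-Id=AA-BB-CC-00-11-22 Class=students
2016-09-21T12:00:30Z Acct-Status-Type=Start User-Name=teacher02 Framed-IP-Address=10.20.0.15 Calling-Station-Id=AA-BB-CC-00-11-22 Class=staff
this line is garbage and must be skipped
"""

# Hypothetical identity-based policy: web categories each group may reach.
GROUP_POLICY: Dict[str, set] = {
    "students": {"education", "search"},
    "staff": {"education", "search", "social"},
}

_KV = re.compile(r"(\S+)=(\S+)")
_REQUIRED = ("Acct-Status-Type", "User-Name", "Framed-IP-Address",
             "Calling-Station-Id", "Class")


def utc(s: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Session:
    user: str
    group: str
    ip: str
    mac: str
    start: datetime
    stop: Optional[datetime] = None   # None while the session is still open

    def active_at(self, when: datetime) -> bool:
        return self.start <= when and (self.stop is None or when < self.stop)


def parse_record(line: str) -> Optional[dict]:
    """Parse one constructed accounting line; return None if it is malformed."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    try:
        ts = utc(parts[0])
    except ValueError:
        return None
    attrs = dict(_KV.findall(parts[1]))
    if any(k not in attrs for k in _REQUIRED):
        return None
    attrs["time"] = ts
    return attrs


class IdentityTable:
    """Collector-style table: one list of sessions per IP, oldest first."""

    def __init__(self) -> None:
        self.sessions: Dict[str, List[Session]] = {}

    def ingest(self, line: str) -> bool:
        rec = parse_record(line)
        if rec is None:
            return False
        ip = rec["Framed-IP-Address"]
        sessions = self.sessions.setdefault(ip, [])
        if rec["Acct-Status-Type"] == "Start":
            # A new logon on an IP implicitly closes any session still open there
            # (shared device handed to the next user without a clean logout).
            for s in sessions:
                if s.stop is None:
                    s.stop = rec["time"]
            sessions.append(Session(rec["User-Name"], rec["Class"], ip,
                                    rec["Calling-Station-Id"], rec["time"]))
        elif rec["Acct-Status-Type"] == "Stop":
            for s in sessions:
                if s.stop is None and s.user == rec["User-Name"]:
                    s.stop = rec["time"]
        else:
            return False
        return True

    def resolve(self, ip: str, when: datetime) -> Optional[Session]:
        """Who held this IP at this instant? None if nobody was logged on."""
        for s in self.sessions.get(ip, []):
            if s.active_at(when):
                return s
        return None

    def decision(self, ip: str, when: datetime, category: str) -> str:
        """Identity-based policy: an unresolved IP falls back to the strict default."""
        s = self.resolve(ip, when)
        if s is None:
            return "deny"
        return "allow" if category in GROUP_POLICY.get(s.group, set()) else "deny"


def build_table(text: str = SAMPLE_ACCOUNTING) -> IdentityTable:
    table = IdentityTable()
    for line in text.splitlines():
        table.ingest(line)
    return table


if __name__ == "__main__":
    t = build_table()
    for ts in ("2016-09-21T09:00:00Z", "2016-09-21T11:58:00Z", "2016-09-21T12:30:00Z"):
        s = t.resolve("10.20.0.15", utc(ts))
        print(ts, "->", f"{s.user} ({s.group})" if s else "nobody",
              "| social:", t.decision("10.20.0.15", utc(ts), "social"))
```

The point to take from the design is the fallback: an IP with no known logon gets the strict default rather than the staff profile, which is the same risk the VLAN stopgap in the question is managing. Whatever real collector is used, it is worth checking how it closes sessions on a shared device, since a missing Stop record otherwise leaves the previous user's identity attached to the next user's traffic.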