
How do I allow Chromebooks to sign into an enterprise account when my web filter blocks all my traffic?

Equipment is a WS-5000

Currently, in order to allow students to sign into their Chromebook, I have to whitelist the IP for the Chromebook. I would like to avoid this vulnerability and allow them to sign into a device, because each time a new user signs in the device is erased, so the web appliance doesn't know who is signing in and is blocking all traffic for the device. This causes my device to cycle between trying to connect and disconnect from the wifi until I can whitelist the IP. Once I whitelist the IP, it allows the user to sign on without any issue. Shortly after, I can remove the IP from the whitelist and it starts scanning their traffic again.

Has anyone else had a similar issue? I believe it has to do with the SSL scanning being done on the web appliance and the lack of username and password/certificate installation on the device prior to allowing it to pass.



This thread was automatically locked due to age.
  • Whitelist the IP for a moment. Wireshark the traffic to/from the Chromebook to see where it is connecting in order to log in.

    Create an authentication profile that applies to those destinations.  Set that profile to Bypass authentication (or better to SSO and Allow access on failure).

    Now when the Chromebooks connect to the Google authentication servers they should bypass the SWA authentication, but after they log in and do normal stuff they have the normal SWA auth.

    You can also look at connection profiles, if you only want to apply it to an IP range you know the Chromebooks use.  If destination doesn't work, possibly user agent if there is something unique to the login.
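
The capture step in the reply above, as an added example that is not part of the original thread: it reduces `tshark` field output from the temporarily whitelisted Chromebook to the distinct hostnames contacted during sign-in, which is the destination list the bypass profile needs. The client IP, hostnames, 30-second window and function names are constructed placeholders, not values from the thread.

```python
from collections import OrderedDict

# Rows produced on the capture host with (standard Wireshark field names):
#   tshark -r login.pcap -Y "dns.flags.response == 0 || tls.handshake.type == 1" \
#     -T fields -e frame.time_relative -e ip.src \
#     -e dns.qry.name -e tls.handshake.extensions_server_name
# CONSTRUCTED sample rows (tab-separated); hosts and IPs are placeholders.
SAMPLE = "\n".join([
    "0.10\t10.20.30.40\tsignin.example.com\t",
    "0.35\t10.20.30.40\t\tsignin.example.com",
    "0.90\t10.20.30.40\t\tPolicy.Example.net.",
    "1.20\t10.20.30.99\t\tnews.example.org",    # different client, ignored
    "2.05\t10.20.30.40\t\tsignin.example.com",
    "45.0\t10.20.30.40\t\tvideo.example.org",   # after the sign-in window
    "garbled line without tabs",
])

def login_destinations(tshark_rows, client_ip, window_s):
    """Return {hostname: {"first": t, "dns": n, "tls": n}} for one client,
    limited to the first window_s seconds of the capture."""
    seen = OrderedDict()
    for row in tshark_rows.splitlines():
        cols = row.split("\t")
        if len(cols) != 4:
            continue                      # skip malformed rows
        t, src, qname, sni = cols
        try:
            t = float(t)
        except ValueError:
            continue
        if src != client_ip or t > window_s:
            continue
        for kind, name in (("dns", qname), ("tls", sni)):
            host = name.strip().rstrip(".").lower()   # normalise case and root dot
            if not host:
                continue
            entry = seen.setdefault(host, {"first": t, "dns": 0, "tls": 0})
            entry[kind] += 1
    return seen

def tls_only(dests):
    """Hosts seen in a TLS ClientHello SNI, i.e. what HTTPS scanning would touch."""
    return sorted(h for h, e in dests.items() if e["tls"])

if __name__ == "__main__":
    for host, e in login_destinations(SAMPLE, "10.20.30.40", 30).items():
        print(f"{e['first']:6.2f}s  dns={e['dns']} tls={e['tls']}  {host}")
```

Keeping the window short limits the list to sign-in traffic, so the bypass profile stays narrow and normal browsing remains authenticated and scanned.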
