The following article was provided by Nikkol Bauer, Henry County.
Passing User Authentication from Chromebooks to the Rocket
Configuring the Rocket and GAFE to pass user authentication from Chromebooks to the Rocket is pretty straightforward. Unfortunately, the username that is passed is the user’s email address, so be aware of this if you need to inspect a particular user’s activity: you will need to search by email address as well as by AD credentials.
- 1. Ask the state to open ports 80 and 443 on your district’s Rocket server.
- 2. Follow the instructions here to set up a Google Authentication Source. The section titled “Configure a Google Authentication Source on the Rocket Appliance” will need to be done twice using the same Client ID and Client Secret, once for district.kyschools.us and once for stu.district.kyschools.us.
- 3. In the Google Admin Console, push the Lightspeed User Agent to your users:
  - 1. Click Device management.
  - 2. Click Chrome management.
  - 3. Click User settings.
  - 4. Make sure the correct organization is selected at the left. If you want to push this to everyone, you can just have the organization (for example, district.kyschools.us) selected.
  - 5. Scroll down to Apps and Extensions and click the link Manage force-installed apps.
  - 6. Under Chrome Web Store, search for Lightspeed User Agent and click Add.
  - 7. Click Save.
  - 8. Click Save Changes.
Creating Filter Assignments for Chrome Authentication
If you would like to apply different rule sets to different types of users who log in to a Chromebook (for example, if the Tier Policy is not acceptable for all of your users), you will need to create new Assignments in the Rocket Policy Management section of the console. There are three viable methods: User Group, User OU, and Username. In all of these cases, the assignment applies to Google groups and Google OUs.
If you choose to filter by OU, you need to add an assignment for each OU that directly contains users.
“I wanted to be able to leverage our already existing AD groups of DIST Students No Internet, DIST Students Restricted Internet, DIST Staff, and DIST Students. So I added rules in GADS to sync those groups. Note that users have to live in the group itself and not in a subgroup.”
Syncing AD Groups
In order for AD Groups to sync, there must be an entry in the email address property of the group. The 4 groups above did not have an email address filled in, so I created an email for each one. This does not need to be a working email.
- 1. In the GADS configuration utility, make sure that the Group check box is selected in General Settings.
- 2. In Groups, select Add Search Rule.
- 3. On the LDAP tab, enter the following, changing the items in red as appropriate, and add as many groups as you need:
  - Scope: One-level
  - Rule: (&(objectCategory=group)(cn=DIST Students No Internet))
  - Base DN: ou=Users and Groups,ou=_District Admins,dc=district,dc=ketsds,dc=net
  - Group Email Address Attribute: mail
  - Group Display Name Attribute: displayName
  - User Email Address Attribute: mail
  - Member Reference Attribute: member
Adding an Assignment in the Rocket for Google Authentication
- 1. In the Rocket Console, go to Web Filter and then Policy Management.
- 2. Under Type, select User Group.
- 3. Under Authentication Source, choose the Google Authentication source for either your staff or your students (remember that you have two authentication sources for Google).
- 4. Under Assignee, enter the part of the group’s email address before the @.
- 5. Select the Rule Set you want to apply.
- 6. Click Save.
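The checks implied by the two sections above can be run against the group entries before syncing. The following Python is an added example, not part of the original article or of any Lightspeed or Google tool: it builds the search rule, confirms each group sits directly under the Base DN (One-level scope), has an email address, and has only direct user members, and derives the value to enter as Assignee. The function names, the jdoe user, the Grade 5 group and the group email address are constructed for illustration.

```python
# Added example. All entries are constructed sample data, not real directory content.
BASE_DN = "ou=Users and Groups,ou=_District Admins,dc=district,dc=ketsds,dc=net"

def group_rule(cn):
    """Search rule from step 3, with RFC 4515 escaping of filter metacharacters."""
    esc = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "(&(objectCategory=group)(cn=%s))" % "".join(esc.get(c, c) for c in cn)

def audit_group(group, directory, base_dn=BASE_DN):
    """Return (assignee, problems) for one group entry. `directory` maps
    DN -> entry and stands in for lookups a live LDAP client would make."""
    problems = []
    # Scope "One-level" only matches groups directly under the Base DN.
    # Simplification: assumes the group's cn contains no escaped commas.
    if group["dn"].partition(",")[2].lower() != base_dn.lower():
        problems.append("group is not directly under the Base DN")
    # Group Email Address Attribute: must be populated for the group to sync.
    local, at, domain = (group.get("mail") or "").strip().partition("@")
    assignee = local if (local and at and domain) else None
    if assignee is None:
        problems.append("group has no email address")
    # Member Reference Attribute: users must be direct members of the group.
    for dn in group.get("member", []):
        entry = directory.get(dn, {})
        if "group" in entry.get("objectClass", []):
            problems.append("nested group: " + dn)
        elif not entry.get("mail"):
            problems.append("member without mail attribute: " + dn)
    return assignee, problems

JDOE = "cn=jdoe,ou=Students,dc=district,dc=ketsds,dc=net"
GRADE5 = "cn=Grade 5," + BASE_DN
DIRECTORY = {
    JDOE: {"objectClass": ["top", "person", "user"], "mail": "jdoe@stu.district.kyschools.us"},
    GRADE5: {"objectClass": ["top", "group"]},
}
GROUPS = [
    {"dn": "cn=DIST Students No Internet," + BASE_DN,
     "mail": "dist-no-internet@stu.district.kyschools.us", "member": [JDOE]},
    {"dn": "cn=DIST Staff," + BASE_DN, "mail": "", "member": [GRADE5]},
]

if __name__ == "__main__":
    for g in GROUPS:
        cn = g["dn"].partition(",")[0][3:]
        assignee, problems = audit_group(g, DIRECTORY)
        print(group_rule(cn), "-> assignee:", assignee, "| problems:", problems or "none")
```

A group that reports any problem here should be corrected in AD before its Assignment is created in the Rocket.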
Filtering Off Campus
While I haven’t tried this myself, this is possible by pushing the LSChromeFilter to your Google users. Read more about that here. You will need to register your GAFE domains on mobile.lsfilter.com. When you click Sign Up, enter a username and email, and for the Serial Number use the Customer ID found in Administration.
Thanks very much for these great tips, Nikkol!