Although the Mehlville School District has implemented COVID-19 remote learning like most primary schools, we’re also working on other initiatives to keep our students, teachers and technology systems safe. This includes using the exceptionally granular customization capabilities within Aruba ClearPass to solve common K-12 education problems.
Going beyond the default deployment
Upon deploying ClearPass about two years ago, we used it in the typical manner to consolidate many SSIDs into two – one internal and one guest network. Naturally, all district-issued devices automatically connect and authenticate based on device and user credentials. This includes our 1:1 Chromebook deployment for all 10,000 students as well as district-issued Windows and Apple devices for teachers, staff and classrooms, totaling roughly 17,000 devices.
Once we gained experience with the role-based solution, we began considering additional ways to leverage it. By establishing fine-grained custom policies, we discovered ClearPass eliminates much of the manual work around the following processes:
Authenticating All Devices, Even BYO: By authenticating every device, ClearPass can identify classifications of BYO devices, based on username and password, and permit or deny access accordingly. For example, when a student logs on using their credentials with a device other than a Chromebook, then ClearPass classifies it as a student BYO device.
Limiting BYO Access: To ensure we have sufficient bandwidth for academic needs and to reduce possible entry points for bad actors, we use ClearPass to deny BYO device connections – including on our guest network – unless the connection meets the criteria we’ve established for being an approved purpose.
One example is Google Expeditions, which is enabled by AR/VR devices that require a smartphone. Using ClearPass, we’ve created a virtual honeypot to permit access to Expeditions, but not to the Internet at large. As teachers request new learning tools, we can add them to the list of approved options. This strategy enables us to allow BYO smartphone access in a controlled way.
Supporting Healthcare Needs: Similar to enabling device access for approved classroom purposes, we can use ClearPass to granularly permit devices and applications used by those with specific healthcare needs. Whether it’s constantly monitoring blood sugar or reminding a person to take their medication, ClearPass can track and allow the devices and apps required.
Managing Inventory Efficiently: Despite having 17,000 district-issued devices actively in use, plus a few thousand more in our inventory as spares, ClearPass rapidly pinpoints any device we need to know about. In addition to searching by the default or custom attributes within ClearPass, the tool also searches information drawn from about a dozen other IT applications, such as our WiseTrack asset tracking system or our ZENworks Suite technology lifecycle solution. We’ve also set up various management reports that enable us to get a snapshot from ClearPass every 15 seconds.
Eliminating Rogue Connections and Mobile Hotspots: ClearPass also permits us to quickly identify, and disconnect, any Mehlville-issued devices that are accessing a rogue wireless signal, such as a home that’s broadcasting an open network near a school building. This also includes students who use their cellular data plans and personal devices to create a Wi-Fi hotspot, which enables others to connect and bypass our policies and protocols.
Helping us stay one step ahead
Let’s face it, people push boundaries. Using ClearPass, we’ve classified a host of details, such as inappropriate terms used as usernames and MAC address randomization used in attempts to beat blacklisting, to create granular policies, set alerts, restrict activities and automate searches. This helps us stay one step ahead of 10,000 students and over 800 employees while remaining within our lean K-12 technology budget.
Regardless of what becomes the “new normal” as a result of COVID-19, we’re thankful we delved deeper into ClearPass and hope this blog gives you some ideas for doing the same.
Mark Fratto is the Systems Administrator for the Mehlville School District, which serves 10,000 students in the southwestern St. Louis metro area. Spread across 44 square miles, the Mehlville, Missouri district supports 18 campuses that include one early childhood center, 11 elementary schools, four middle schools and two high schools. During his decade with the district, Fratto has maintained various systems, including Mehlville’s 1:1 computing initiative for all students. Prior to joining the district, Fratto was an IT consultant.