Block SSL urls for BYOD student users- Maintain Cert trust chain

L1 Bithead

Hello all...

I find myself in a bit of a quandary on how to deal with blocking/inspecting various SSL-based URLs for our student BYOD users.

I realize I need to decrypt the traffic in order to take action on it... but our problem lies with how to deal with certs... and keeping browsers happy with an intact trust chain.

PA support told me that I must either use an Enterprise CA... or... export and import the trusted cert on all our devices. Since we are BYOD... and have no management capabilities on student-owned devices, neither option is possible.

How can one best manage large groups of students attempting to go to bad sites!? I simply want to block off some YouTube channels and things of that nature. Things that slip through safe search... etc.

I thought for a second about obtaining, say, a GoDaddy cert that maps to a domain name that we own (i.e. ourfirewall.ourschool.org), map that name to our inside interface IP in our on-prem split-zone DNS, and see if that would work. I'm thinking the cert will still come up as invalid since the signing source of the traffic would be a private IP address, and not necessarily the DNS name. (Although... I'm just not sure.) ????

Another option is to try and devise a method to import a self-minted cert into the devices in an easy fashion - if that exists. We have an Aerohive Wi-Fi infrastructure... perhaps there's a way to present a third-party cert to connecting devices - something a user can simply accept and import... and continue browsing.

Hopefully there are others out there that have some experience with this and can shed some light for us!

Thanks in advance... Dennis
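The certificate mechanics behind the two questions in the post (can a purchased server cert for ourfirewall.ourschool.org act as the decryption signer, and what happens on a device that does not have the school's cert installed) can be reproduced locally with openssl. The script below is an added example for this thread, not code from Palo Alto Networks, Aerohive or the poster. It assumes only a POSIX shell and openssl 1.0.2 or later; every certificate is constructed test data generated in a temporary directory, ourfirewall.ourschool.org is the hostname from the post, and www.example.com stands in for any site the firewall would decrypt.

```shell
#!/bin/sh
# Added example for this thread (not Palo Alto's or Aerohive's code): uses
# openssl to show why the certificate a firewall signs decrypted sessions with
# must be (a) a CA certificate and (b) installed on every client, and why a
# server certificate for a name the school owns cannot play that role.
# All material is constructed test data generated in a temp directory;
# ourfirewall.ourschool.org is the hostname from the post and www.example.com
# stands in for any site the firewall would decrypt. Assumes openssl >= 1.0.2.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so only the extension section we choose is applied.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# make_self_signed NAME CN EXT_SECTION: self-signed cert and key in $WORK.
make_self_signed() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions "$3" \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf ISSUER NAME CN: leaf for CN signed with ISSUER's key. Note that
# openssl x509 -req signs regardless of whether ISSUER is a CA; it is the
# verifying client that enforces the CA flag.
issue_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 30 -in "$WORK/$2.csr" -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# is_ca_cert NAME: exit 0 when the cert carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$WORK/$1.pem" -noout -text | grep -q 'CA:TRUE'
}

# client_accepts TRUSTED LEAF: exit 0 when a client whose trust store holds
# only TRUSTED would accept LEAF (the check a browser makes at the handshake).
client_accepts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Scenario 1: a private decryption CA, as PA support described.
make_self_signed school_ca "School Decryption CA" ca_ext
issue_leaf school_ca site_via_ca "www.example.com"

# Scenario 2: a server certificate for ourfirewall.ourschool.org, shaped like
# what a public CA would sell (CA:FALSE), pressed into service as the signer.
make_self_signed server_cert "ourfirewall.ourschool.org" server_ext
issue_leaf server_cert site_via_server "www.example.com"

run_checks() {
    is_ca_cert school_ca && echo "school_ca: CA certificate"
    is_ca_cert server_cert || echo "server_cert: not a CA certificate"
    client_accepts school_ca site_via_ca \
        && echo "device WITH school_ca installed: accepts re-signed site"
    client_accepts server_cert site_via_ca \
        || echo "device WITHOUT school_ca installed: rejects re-signed site"
    client_accepts server_cert site_via_server \
        || echo "server_cert as signer: rejected even though it is trusted"
}
run_checks
```

The last check is the one that matters for the GoDaddy idea: a publicly trusted CA issues ourfirewall.ourschool.org an end-entity certificate with CA:FALSE, so anything the firewall re-signs with it fails validation even on a device that trusts that certificate; the split-zone DNS mapping does not change that. The middle checks show the other half of the problem: the same re-signed site is accepted only by the device that has the school CA in its trust store, which is why the answer keeps coming back to getting that CA onto each student device.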

2 REPLIES

Cyber Elite

@dtopohaverford,

AeroHive actually has the ability to push a decryption cert to the end user specifically for decrypting SSL traffic. I would piggyback on that feature if possible.

Otherwise we simply specified that to connect to the wireless network the students needed to run a script stored on the school's intranet site. The script did all of the importing for us and the students could easily do it themselves when required.

Interesting BPry - thanks... that was my next effort... looking deeper into what Aerohive could do for us.

The script you mentioned... something custom you made, or derived from something found on the net?

Also, what is your client mix? Apple iOS... Android? Windows? Etc... we have it all here.

Thanks much for your input!

  • 2897 Views
  • 2 replies
  • 0 Likes