How to Use Google for 802.1x Wi-Fi

Kainoa Lee Education

How to Use Google for 802.1x Wi-Fi

Organizations are making the much-needed transition to cloud-based network solutions and Google is a forerunner in getting people’s devices and networks in the cloud.

However, for some, getting your devices configured and ready for WPA2-Enterprise Wi-Fi can be tricky and the process isn’t always straightforward. Luckily, SecureW2 can easily get your devices connected and ready for 802.1x authentication in just a few clicks with our JoinNow Connector and allow you to safely and effortlessly use certificate based security with Google.

How to Use Google for 802.1x EAP-TLS Authentication

In this article we will walk you through how to set up Google as an SSO for certificate enrollment, and 802.1x onboarding so your users can easily self-enroll their devices for certificate-based authentication with their Google credentials.

Creating a SAML Application in Google for 802.1x Enrollment

To create a SAML application in Google:

  1.  From your Google Admin Console, click Apps, and then click SAML apps
  2. At the bottom-right of the screen, mouse over the yellow circle and click Enable SSO for a SAML Application
  3. Click SETUP MY OWN CUSTOM APP
  1. Under Option 2, for IDP metadata, click DOWNLOAD. Save the metadata file (.XML) to your computer
  1. From your SecureW2 Management Portal, go to Identity Management > Identity Providers
  2. Click Edit for the IDP you created (GoogleSAML)
  3. Select the Configuration tab

NOTE: Note the ACS URL and EntityId — you will need these for step 11.

  1. Under Identity Provider (IDP) Info, for Metadata, click Choose File
  2. In the prompt that appears, select the metadata file you saved to your computer. Click Upload
  3. Click Update
  4. Copy the ACS URL and EntityId to your clipboard or somewhere handy
  5. Return to your Google SAML App setup
  6. On the Basic information for your Custom App page, enter the Application Name and Description
  1. Click Next
  2. On the Service Provider Details page, paste the ACS URL and the Entity ID
  3. Select the Signed Response check-box, and then click Next
  1. On the Attribute Mapping page, click Finish

Enrolling for an EAP-TLS Certificate with Google

Credential-based authentication is an outdated security measure when it comes to maintaining your network integrity. The EAP-TTLS/PAP protocol can leave your network open to potential threats as it sends your credentials in clear text, making it susceptible to over-the-air credential theft.

These threats can easily be deflected with the power and security of 802.1x digital certificates. Certificates are impossible to decrypt and eliminates the need to remember passwords, which is a win-win. To enroll for EAP-TLS certificates with SecureW2:

  1. Set up CAs in SW2 Management Portal
    • CAs serve as the central authority for certificates and as the hub where admins can determine what roles and policies will apply for their network.
  2. Add Google as IDP in SecureW2
    • Google can be configured as the IDP in SecureW2’s management portal.
  3. Go to Google Admin Console to Configure the SAML IDP
    • Once complete, the RADIUS server will be able to authenticate devices against Google.
  4. Configure Attribute Mapping
    • Admins can map attributes to certificates so they’ll have an easier time seeing who’s on the network.
  5. Configure network policies to be distributed
    • Once devices are properly configured, they can start requesting certificates.

Google RADIUS Setup

Certificate-based authentication (EAP-TLS) is the current industry standard for Wi-Fi due to the protection it provides against the growing risks of credential theft.. However, setting up the necessary PKI can be a daunting task and some may think it might not be worth implementing just for Wi-Fi.

SecureW2’s Cloud RADIUS and Managed Cloud PKI are a turnkey solution that can get your organization set up, into the cloud, and ready for EAP-TLS authentication in only a couple of hours. We can even integrate with your existing infrastructure to hasten the process.

Traditionally, RADIUS authentication using the EAP-TLS protocol talks to the Certificate Revocation List (CRL) to deny access to users who have a revoked certificate. However, this can lead to a brief moment of vulnerability. Say an IT admin forgets to revoke a certificate? Or maybe the CRL has a longer update interval. The revoked certificate may still be valid, and the user will still have free reign to connect to your network and become a potential threat to your network security.

Our new Dynamic Cloud RADIUS addresses this issue by using industry-first technology that allows the RADIUS to dynamically communicate with your directory as well as the CRL to make sure that only approved users can be authenticated and gain access to your network. For more info about our Dynamic Cloud RADIUS, click here.

SecureW2 Makes Google Integration Easy

With SecureW2, we can get your 802.1x WPA2-Enterprise network configured and ready in only a few hours with our world-class support team ready to assist you for any problems that arise. Check out our pricing here, and see how affordable our solutions are for all organizations of any size.


Learn About This Author

Kainoa Lee

Kainoa Lee is a recent graduate of Central Washington University that majored in Marketing. He works at SecureW2 as part of the marketing team and helps us with our analytics and website design. He was an accomplished sportsman and won state champion for his soccer league and enjoys cooking, drawing and video games in his freetime.