Configuring Certificate-Based Authentication with OneLogin

Introduction

This document guides you through a basic setup of SecureW2 using OneLogin as the Identity Provider (IdP). It is intended for customers who want to:

  • Distribute certificates for wireless LAN authentication to BYOD or company-managed devices that are not under MDM management.
  • Authenticate users against OneLogin before a certificate is issued.

The diagram above shows both the end-user flow of the solution (in numbers) and areas of configuration (in letters), which are elaborated in detail below.

End User Flow

  1. End user requests SecureW2 to issue a certificate.
  2. SecureW2 delegates authentication to OneLogin and end users authenticate with OneLogin.
  3. Upon successful authentication, OneLogin sends the user’s identity attributes (email, UPN, display name) to SecureW2 in a SAML assertion.
  4. SecureW2 issues a client certificate containing the received attributes and delivers it to the user’s device.
  5. End users connect to the wireless LAN with the certificate they received.

Areas of Configuration

  1. Integrating SAML Between OneLogin and SecureW2 [B]
  2. Configuring a SecureW2 Network Profile and Policies [A]
  3. Configuring SecureW2 RADIUS as an Authentication Server [C]

Prerequisites

The following are required:

  • SecureW2 administrator account
  • OneLogin administrator account
  • Cisco Meraki wireless equipment

Integrating SAML Between OneLogin and SecureW2

SecureW2 and OneLogin need to be linked through SAML. This enables SecureW2 to use information authenticated by OneLogin. This section corresponds to [B] in the configuration diagram shown at the beginning.

The procedure is as follows:

  1. Log in to OneLogin as an administrator and click Applications > Applications > Add App.
  2. In the search field, enter SecureW2 and select the SAML 2.0 app connector.
  3. Disable Visible in portal and click Save (at the upper-right corner).
  4. The page will refresh. At the top-right corner, from the More Actions drop-down menu, select SAML Metadata and download it. This is required later.
  5. Go to the JoinNow Management Portal and click Identity Management > Identity Providers > Add Identity Provider.
    1. In the Name field, enter a name for the IdP.
    2. From the Type drop-down list, select SAML.
    3. From the SAML Vendor drop-down list, select OneLogin.
    4. Click Save.
  6. Click the Configuration tab.
    1. Copy the ACS URL and Entity ID to your console.
    2. In the Identity Provider (IDP) Info section, click Choose File and select the OneLogin metadata file downloaded in step 4.
  7. Click Upload and then click Update.
  8. Click the Attribute Mapping tab and click Add.
  9. In the Local Attribute field, provide a name to identify the attribute locally.
  10. In the Remote Attribute field, choose the user attribute received from the IdP. This is mapped to the local attribute.
  11. Click Next.
  12. Repeat steps 9 through 11 for each attribute (the Email, Display Name, and UPN attributes are required for SAML authentication), then click Update.
  13. Navigate to General > Organization and in the Basic section, copy the Domain Name and Organization Identifier to your console.
  14. In the OneLogin portal, navigate to the SecureW2 App Configuration screen, and on the left pane, click Configuration.
    1. In the Organization Identifier field, enter the Organization Identifier value obtained from the SecureW2 Portal.
    2. In the Organization Domain Name field, enter the Domain Name value obtained from the SecureW2 Portal.
    3. Click Save in the upper-right corner.
  15. On the left pane, select Parameters.
    1. For the Credentials are field, select the Configured by admin option.
    2. Click the + icon on the right side to add the required fields for SAML authentication (Email, UPN, Display Name).
    3. On the displayed screen, in the Field name textbox, enter the Remote Attribute name you configured in the JoinNow Management Portal in step 10 (the names must match exactly, or the attribute never reaches SecureW2), and click Save.
    4. From the Value drop-down list, select:
      1. Email for UPN
      2. Email for Email
      3. {firstname} {lastname} for displayName
    5. Click Save.
    6. Repeat steps 2 through 5 for each of the remaining required attributes.
    7. Click Save.
  16. From the Menu bar, select Users. A list of users is displayed.
    1. Select a user.
    2. On the displayed screen, on the left-side pane, click Applications.
    3. From the Roles column, select a role and click the + icon in the Applications column to add an application.
    4. On the displayed screen, from the Select application drop-down list, select the SAML app you created.
    5. Click Continue.
    6. On the displayed screen, click Save.
    7. Click Save User at the top-right corner of the page.
    8. Repeat steps 1 through 7 for each user who should be able to enroll for a certificate.

This completes the SAML integration between OneLogin and SecureW2. Only users and roles assigned to the application in step 16 can complete the OneLogin login, so that assignment is the first gate on who can enroll for a certificate.
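Two offline checks a practitioner can run before and after this integration, as an added example (not SecureW2 or OneLogin code): parse the metadata downloaded in step 4 to confirm it carries an entityID, an HTTPS single sign-on endpoint and a signing certificate, and apply the attribute mapping from steps 8 through 15 to a sample assertion to confirm that Email, UPN and Display Name all arrive under the names SecureW2 expects. The metadata, the assertion, and the tenant and application identifiers in them are constructed placeholders.

```python
"""Offline sanity checks for the OneLogin -> SecureW2 SAML link.

Added example (not SecureW2 or OneLogin code). The IdP metadata and the
assertion below are constructed stand-ins with placeholder identifiers;
the mapping table mirrors the three attributes the guide requires.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed stand-in for the metadata file downloaded in step 4.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.onelogin.com/saml/metadata/placeholder-app-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://placeholder-tenant.onelogin.com/trust/saml2/http-redirect/sso/placeholder-app-id"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Local attribute -> remote attribute name, as entered in steps 8 through 12.
# The remote names must match the Field names typed into OneLogin in step 15.
MAPPING = {"email": "Email", "upn": "UPN", "displayName": "displayName"}

# Constructed stand-in for the AttributeStatement OneLogin sends after login.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/placeholder-app-id</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UPN"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_idp_metadata(xml_text):
    """Extract what the SP needs from IdP metadata and flag anything missing."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    sso_urls = {}
    for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # e.g. HTTP-Redirect
        sso_urls[binding] = svc.get("Location")
    signing_certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in kd.findall(".//ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    signing_certs.append(cert.text.strip())
    problems = []
    if not entity_id:
        problems.append("missing entityID")
    if not signing_certs:
        problems.append("no signing certificate: assertions cannot be verified")
    if not sso_urls:
        problems.append("no SingleSignOnService endpoint")
    for binding, url in sso_urls.items():
        if not (url or "").startswith("https://"):
            problems.append(f"{binding} SSO URL is not https")
    return {"entity_id": entity_id, "sso_urls": sso_urls,
            "signing_certs": signing_certs, "problems": problems}


def map_attributes(assertion_xml, mapping=MAPPING):
    """Apply the attribute mapping; return (local attributes, missing local names)."""
    root = ET.fromstring(assertion_xml)
    remote = {}
    for attr in root.findall(".//saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        remote[attr.get("Name")] = values
    local, missing = {}, []
    for local_name, remote_name in mapping.items():
        values = remote.get(remote_name) or []
        if values:
            local[local_name] = values[0]
        else:
            missing.append(local_name)
    return local, missing


if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(map_attributes(SAMPLE_ASSERTION))
    # A typo in the OneLogin Field name (step 15) means UPN never reaches SecureW2.
    broken = SAMPLE_ASSERTION.replace('Name="UPN"', 'Name="userPrincipalName"')
    print(map_attributes(broken))
```

A mismatch between the Field name typed into OneLogin and the Remote Attribute configured in SecureW2 is the most common failure in this flow: the OneLogin login succeeds, but enrollment fails because a required attribute is empty. The last call in the main block reproduces that case by renaming the UPN attribute.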

Configuring a SecureW2 Network Profile and Policies

Here, we create a Network profile and configure policies in SecureW2. The Network profile is used to configure devices for certificate-based authentication, and the policies are used to dynamically distribute access to our users/groups. This section corresponds to [A] in the configuration diagram at the beginning.

2.1 Creating a Network Profile

In this section, a network profile is created and published. When an end user runs the published profile, the device authenticates the user through the IdP, enrolls for a certificate, stores it, and is configured to use it for the wireless LAN.

Before the Network profile is published, you need to create an Authentication policy. This is to define the IdP used to authenticate users when downloading a specific Network profile.

2.1.1 Creating a Network Profile with Getting Started

  1. Navigate to Device Onboarding > Getting Started.
  2. From the Profile Type drop-down list, select a network type.
  3. In the SSID text box, enter an SSID name.
  4. From the Security Type drop-down list, select WPA2-Enterprise.
  5. From the EAP Method drop-down list, select EAP-TLS.
  6. From the Policy drop-down list, retain DEFAULT.
  7. From the Wireless Vendor drop-down list, select a vendor.
  8. From the RADIUS Vendor drop-down list, select a RADIUS vendor.
  9. Click Create. It takes 60-90 seconds for the process to complete.

2.2 Policy Management

The SecureW2 Policy Engine lets us build granular, automated policies for certificate and network management. In this section, we first create a Role policy for our OneLogin users, and then the Authentication, Enrollment, and Network policies that reference it.

2.2.1 Roles Policy

In SecureW2, you can create a Role policy for users with particular attributes, or for groups, from a specific IdP. This Role policy can then be used in Network and Enrollment policies. Here, we create a Role policy that is specific to our OneLogin users.

  1. Go to Policy Management > Roles Policies and click Add Role.
  2. On the displayed page, enter the name and description of the Role policy and click Save.
  3. Click the Conditions tab.
  4. From the Identity Provider drop-down list, select the IdP created earlier.
  5. Click Update.

2.2.2 Authentication Policy

The Authentication policy is what ties the IdP to the Network profile. Here, the newly created network profile uses the OneLogin IdP to enroll users for certificates and onboard them to the network.

  1. Go to Policy Management > Authentication Policies.
  2. On the Authentication Policies page, click the Edit link for your Network profile’s authentication policy.
  3. Click the Conditions tab and make sure that your Network profile is displayed in the Profile field.
  4. Click the Settings tab. In the Settings section, from the Identity Provider drop-down list, select the IdP you created earlier.
  5. Check the Enable User Self Service checkbox, if required.
  6. Click Update.

2.2.3 Enrollment Policy

Enrollment policies are used to specify which Certificate Authority (CA), Certificate Template, and other related settings are used during the enrollment process for a particular Role policy. Here, we create a basic policy that allows us to enroll certificates to our OneLogin users.

  1. Go to Policy Management > Enrollment Policies and click Add Enrollment Policy.
  2. On the displayed page, enter the name and description of the Enrollment policy, in the corresponding fields.
  3. Click Save.
  4. The Conditions and Settings tabs are displayed.
  5. Click the Conditions tab and, from the Role and Device Role drop-down lists, select the Role policy created in section 2.2.1 and the appropriate Device Role.
  6. Click Update.
  7. Click the Settings tab, select the Certificate Authority and Certificate Template to use (the template controls which identity attributes, such as the mapped UPN and email, are placed in the certificate’s subject and Subject Alternative Name), set the Revoke Certificate option as required, and click Update.

2.2.4 Network Policy

The Network policy defines user access levels (acceptance conditions). Conditions can include the Role policy matched for the user, the Device Role, and information collected from the device during certificate enrollment; they are evaluated when the device authenticates against SecureW2’s RADIUS.

  1. Go to Policy Management > Network Policies and click Add Network Policy.
  2. On the displayed page, enter the name and description of the Network policy and click Save.
  3. The Conditions and Settings tabs are displayed.
  4. Click Add rule and on the displayed page, select a rule or multiple rules as required and then click Save.
  5. On the displayed page, from the drop-down list (on the right side of the Role column), select the Role you created (e.g., OneLogin Role), and then click Update.

With the above configuration, end users can enroll for a certificate from SecureW2; connecting to the wireless LAN with it also requires the RADIUS configuration in the next section.

Configuring SecureW2 RADIUS as an Authentication Server for Cisco Meraki

This section describes the steps to configure SecureW2’s CloudRADIUS as an authentication server for Cisco Meraki. CloudRADIUS can be configured with any infrastructure, but due to Meraki’s popularity, it is shown as an example for this guide.

This configuration corresponds to [C] in the configuration diagram shown at the beginning.

In this configuration, you create a secure SSID on Cisco Meraki for end users. Only devices presenting a valid client certificate issued through SecureW2 pass EAP-TLS authentication and connect to that SSID; the authentication itself is performed by SecureW2’s CloudRADIUS.

  1. Log in to the Meraki dashboard, enable an unused SSID on the SSIDs page, and give it a name (e.g., SecureW2_test). Click Save at the lower-right corner.
  2. Go to Wireless > Access Control.
  3. Make sure that the new SSID is selected. Under Security, choose the WPA2-Enterprise option that uses your own RADIUS server (not Meraki cloud authentication) so that the SSID matches the WPA2-Enterprise/EAP-TLS network profile created earlier, set the WPA encryption mode, and set the Splash page to None (the client is identified by its certificate, not by a captive portal).
  4. Scroll down to the RADIUS servers section and click Add a server twice, once for the primary and once for the secondary CloudRADIUS server.
  5. On the JoinNow Management Portal, go to RADIUS > RADIUS Configuration, note the Primary IP Address, Secondary IP Address, Port, and Shared Secret values, and enter them into the two server entries in Meraki. Treat the shared secret as a credential: it is the key that authenticates RADIUS traffic between the access points and CloudRADIUS, so it belongs only in the Meraki and SecureW2 configuration. The access points must also be able to reach both IP addresses on the listed UDP port.
  6. Under Addressing and traffic, configure client IP assignment, and enable RADIUS override if you want VLAN assignment to come from the RADIUS response.
  7. Click Save Changes.

With these settings, Cisco Meraki forwards 802.1X/EAP-TLS authentication for this SSID to SecureW2’s CloudRADIUS, which accepts only clients presenting a certificate that satisfies the Network policy.
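The shared secret copied in step 5 is more than a registration password: it keys the HMAC-MD5 Message-Authenticator that every Access-Request carrying an EAP-Message must include (RFC 3579), which is what lets CloudRADIUS tell a genuine Meraki access point from anyone else able to send UDP to it. The following added example (not SecureW2, Cisco Meraki or CloudRADIUS code) builds such a request and verifies it the way a RADIUS server would; the secret, NAS identifier and EAP identity are constructed placeholders.

```python
"""Build and verify the RADIUS Access-Request an access point sends to
CloudRADIUS for an EAP-TLS client, to show what the shared secret does.

Added example (not SecureW2, Cisco Meraki or CloudRADIUS code). The
secret, identities and EAP payload are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _avp(attr_type, value):
    """Encode one Type-Length-Value attribute (at most 253 bytes of value)."""
    if len(value) > 253:
        raise ValueError("value too long: split it across several AVPs")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, attributes, authenticator=None):
    """Return the packet bytes with Message-Authenticator computed as in RFC 3579.

    The HMAC-MD5 is keyed with the shared secret over the whole packet
    (including the random Request Authenticator) with the 16-byte
    Message-Authenticator value zeroed.
    """
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    body = b"".join(_avp(t, v) for t, v in attributes)
    body += _avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last AVP
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def parse_attributes(packet):
    """Walk the attribute list; returns [(type, value_bytes), ...]."""
    attrs, pos = [], 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_message_authenticator(packet, secret):
    """True only if the packet carries a Message-Authenticator keyed by `secret`."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False  # EAP request without Message-Authenticator: reject (RFC 3579 3.2)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder for the CloudRADIUS secret
    # EAP Response/Identity: code 2, id 1, length 22, type 1, identity string
    eap_identity = bytes([2, 1, 0, 22, 1]) + b"alice@example.com"
    packet = build_access_request(secret, 7, [
        (ATTR_USER_NAME, b"alice@example.com"),
        (ATTR_NAS_IDENTIFIER, b"meraki-ap-01"),
        (ATTR_EAP_MESSAGE, eap_identity),
    ])
    print(packet.hex())
    print("valid with the right secret:", verify_message_authenticator(packet, secret))
    print("valid with a wrong secret:  ", verify_message_authenticator(packet, b"wrong"))
```

Because the HMAC covers the whole packet, a request from a device that does not hold the secret, or one altered in transit, fails verification and is dropped; that is why both Meraki server entries must carry the same secret that CloudRADIUS shows, and why the secret should never be reused in other places.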