Want to learn the best practice for configuring Chromebooks with 802.1X authentication?

Sign up for a Webinar!
Branding
Branding Branding
Login Check our Prices

Configuring 802.1x Network Access with Google Workspace

Network visibility is one of the key factors that has a direct impact on your network security, especially with wireless networks. The greater the visibility, the more control you have over your network. Certificate-based authentication with a public key infrastructure (PKI) helps improve network visibility to a great degree. Digital certificates contain unique information about the client or the device that cannot be replicated or stolen and are signed by a reputed Certificate Authority, thus validating the client’s identity.

Effectively identifying user or device identity can help in segmenting the network users more efficiently, which ultimately leads to a well-structured and secure network. Combining certificate authentication with SAML(Security Assertion Markup Language) in Google Workspace will seamlessly segment users as they automatically enroll for network access.

During the configuration process, admins can assign attributes to your network users that denote user groups within your organization. Based on the user’s role, seniority, job function, or countless other factors, you can distribute countless use policies and network settings. The customization can be as simple or complex as required.

As a result, network users enroll once for network access and are authorized for the life of their certificate. It provides comprehensive visibility context concerning who is connected to the network and what they are browsing. For accurate reporting and a network organized around your policies, turn to certificate solutions for Google Workspace SAML.

Public Key Infrastructure (PKI) for Certificate-Based Authentication

PKI uses transport layer security protocol to facilitate communication between client and server at the time of authentication, an EAP protocol that is considered secure, while user authentication is done using an x.509 client certificate signed by a valid and reputed Certificate Authority, thus ensuring only authorized client or device is getting access to your network.

WPA-2 enterprise with EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is considered the most secure. There is the option to allow network connection only after successfully completing server certificate validation. Mutual authentication, or matching both the server and client certificates, makes this EAP authentication method almost impenetrable of all EAP methods.

Managing PKI can seem like a daunting task. However, SecureW2’s Managed PKI solutions, which are designed to work across operating systems, offer an easy-to-use graphical interface for viewing and managing your certificates from certificate issuance to revocation with just a push of a few buttons.  Our industry-exclusive Identity Lookup with LDAP & SAML Identity Providers allows user identity lookup in real-time at the time of authentication.

Integration Process Overview of WPA2-Enterprise With Google Workspace

Configuring a WPA2-enterprise environment with a Google Workspace service account can be a complicated task that requires a careful weaving of multiple complex components such as PKI, Certificate Authority, certificate enrollment and management system, and RADIUS EAP-TLS authentication to design the entire infrastructure. When properly configured, it enhances your network security by giving a network administrator much better network visibility with real time control over access management, making it the best security guard you can invest in for network security.

SecureW2’s solution is integrated with the Google Workspace SAML application, allowing a network administrator to easily connect users to the network while maintaining a high level of control. Digital certificates issued and managed using a PKI solution provide great network security infrastructure in a WPA-2 enterprise environment.

Below is the process overview for configuring WPA2-enterprise with the Google Workspace (G-Suite) SAML application.

  1. Add the SAML Identity Provider to SecureW2
  2. Configure the SAML IDP in Google Admin Console
    • The SAML Identity Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
  3. Configure Attribute Mapping
    • Set specific attributes to segment the network into groups based on their identity within the organization.
  4. Configure Network Policies to be Distributed
    • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments can access.

Prerequisites

  1. An active subscription to Google Admin Console with admin privileges.
  2. Access to create a Google Service Account.
  3. An active subscription to JoinNow Management Portal and JoinNow Cloud Connector.

Certificate Issuance Configuration

The following are the configurations for certificate issuance:

Creating a SAML Identity Provider in SecureW2

An identity provider (IDP) is the system that proves the identity of a user/device. Creating an IDP in SecureW2 tells the Cloud Connector system how to connect to your Google Workspace user database, verify user credentials, and issue certificates.

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.
  4. In the Basic section, enter the name of the IDP in the Name field.
  5. In the Description field, enter a suitable description for the IDP.
  6. From the Type drop-down list, select SAML.
  7. From the SAML Vendor drop-down list, select Google Apps.
  8. Click Save.

Now, SecureW2 Cloud Connector knows how to exchange information with your provider’s user database.

Creating a SAML Application in Google

The SAML application is a crucial connection between the IDP and SecureW2. The SAML application allows users to enter their credentials, which are then passed to the IDP for verification. The IDP verifies the user’s identity and then sends attributes to the SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application in Google:

  1. Log in to your Google Admin Console.
  2. From the menu, select Apps > Web and mobile apps.
  3. Click Add app and select Add custom SAML app.

  4. In the App name field, type a unique name for the app and click CONTINUE.

  5. Under Option 1, click the DOWNLOAD METADATA button and save the metadata file (.XML) on your computer. You need to import this metadata file to the JoinNow Management Portal.

  6. Click CONTINUE.
  7. In the JoinNow Management Portal, go to Identity Management > Identity Providers.
  8. On the Identity Providers page, click the Edit link for the newly added SAML application. 

  9. Click the Configuration tab. 
  10. In the Service Provider (SP) Info section, copy the ACS URL and Entity ID values to your clipboard.
  11. In the Identity Provider (IDP) Info section, for the Metadata field, click Choose File and select the metadata (.XML) file that you downloaded earlier from Google SAML Apps.

  12. Click Upload and then click Update.

  13. Go to Google SAML Apps, and on the Service Provider (SP) Info screen, add the ACS URL and Entity ID (obtained in step 10).
  14. Check the Signed response checkbox.
  15. From the Name ID format drop-down list, select EMAIL.
  16. From the Name ID drop-down list, select Basic information > Primary email.
  17. Click CONTINUE.

  18. Click Finish on the Attribute Mapping screen.

Configuring Attribute Mapping in Google

  1. On the Google Admin page, scroll down to Attribute Mapping.
  2. Click ADD MAPPING to configure the attributes to be encoded in the certificate.

    NOTE: Your directory will likely have a name and an email.
  3. From the Google Directory attributes drop-down list, under Basic Information, select Primary email.
  4. In the App attributes field, type Email.
  5. Click ADD MAPPING again.
  6. From the Google Directory attributes drop-down list, under Basic Information, select First name.
  7. In the App attributes field, type FirstName.

  8. Click  FINISH.

After Google identifies the users that are trying to connect, it sends their name and email to SecureW2, which SecureW2 populates in the certificates. The attributes that Google sends are populated in the variables in the certificates.

  1. In the JoinNow Management Portal, navigate to Identity Management > Identity Providers.
  2. Click the Edit link for the SAML application that you created earlier (refer to the Creating a SAML Identity Provider in SecureW2 section).

  3. Click the Attribute Mapping tab.

  4. Click Add.
  5. In the Local Attribute field, enter email as the name of the variable.
  6. From the Remote Attribute drop-down list, select Email.

  7. Click Next.
  8. Click Add.
  9. In the Local Attribute field, enter displayName as the variable’s name.
  10. From the Remote Attribute drop-down list, select User Defined. Enter FirstName in the field that appears next to the Remote Attribute field.

  11. Click Next.
  12. Click Add.
  13. In the Local Attribute field, enter upn as the name of the variable.

    NOTE:     When using digital certificates for eduroam authentication, the request includes the UPN, which contains the username and realm. This helps identify the user’s organization and ensures RADIUS requests are routed correctly.
  14. From the Remote Attribute drop-down list, select User Defined. Enter Email in the field that appears next to Remote Attribute field.

  15. Click Next.

  16. Click Update.

The attributes are now configured and you can view them under certificates. To do so:

  1. Navigate to PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click the Edit link for DEFAULT CERTIFICATE TEMPLATE 1.
  3. Under the Basic section, note that the displayName variable is encoded as Subject.
  4. Under SAN, note that the upn is encoded as Other Name, and email is encoded as RFC822.

Policy Management

SecureW2 PKI supports integration with Google Workspace using SAML to authenticate users and issue certificates based on policies configured in the JoinNow Management Portal. The following policy components must be set up: the Authentication Policy for SAML-based user authentication, the Policy Engine Workflow to categorize users and devices, and the Enrollment Policy to manage certificate issuance.

The Authentication Policy links the Identity Provider to the network profile and is required to authenticate users with the specified Identity Provider. The Policy Engine Workflow allows you to define and create roles based on attributes and groups retrieved from the Identity Provider. These roles can then be assigned a unique Enrollment Policy for certificate issuance and used to trigger a Network Policy.

Creating an Authentication Policy

An Authentication Policy can be created from the Authentication Policies page. If you’ve already set up an authentication policy through Getting Started, you can either edit it with the required values or create a new one.

To create a new Authentication Policy, perform the following steps:

  1. Navigate to Policy Management > Authentication Policies.
  2. On the Authentication Policies page, click Add Authentication Policy.
  3. In the Basic section, enter the name of the Authentication Policy in the Name field.
  4. In the Display Description field, enter a suitable description for the Authentication Policy.
  5. Click Save.
  6. Click the Conditions tab.
  7. In the Profile drop-down list, ensure that your network profile is selected.
  8. Click the Settings tab.
  9. From the Identity Provider drop-down list, select the IDP you created earlier (refer to the Creating a SAML Identity Provider in SecureW2 section).
  10. Select the Enable User Self Service checkbox.
  11. Click Update.

Creating a Policy Engine Workflow

To configure a Policy Engine Workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section, enter the name of the policy engine workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy engine workflow.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Identity Provider drop-down list, select the IDP that you created earlier (refer to the Creating a SAML Identity Provider in SecureW2 section).
  8. Click Update.

Creating an Enrollment Policy

Now, the lookup can be used before the certificate issuance as a dynamic check. To trigger the lookup during the certificate issuance, map the policy engine workflow (created in the Creating a Policy Engine Workflow section) in the enrollment policy created below:

  1. Navigate to Policy Management > Enrollment Policies.
  2. Click Add Enrollment Policy.
  3. In the Basic section, enter the name of the enrollment policy in the Name field.
  4. In the Display Description field, enter a suitable description for the enrollment policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs are displayed.
  7. Select the Conditions tab.
  8. In the Conditions section, from the Role list, select the policy engine workflow you created earlier (see the Creating a Policy Engine Workflow section).
  9. From the Device Role list, select DEFAULT DEVICE ROLE POLICY.
  10. Click Update.

Network Authentication Configuration

During the RADIUS EAP-TLS authentication, the user or device will present the 802.1X client certificate, and the RADIUS, as an authentication server, will verify the relevant information from the certificate against the existing users in the Identity Provider. If it matches the IDP and the certificate is not expired, or on the Certificate Revocation List (CRL), the user or device authentication is completed and is granted access to the network.

Now, we will create an Identity Lookup provider in SecureW2 to connect our Identity Provider service account to lookup users, in this case, Google Workspace, groups, and their devices.

The following are the configurations for network authentication:

Configuring Google

The following are the high-level steps required to configure Google IAM & Admin console for dynamic lookup with JoinNow:

  1. Creating a New Project
  2. Creating a Service Account and a JSON Key File
  3. Delegating Domain Wide Authority to Service Account from Google Admin Console
  4. Creating a User in Google Admin Console
  5. Creating a Role with Read-only Access

Creating a New Project

The Google Service Account must be created in the IAM & Admin console. Log into the Google IAM & Admin console using the link here.

To create a new project in the Google service account:

  1. Log in to the Google Service Account.
  2. Click the Select a Project drop-down list at the top of the page.
  3. Click NEW PROJECT.
  4. On the New Project page, enter a name for the project in the Project name field.
  5. From the Organization drop-down list, select the required organization for the project.
  6. From the Location drop-down list, select the parent organization.
  7. Click Create.

Creating a Service Account and a JSON Key File

JoinNow needs a Google Service Account to authorize communication with Google to do a lookup operation on behalf of the service account. To create a Service Account in Google:

  1. From the left menu pane, click Service Accounts.
  2. Click + CREATE SERVICE ACCOUNT.
  3. In the Service account name field, enter a name for your service account. By default, the service account name entered previously is automatically used as the Service account ID. You can either use this default name or enter a new one.
  4. Click CREATE AND CONTINUE.
  5. Click DONE. The required service account will be created.
  6. Click on the recently created service account link.
  7. On the service_account_lookup page, click the KEYS tab.
  8. From the ADD KEY drop-down list, select Create new Key.
  9. In the Create private key pop-up, select Key type as JSON.
  10. Click CREATE. The JSON file will be downloaded to the device.
  11. Click CLOSE.

Delegating Domain Wide Authority to Service Account from Google Admin Console

Delegating domain wide authority helps administrators of the organization to authorize the service account to access user data required for lookup. Admins can delegate access to a service account from their Google Admin console.

To delegate domain wide authority:

  1. Log in to the Google admin console.
  2. Navigate to Security > Access and data controls > API controls.
  3. In the Domain wide delegation section, click MANAGE DOMAIN WIDE DELEGATION.
  4. Click Add new. A pop-up to add client ID will appear.
  5. Navigate back to your Google Service Account. Go to the Service Accounts tab and click on the service account created in Creating A Service Account and a JSON Key File section. Copy the Unique ID displayed under the DETAILS tab.

    Paste the value in the Client ID field.
  6. In the OAuth scopes field, enter https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,openid
  7. Click Authorize.

Creating a User in Google Admin Console

Google mandates the creation of a user for the access of information from the service account. To create a user in the Google Admin console:

  1. Navigate to Directory > Users.
  2. Click Add new user. The Add new user form opens.
  3. In the First name field, enter the first name of the user.
  4. In the Last name field, enter the last name of the user.
  5. In the Primary email field, enter the organizational email of the user.
  6. Click ADD NEW USER.

Creating a Role with Read-Only Access

A role with read-only access privileges should be assigned to the created user. 

To create a role:

  1. Navigate to Accounts > Admin Roles.
  2. Click Create new role. The Create role page opens.
  3. In the Role info tab, for the Name field, enter a name for the role.
  4. In the Description field, enter a description for the role.
  5. Click Continue.
  6. In the Select Privileges tab, select the following access privileges:
    1. Admin console privileges: Chrome Management > Settings > Manage ChromeOS Devices > Read
    2. Admin API privileges:
      1. Users > Read
      2. Groups > Read
  7. Click CONTINUE. Review the privileges assigned and click DONE.
  8. Navigate to Users and select the user created in Creating a User in Google Admin Console section.
  9. Click ASSIGN ROLES.
  10. Assign the created role with read-only privileges to the user.
  11. Click SAVE.

Configuring JoinNow

The following are the high-level steps to configure JoinNow for Google Identity Lookup.

Creating an Intermediate CA for Google Workspace Integration

SecureW2 recommends the use of an Intermediate CA for Google lookup as a best practice for easy identification and management of your CAs.

To create a new intermediate CA:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to PKI > Certificate Authorities.
  3. Click Add Certificate Authority.
  4. In the Basic section, from the Generate CA For drop-down list, select the Device and User Authentication option to authenticate devices and users.
  5. From the Type drop-down list, select Intermediate CA.
  6. From the Certificate Authority drop-down list, select the default Root CA that comes with your organization.
  7. In the Common Name field, enter a common name for the CA certificate. SecureW2 recommends a name that includes “SCEP.”
  8. From the Key Size drop-down list, select 2048 for the CA certificate key pair.
  9. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  10. In the Validity Period (in years) field, enter the validity period of the CA certificate.
  11. In the Notifications section:
    1. From the Expiry Notification Frequency (in days) drop-down list, select the frequency interval for which a certificate expiration notification should be sent to users.
    2. Select the Notify user on successful Enrollment checkbox to notify users after a successful enrollment.
  12. In the Revocation section:
    1. In the Revoke Certificate if unused for field, select the number of days after which an unused certificate can be revoked.
    2. From the Reason Code drop-down list, select any one of the following reasons for which the certificate is revoked.
      1. Certificate Hold
      2. AA Compromise
      3. Privilege Withdrawn
      4. Unspecified
  13. Click Save.

Creating a Certificate Template

A certificate template determines how information is encoded in the certificate to be issued by the Certificate Authority. It will consist of a list of certificate attributes and how the information must be encoded in the attribute values. This information is provided by the organization administrator using the JoinNow Management Portal.

SecureW2 recommends creating multiple templates based on your business requirements to easily identify the different values being passed.

To create a Certificate Template for Google lookup:

  1. Navigate to PKI > Certificate Authorities.
  2. Scroll to the Certificate Templates section and click Add Certificate Template.
  3. In the Basic section, for the Name field, enter the name of the certificate template.
  4. In the Subject field, retain the default values hardcoded in the certificate template.
  5. In the Display Description field, enter a suitable description for the certificate template.
  6. In the Validity Period field, type the validity period of the certificate (based on the requirement).
  7. From the Signature Algorithm drop-down list, select SHA-256 as the signature algorithm for the certificate signing request.
  8. In the SAN section, for Other Name, RFC822, DNS, and URI fields, retain the default values provided in the certificate.
  9. Click Save.

Creating a Google Workspace Identity Lookup Provider

Before the certificate issuance and during the RADIUS authentication process, the Identity Lookup feature validates that a device/user is active within the organization by checking the identifying information against the existing accounts in the Identity Provider.

To create an Identity Lookup Provider, perform the following steps:

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. In the Basic section, enter the name of the IDP in the Name field.
  4. In the Description field, enter a suitable description for the IDP.
  5. From the Type drop-down list, select Google Workspace Identity Lookup.
  6. Click Save.
  7. The page refreshes, and the Configuration, Attribute Mapping, and Groups tabs appear.
  8. Under the Configuration tab, provide the following information:
    1. In the Service Account Key File field, click Choose file. Select the JSON Key file created in the Creating a Service Account and a JSON Key File section and upload the file.
    2. In the Delegated Domain Authority Email field, enter the primary email for the user in the Creating a User in the Google Admin Console section.
    3. Click Validate to check the validity of the primary email entered.
  9. Under the Attribute Mapping tab:
    1. Click Add.
    2. In the Local Attribute field, enter the name of the attribute that corresponds with the Remote Attribute. This is used during Policy Configuration.
    3. In the Remote Attribute drop-down list, select the Google attributes configured for user and group attributes. If the Google attributes are unavailable in the default values, select the User Defined option and enter the exact attribute name configured in Google.
    4. Click Next.
    5. Repeat steps a – d to add the required attributes.
    6. Click Update.
  10. Navigate to the Groups tab.
    1. Click Add.
    2. In the Local Group field, enter a name for the group. This group name can be used to configure the Network Policies.
    3. In the Remote Group field, enter the name of your group as it is configured in the Google Workspace.
    4. Click Create.
    5. Repeat as necessary for any group you wish to create Network Policies around.
    6. Click Update.

Configuring Policies

SecureW2 policies allows the organization administrators to segment users and restrict/allow resources based on information stored in their directory entry. Since enforcement occurs at runtime, changes made to a user’s permissions are propagated immediately rather than a day or two later, as is typical with most RADIUS servers.

Creating an Account Lookup Policy

Lookup Policies are how we tie the new Identity Lookup Provider to domains. Here, you create a condition that ties your domain to the new Identity Lookup Provider you created in the previous section.

  1. Navigate to Policy Management > Account Lookup Policies.
  2. Click Add Account Lookup Policy.
  3. In the Basic section, enter the name of the Account Lookup Policy in the Name field.
  4. In the Display Description field, enter a suitable description for the Account Lookup Policy.
  5. Click Save.
  6. The page refreshes, and the Conditions and Settings tabs appear.
  7. Click the Conditions tab.
  8. From the Identity drop-down list, select an option from the following:
    • Username
    • Certificate-CommonName
    • Certificate-SAN-UPN
    • Certificate-SAN-Email
  9. In the Regex field, enter the value you want to match.
  10. Under the Settings tab, from the Identity Provider Lookup drop-down list, select the Google Workspace Identity Lookup you created in the Creating a Google Workspace Identity Lookup Provider section.
  11. From the Lookup Type drop-down, select the lookup type:
    1. Auto – The system automatically uses identity as the Lookup attribute.
    2. Custom – The Identity drop-down list is displayed. Select a device or user identity for lookup.
      1. The user identities are:
        • Username
        • Certificate-CommonName
        • Certificate-SAN-UPN
        • Certificate-SAN-Email
      2. The device identities are:
        • Certificate-SAN-DNS
        • Client ID
        • Computer Identity
  12. From the Identity drop-down, select the Identity attribute mapped for lookup.
  13. Lookup Purpose – Purpose of Account Lookup
    1. Certificate Issuance – To lookup the user/device account during Enrollment.
    2. RADIUS Authentication – To lookup the user/device account during RADIUS Authentication.
  14. Select the Revoke On Failure checkbox to automatically revoke a certificate if an account lookup fails, if necessary.
  15. Click the Validate Configuration button to check if the lookup is valid.
  16. On the Validate Configuration pop-up window, in the Enter a valid identity field, enter the identity (user/device) to validate the lookup, and click Validate.
  17. After the successful validation, the associated attributes and groups of the Identity Provider Lookup are displayed on the Lookup Details prompt. The admin can use this information to configure the network policies and verify the user’s validity.

    NOTE: When the Admin enters an invalid identity on the Validate Configuration pop-up window, the following error message is displayed: “Account lookup failed.”


  18. Click Update.
Creating a Policy Engine Workflow

To create a policy engine workflow, perform the following steps:

  1. Navigate to Policy Management > Policy Engine Workflows.
  2. Click Add Policy Engine Workflows.
  3. In the Basic section, enter the name of the Policy Engine Workflow in the Name field.
  4. In the Display Description field, enter a suitable description for the policy engine workflow.
  5. Click Save.
  6. The page refreshes, and the Conditions tab is displayed.
  7. Click the Conditions tab.
  8. From the Identity Provider drop-down list, select the Identity Provider you created in the Creating a Google Workspace Identity Lookup Provider section.
  9. In the Attributes section, click + Add Attribute.
  10. From the Attribute drop-down list, select the required attribute for Lookup.
  11. In the Groups box, select the required group to assign a network policy.


  12. Click Update.
Creating a Network Policy

Like the check during certificate issuance, Lookup can be used before the RADIUS Authentication as a dynamic check. To trigger the lookup during the RADIUS Authentication, map the policy engine workflow (created in the Creating a Policy Engine Workflow section) in the Network Policy created below:

  1. Navigate to Policy Management > Network Policies.
  2. On the Network Policies page, click Add Network Policy.
  3. Under the Basic section, in the Name field, enter the name of the network policy.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save.
  6. Click the Conditions tab.
  7. Click Add rule and select the role you want to assign to this network policy. It is essential to select the appropriate role, as the network policy is triggered by the role policy. SecureW2 offers various rules that you can select based on the business requirements.



    NOTE: You can assign a network policy to multiple Policy Engine Workflows.
  8. Click the Settings tab.
    1. Click Add Attribute.
    2. From the Dictionary drop-down list, select an option: Radius: IETF or Custom.
    3. From the Attribute drop-down list, select an option.
    4. In the Value field, enter the appropriate value for the attribute.
    5. Click Save.
  9. Click Update.

After successful network authentication, the configured attributes are applied to the device via the controller, and the device is then assigned to the appropriate VLANs based on the configuration.

Google Certificate Enrollment With Cloud RADIUS/Automate Certificate Enrollment With Cloud RADIUS

The connection of the SecureW2 network and a Google Workspace SAML application creates solutions for network administrators by achieving the goal of easily connecting users to the network and offering a higher level of control. Users must complete the onboarding process once to automatically enroll for certificates for uninterrupted connection, whereas, in the past, it would be a manual effort that would divert countless resources. Administrators can also differentiate between groups and ensure that everyone in the organization has access to the connections they need.

The WPA2-enterprise network, with EAP-TLS authentication, uses PKI for certificate-based authentication using a pair of public and private keys. What makes it secure is that the private key is always stored in the device, and the public key is issued as a digital certificate with a reputed Certificate Authority signing the certificate. Authentication is considered complete only when the public and private key matches.

SecureW2’s Managed PKI (Public Key Infrastructure) solution simplifies certificate management that includes a Hardware Security Module (HSM) to protect the PKI and ensures that every certificate issued can be trusted. Create custom certificate templates and design certificate issuance and enrollment policies to improve network visibility and enhance network security. Our industry best support team can also assist you any time you need help with this process.

If you’re interested in learning more about the advantages your IT department can experience by using Google Cloud with SecureW2 solutions, contact us, and we’d be happy to set up a free trial. Click here to get a pricing estimate for this cost-effective solution.

Schedule a Demo

Sign up for a quick demonstration and see how SecureW2 can make your organization simpler, faster, and more secure.

Schedule Now

Pricing Information

Our solutions scale to fit you. We have affordable options for organizations of any size. Click here to see our pricing.

Check Pricing