Configuring WPA2-Enterprise With Google Workspace SAML Authentication

Effectively identifying and segmenting network users is vital to network security and a boost to the overall user experience. Combining certificate authentication with SAML in Google Workspace will seamlessly segment users as they enroll for network access.

During the configuration process, admins can assign attributes to your network users that denote user groups within your organization. Based on the user’s role, seniority, job function, or countless other factors, you can distribute countless use policies and network settings. The customization can be as simple or complex as required.

As a result, network users enroll once for network access and are authorized for the life of their certificate. IT is provided comprehensive visibility context concerning who is connected to the network and what they are browsing. For accurate reporting and a network organized around your policies, turn to certificate solutions for Google Workspace SAML.

Integration Process Overview

  1. Add the SAML Identity Provider to SecureW2
  2. Configure the SAML IDP in Google Admin Console
    • The SAML Identity Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
  3. Configure Attribute Mapping
    • Set specific attributes to segment the network into groups based on their identity within the organization.
  4. Configure Network Policies to be Distributed
    • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments are able to access.

Getting Started

The Getting Started Wizard creates everything you need for 802.1x. It will generate a RADIUS Server, Network Profiles, a Landing Page for Device Onboarding, and all the default network settings you will need for 802.1x.

NOTE: If you have already configured SecureW2 for your network, you may skip this step.

  1. Navigate to Device Onboarding > Getting started.
  2. Configure the settings as shown in the following screen.
  3. Keep all the settings the same, except the following:
    a. SSID: Change this to the SSID name you wish to authenticate users with.
    b. Wireless Vendor: Change this to your Wireless Infrastructure Vendor.
  4. The Getting Started wizard typically takes 60-90 seconds to create everything required, so please be patient before moving on to the next steps.

Create an Identity Lookup Provider

During the RADIUS authentication process, Identity Lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider. Here we will create an Identity Lookup provider in SecureW2 so we can connect our Identity Provider to lookup users, groups and their devices.

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. Enter the Name and Description in the respective fields.
  4. Select Type as Identity Lookup Provider: GSuite Identity Provider.
  5. Click Save. The page refreshes and the Configuration, Attribute Mapping, and Groups tabs appear.
  6. Under the Configuration tab provide the following information:
    • In Client ID, enter the client ID that you retrieved from Google Workspace.
    • In Client Secret, enter the client secret you generated in Google Workspace and saved in a secure place.
      • NOTE: After updating the Identity Provider, this secret will not be retrievable. Therefore, make sure this is saved in a secure place.
    • Click Update.
  7. Click Authorize on your new GSuite Identity Lookup. This will test the connection between SecureW2 and Google Workspace.

Adding Attributes

To add a custom attribute to the IDP, perform the following steps:

  1. In the Attribute Mapping tab, click Add. The following screen appears.
  2. In Local Attribute, enter a name for the attribute. This will just be how your attribute will be referred to in the Management Portal. You can name it anything you wish. In Default field, enter a description of the attribute.
  3. In the Remote Attribute field, select USER_DEFINED. Enter the value you want SecureW2 to receive from Google.
    • NOTE: UPN is a mandatory attribute, so make sure you at least have one attribute that contains UPN in the Remote Attribute field.
  4. Click Next to create the custom attribute with the appropriate mapping.
  5. Repeat the steps if you want to create more attributes.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup so we can create network access policies based off of the Groups a user is in. The process is the same as how you added attributes in the previous section.

  1. Under the Groups tab, click Add.
    • Create any name for Local Group. This name will be what shows up later as your Group in the SecureW2 Management Portal when you configure policies.
    • In Remote Group enter the name of your Group as it is configured in Google Workspace.
    • Click Create.
  2. Click Update.
  3. Repeat as necessary for any Group you wish to create Network Policies around.

Configure WPA2-Enterprise Network Policy Settings

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role.

A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”.

You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send Access Accept. To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network.
  2. Click Add Network Policy.
  3. Enter a Name.
  4. Click Save.
  5. Under the Conditions tab, select the User Role you want assigned this Network Policy to.
    • You can select multiple User Roles to assign a Network Policy to.
  6. Under the Settings tab, click Add Attribute.
    • Select the Attribute you wish to send to the wireless controller.
    • In Value, enter the appropriate value for your attribute.
    • Click Update.
      • Repeat as necessary for all the attributes you want to send for your User Role.

The connection of the SecureW2 network and a Google Workspace SAML application create solutions for network administrators by achieving the goal of easily connecting users to the network and offering a higher level of control. Users have to complete the onboarding process once for uninterrupted connection, whereas in the past it would be a manual effort that would divert countless resources. Administrators can also differentiate between groups and ensure that everyone in the organization has access to the connections they need.

If you’re interested in learning more about the advantages your IT department can experience, contact us and we’d be happy to set up a free trial. Or click here to get a pricing estimate for this cost-effective solution.

Google and Google Workspace are either registered trademarks or trademarks of Google, Inc. in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.