
Configuring 802.1x Network Access with Google Workspace

Network visibility is one of the key factors with a direct impact on your network security, especially on wireless networks. The greater the visibility, the more control you have over your network. Certificate-based authentication backed by a public key infrastructure (PKI) improves network visibility to a great degree. A digital certificate contains unique information about the client or device that cannot be forged, and it is signed by a reputable Certificate Authority, which validates the client's identity.

Effectively identifying a user or device makes it easier to segment network users, which ultimately leads to a well-structured and secure network. Combining certificate authentication with SAML (Security Assertion Markup Language) in Google Workspace segments users seamlessly as they automatically enroll for network access.

During configuration, admins can assign attributes to network users that denote user groups within the organization. Based on a user's role, seniority, job function, or countless other factors, you can distribute different use policies and network settings. The customization can be as simple or as complex as required.

As a result, network users enroll once for network access and remain authorized for the life of their certificate. IT gets comprehensive visibility into who is connected to the network and what they are browsing. For accurate reporting and a network organized around your policies, turn to certificate solutions for Google Workspace SAML.

Public Key Infrastructure (PKI) for Certificate-Based Authentication

PKI-based authentication uses the Transport Layer Security (TLS) protocol, in the form of the EAP-TLS method, which is considered secure, to protect communication between client and server during authentication. The user is authenticated with an X.509 client certificate signed by a valid and reputable Certificate Authority, ensuring that only authorized clients or devices get access to your network.

WPA2-Enterprise with EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is considered the most secure option. The client can be configured to connect only after server certificate validation has succeeded. Mutual authentication, in which both the server certificate and the client certificate are validated, makes this EAP method almost impenetrable, the strongest of all EAP methods.

Managing a PKI can seem like a daunting task. However, SecureW2's Managed PKI solution, designed to work across operating systems, offers an easy-to-use graphical interface for viewing and managing your certificates, from issuance to revocation, with a few clicks. Our industry-exclusive Identity Lookup with LDAP and SAML Identity Providers looks up the user's identity in real time at the moment of authentication.

Integration Process Overview of WPA2-Enterprise With Google Workspace

Configuring a WPA2-Enterprise environment with a Google Workspace service account can be a complicated task: it requires carefully weaving together multiple components such as the PKI, the Certificate Authority, the certificate enrollment and management system, and RADIUS EAP-TLS authentication. When properly configured, it enhances your network security by giving the network administrator much better visibility and real-time control over access management, making it the best security guard you can invest in.

SecureW2's solution is integrated with the Google Workspace SAML application, allowing a network administrator to easily connect users to the network while maintaining a high level of control. Digital certificates issued and managed by a PKI solution provide a strong security foundation for a WPA2-Enterprise network.

Below is the process overview for configuring WPA2-enterprise with the Google Workspace (G-Suite) SAML application.

  1. Add the SAML Identity Provider to SecureW2
  2. Configure the SAML IDP in Google Admin Console
    • The SAML Identity Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
  3. Configure Attribute Mapping
    • Set specific attributes to segment the network into groups based on their identity within the organization.
  4. Configure Network Policies to be Distributed
    • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments are able to access.

Configuring WPA2-Enterprise With Google Workspace in SecureW2

Create an IDP in SecureW2

  1. Log in to the JoinNow Management Portal.
  2. Go to Identity Management > Identity Providers.

  3. Click Add Identity Provider.
  4. In the Basic section, type the Name and Description of the IDP.
  5. From the Type drop-down list, select SAML.
  6. From the SAML Vendor drop-down list, select Google Apps.

  7. Click Save.

The SecureW2 Cloud Connector now knows how to exchange information with your provider's user database.

Create a SAML Application in Google

The SAML application is a crucial connection between the IDP and SecureW2. The SAML application allows a user to enter their credentials, which are then passed to the IDP for verification. The IDP verifies the user’s identity and then sends attributes to the SAML application, which then passes the attributes to SecureW2 for certificate issuance.

To create a SAML application in Google:

  1. Log in to your Google Admin Console.
  2. From the menu, select Apps > Web and mobile apps.
  3. Click Add app and select Add custom SAML app.

  4. In the App name field, type a unique name for the app and click CONTINUE.

  5. Under Option 1, click the DOWNLOAD METADATA button and save the metadata file (.XML) on your computer. You need to import this metadata file to the JoinNow Management Portal.

  6. Click CONTINUE.
  7. In the JoinNow Management Portal, go to Identity Management > Identity Providers.

  8. On the Identity Providers page, click the Edit link for the newly added SAML application. The following screen is displayed.

  9. Click the Configuration tab. The following screen is displayed.

  10. In the Service Provider (SP) Info section, copy the ACS URL and Entity ID values to your clipboard.
  11. In the Identity Provider (IDP) Info section, for the Metadata field, click Choose File and select the metadata (.XML) file that you downloaded earlier from Google SAML Apps.

  12. Click Upload and then click Update.
  13. Go to Google SAML Apps and, on the Service provider details screen, add the ACS URL and Entity ID (obtained in step 10).
  14. Check the Signed response checkbox.
  15. From the Name ID format drop-down list, select EMAIL.
  16. From the Name ID drop-down list, select Basic information > Primary email.
  17. Click CONTINUE.

  18. Click Finish on the Attribute Mapping screen.

Configure Attribute Mapping

  1. On the Google Admin page, scroll down to Attribute Mapping.
  2. Click ADD MAPPING to configure the attributes to be encoded in the certificate.
    NOTE: It is likely that your directory will have a name and an email.
  3. From the Google Directory attributes drop-down list, under Basic Information, select Primary email.
  4. In the App attributes field, type Email.
  5. Click ADD MAPPING again.
  6. From the Google Directory attributes drop-down list, under Basic Information, select First name.
  7. In the App attributes field, type FirstName.

  8. Click FINISH.

After Google identifies the users that are trying to connect, it sends their name and email to SecureW2, which populates them into the certificates. The attributes that Google sends fill the variables in the certificate template.

  1. In the JoinNow Management Portal, navigate to Identity Management > Identity Providers.
  2. Click the Edit link for the SAML application that you created earlier. The following screen is displayed.

  3. Click the Attribute Mapping tab. The following screen is displayed.

  4. Click Add.
  5. In the Local Attribute field, enter email as the name of the variable.
  6. From the Remote Attribute drop-down list, select User Defined. Enter Email in the field that appears next to the Remote Attribute field.

  7. Click Next.
  8. Click Add.
  9. In the Local Attribute field, enter displayName as the name of the variable.
  10. From the Remote Attribute drop-down list, select User Defined. Enter FirstName in the field that appears next to the Remote Attribute field.

  11. Click Next.
  12. Click Add.
  13. In the Local Attribute field, enter upn as the name of the variable.

    NOTE: User Principal Name (upn) is the first attribute the RADIUS server authenticates against. This is useful when a user connects to your network and wants to use eduroam, because the university's realm can then be found in the domain part of the email address.
  14. From the Remote Attribute drop-down list, select User Defined. Enter Email in the field that appears next to the Remote Attribute field.

  15. Click Next.
  16. Click Update.

The attributes are now configured and you can view them under certificates. To do so:

  1. Go to PKI > Certificate Authorities.
  2. On the Certificate Templates page, click the Edit link for DEFAULT CERTIFICATE TEMPLATE 1. The following screen is displayed.

  3. Under the Basic section, note that the displayName variable is encoded as Subject.
  4. Under SAN, note that the upn is encoded as Other Name and email is encoded as RFC822.
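The two mapping procedures above (Google app attributes to SecureW2 local variables, and local variables to certificate fields) can be followed end to end in code. The block below is an added example, not SecureW2's own code: it parses a constructed SAML AttributeStatement carrying the Email and FirstName app attributes, applies the mapping entered in steps 5 to 14 (email and upn from Email, displayName from FirstName), treats upn as mandatory, extracts the realm from the UPN as the eduroam note describes, and lays the result out the way DEFAULT CERTIFICATE TEMPLATE 1 encodes it (displayName as Subject, upn as SAN otherName, email as rfc822Name). Only the Python standard library is used; no real certificate is produced, and the field layout is an illustration of the template, not its actual encoding.

```python
"""Resolve SAML attributes into certificate template variables.

Added example, not SecureW2 code.  It models the attribute mapping entered
above (email <- Email, displayName <- FirstName, upn <- Email) and the way
DEFAULT CERTIFICATE TEMPLATE 1 encodes the result.  The SAML
AttributeStatement below is constructed sample data.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what Google sends after the Google-side mapping:
# app attribute "Email" from Primary email, "FirstName" from First name.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="Email">
    <saml:AttributeValue>jane.doe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="FirstName">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Local (certificate) variable -> remote (app) attribute, as in steps 5-14.
ATTRIBUTE_MAPPING = {
    "email": "Email",
    "displayName": "FirstName",
    "upn": "Email",
}


def parse_saml_attributes(xml_text):
    """Return {remote attribute name: first value} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind("saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text and value.text.strip():
            attrs[attr.get("Name")] = value.text.strip()
    return attrs


def apply_mapping(remote_attrs, mapping=ATTRIBUTE_MAPPING):
    """Fill the local variables; upn is mandatory, the rest may be absent."""
    local = {name: remote_attrs[remote]
             for name, remote in mapping.items() if remote in remote_attrs}
    if "upn" not in local:
        raise ValueError("mandatory attribute upn could not be resolved")
    return local


def realm_of(upn):
    """Realm (domain part) of the UPN, which eduroam routes on."""
    _, at, realm = upn.rpartition("@")
    if not at or not realm:
        raise ValueError("UPN %r carries no realm" % upn)
    return realm


def render_certificate_fields(local):
    """Lay the variables out as the default template encodes them."""
    san = [("otherName(UPN)", local["upn"])]
    if "email" in local:
        san.append(("rfc822Name", local["email"]))
    return {
        # displayName is the Subject; fall back to the UPN if it is missing.
        "subject": "CN=%s" % local.get("displayName", local["upn"]),
        "san": san,
    }


if __name__ == "__main__":
    resolved = apply_mapping(parse_saml_attributes(SAMPLE_ATTRIBUTE_STATEMENT))
    print("realm:", realm_of(resolved["upn"]))
    print(render_certificate_fields(resolved))
```

Running the block prints the realm `example.edu` and the rendered Subject and SAN entries; feeding it an assertion without the Email attribute raises, which is the behaviour you want when the mandatory UPN cannot be populated.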

Configure Policies in SecureW2

  1. Go to Device Onboarding > Getting Started.
  2. In the SSID field, type an SSID name.
  3. From the Security Type drop-down list, select WPA2-Enterprise.
  4. From the EAP Method drop-down list, select EAP-TLS.
  5. In the Policy drop-down field, retain DEFAULT.
  6. From the Wireless Vendor drop-down list, select a vendor.
  7. From the RADIUS Vendor drop-down list, select a RADIUS vendor.

  8. Click Create. It takes around 60-90 seconds for the process to complete.
  9. Go to Policy Management > Authentication Policies. The authentication policies for the network profiles are displayed.
  10. Click the Edit link for your network profile’s authentication policy.
  11. Select the Conditions tab and ensure that your network profile is selected.
  12. Select the Settings tab and ensure that the selected IDP is the one you created earlier.
  13. Select the Enable User Self Service checkbox.

  14. Click Update.
  15. Go to Policy Management > Roles Policies.
  16. Click the Edit link for the DEFAULT ROLE POLICY 1 that was created.
  17. Select the Conditions tab and, from the Identity Provider drop-down list, select the IDP that you created earlier.

  18. Click Update.

Create A Google Identity Lookup Provider with Authentication Server

During RADIUS EAP-TLS authentication, the user or device presents the 802.1X client certificate, and the RADIUS server, acting as the authentication server, verifies the relevant information from the certificate against the existing users in the Identity Provider. If it matches a user in the IDP and the certificate is neither expired nor on the Certificate Revocation List (CRL), authentication of the user or device is complete and access to the network is granted.

Now we will create an Identity Lookup provider in SecureW2 that connects to our Identity Provider, in this case Google Workspace, so that it can look up users, groups, and their devices.

  1. Navigate to Identity Management > Identity Providers.
  2. Click Add Identity Provider.
  3. On the displayed screen, enter a Name and Description of the Identity Provider.
  4. From the Type drop-down list, select Google Workspace Identity Lookup.
  5. Click Save. The page refreshes and the Configuration, Attribute Mapping, and Groups tabs appear.
  6. Under the Configuration tab, provide the following information:
    1. In Client Id, enter the client Id that you retrieved from Google Workspace.
    2. In Client Secret, enter the client secret you generated in the Google Workspace and saved in a secure place.

      NOTE: After updating the Identity Provider, this secret will not be retrievable. Therefore, make sure this is saved in a secure place.
    3. Click Update.
  7. Click Authorize on your new Google Workspace Identity Lookup. This will test the connection between SecureW2 and Google Workspace.

Configuring the Attributes for Identity Lookup

To add a custom attribute to the IDP, perform the following steps:

  1. Navigate to the Attribute Mapping tab.

  2. Click Add.
  3. In the Local Attribute field, enter a name for the attribute.
  4. In the Remote Attribute field, select the attribute to be mapped to the Local Attribute. If you select User Defined, enter a value to be mapped.

    NOTE: UPN is a mandatory attribute, so make sure you at least have one attribute that contains UPN in the Remote Attribute field.

  5. Click Next to create the custom attribute with the appropriate mapping.
  6. Repeat the steps if you want to create more attributes.

Configuring Groups for Google Workspace SAML Authentication

Cloud RADIUS can perform a User Group Lookup, so network access policies can be created based on the groups a user belongs to. The process is the same as adding attributes in the previous section.

  1. Navigate to the Groups tab.
  2. Click Add.
    1. In the Local Group field, enter a name for the group. This name will be displayed as your ‘Group’ in the JoinNow MultiOS Management Portal when you configure policies.
    2. In the Remote Group field, enter the name of your group as it is configured in the Google Workspace.

  3. Click Create.
  4. Repeat as necessary for any Group you wish to create Network Policies around.

  5. Click Update.

Configure Certificate-Based 802.1X WPA2-Enterprise Network Policy Settings

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role.

A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”.

You can configure any RADIUS attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send an Access-Accept.

To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network Policies.
  2. On the Network Policies page, click Add Network Policy.
  3. On the displayed screen, enter a Name and Displayed Description for the network policy in the corresponding fields.

  4. Click Save.
  5. Click the Conditions tab.
  6. Click Add group and select the user role you want to assign to this network policy.

    NOTE: You can assign a network policy to multiple user roles.

  7. Click the Settings tab.
  8. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option: Radius:IETF or Custom.

    2. From the Attribute drop-down list, select an option.

    3. In the Value field, enter the appropriate value for the attribute.
    4. Click Save.
    5. Click Update.

NOTE: Repeat the process for all the attributes you want to send to the User Role.
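The authentication-server description earlier (match the certificate against the IDP, then check expiry and the CRL) and the Network Policy described in this section are two halves of one authorization decision. The block below is an added example, not SecureW2's Cloud RADIUS code, that puts them together: it assumes the TLS layer has already validated the client certificate's chain and signature, then looks up the certificate's UPN in a constructed directory, rejects expired or revoked certificates, and applies the example policy from the text ("If User Role = Staff, authorize access and assign them to VLAN 2") by returning the RFC 2868 tunnel attributes that carry a VLAN assignment, or a bare Access-Accept when a policy has no attributes. The directory, CRL, policies and certificates are constructed sample data, and the choice to reject a user no policy covers is an assumption, not something the page states.

```python
"""Authorization decision a RADIUS server makes after an EAP-TLS handshake.

Added example, not SecureW2's Cloud RADIUS code.  It assumes the TLS layer
has already validated the client certificate's chain and signature, and
models the steps the text describes: identity lookup of the certificate's
UPN, expiry and CRL checks, then the Network Policy that turns the user's
role into RADIUS reply attributes.  Directory, CRL, policies and
certificates are constructed data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# RFC 2868 tunnel attributes used for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


@dataclass(frozen=True)
class PresentedCertificate:
    """The fields pulled from the 802.1X client certificate."""
    upn: str            # SAN otherName, as encoded by the template above
    serial: str
    not_after: datetime


# Constructed stand-in for the Identity Lookup provider: UPN -> groups.
DIRECTORY = {
    "jane.doe@example.edu": ["Staff"],
    "sam.lee@example.edu": ["Students"],
}
# Constructed CRL, keyed by certificate serial number.
REVOKED_SERIALS = {"0x2a"}

# Network policies as in the text: "If User Role = Staff, authorize and
# assign VLAN 2".  An empty attribute dict means a bare Access-Accept.
NETWORK_POLICIES = [
    {"roles": {"Staff"}, "attributes": {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": "2",
    }},
    {"roles": {"Students"}, "attributes": {}},
]


def authorize(cert, now, directory=DIRECTORY, crl=REVOKED_SERIALS,
              policies=NETWORK_POLICIES):
    """Return ("Access-Reject", reason) or ("Access-Accept", reply_attributes)."""
    if cert.not_after <= now:
        return ("Access-Reject", "certificate expired")
    if cert.serial in crl:
        return ("Access-Reject", "certificate revoked")
    groups = directory.get(cert.upn)
    if groups is None:
        return ("Access-Reject", "identity lookup found no user for the UPN")
    matching = [p for p in policies if p["roles"] & set(groups)]
    if not matching:
        # Assumption: a user no policy covers is denied rather than accepted.
        return ("Access-Reject", "no network policy covers the user's roles")
    reply = {}
    for policy in matching:
        reply.update(policy["attributes"])
    return ("Access-Accept", reply)


# Constructed fixtures: a fixed "now" and certificates exercising each path.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
STAFF_CERT = PresentedCertificate("jane.doe@example.edu", "0x1f", NOW.replace(year=2025))
STUDENT_CERT = PresentedCertificate("sam.lee@example.edu", "0x31", NOW.replace(year=2025))
EXPIRED_CERT = PresentedCertificate("jane.doe@example.edu", "0x1e", NOW.replace(year=2023))
REVOKED_CERT = PresentedCertificate("jane.doe@example.edu", "0x2a", NOW.replace(year=2025))
UNKNOWN_CERT = PresentedCertificate("nobody@example.edu", "0x40", NOW.replace(year=2025))

if __name__ == "__main__":
    for cert in (STAFF_CERT, STUDENT_CERT, EXPIRED_CERT, REVOKED_CERT, UNKNOWN_CERT):
        print(cert.upn, cert.serial, "->", authorize(cert, NOW))
```

The order of the checks matters for what the controller sees: a revoked or expired certificate is refused before any directory lookup, so a stolen device whose certificate has been revoked in the CRL never reaches the policy stage, and the Staff user receives the three tunnel attributes the wireless controller needs to place the session in VLAN 2.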

Google Certificate Enrollment With Cloud RADIUS

Connecting SecureW2 with a Google Workspace SAML application gives network administrators an easy way to connect users to the network while offering a higher level of control. Users complete the onboarding process once to automatically enroll for certificates and stay connected without interruption, whereas in the past this was a manual effort that diverted countless resources. Administrators can also differentiate between groups and ensure that everyone in the organization has access to the connections they need.

A WPA2-Enterprise network with EAP-TLS authentication uses PKI for certificate-based authentication with a public and private key pair. What makes it secure is that the private key is always stored on the device, while the public key is issued in a digital certificate signed by a reputable Certificate Authority. Authentication is considered complete only when the public and private keys match.

SecureW2's Managed PKI (Public Key Infrastructure) solution simplifies certificate management and includes a Hardware Security Module (HSM) to protect the PKI, ensuring that every certificate issued can be trusted. Create custom certificate templates and design certificate issuance and enrollment policies to improve network visibility and enhance network security. Our support team can assist you whenever you need help.

If you're interested in learning more about the advantages your IT department can gain from using Google Cloud with SecureW2 solutions, contact us and we'd be happy to set up a free trial, or click here to get a pricing estimate for this cost-effective solution.