RADIUS Authentication with Google Workspace

Introduction

With a growing number of organizations utilizing Google Workspace for its solutions that improve collaboration and productivity, it is critical to ensure that network resources are accessed securely and effectively. Network security may be significantly enhanced using a solid authentication system like RADIUS (Remote Authentication Dial-In User Service) with Google Workspace. Centralized authentication, authorization, and accounting are made possible via a Google Workspace RADIUS server, which simplifies the administration of user credentials and access restrictions. Businesses may reduce the risk of illegal access and data breaches by integrating RADIUS with Google Workspace to guarantee that only authorized users can access vital network resources.

Furthermore, sensitive data is better protected because of cutting-edge security protocols like RadSec (RADIUS over TLS) integration in Google Workspace RADIUS solutions. RadSec protects credentials during the authentication process by encrypting communications between RADIUS clients and servers. Organizations may build a highly secure environment where every device must authenticate before entering the network by combining 802.1x, a network access control standard, with other security measures. In addition to strengthening network security, this layered security strategy—backed by SecureW2’s Cloud RADIUS solution—ensures smooth integration with Google Workspace and offers a scalable and trustworthy authentication framework for contemporary businesses.

Integration Process Overview

  1. Create a SAML Core Provider in SecureW2
  2. Configure the SAML IDP in Google Admin Console
    • The SAML Core Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
  3. Configure Attribute Mapping
    • Set specific attributes to segment the network into groups based on their identity within the organization.
  4. Configure Network Policies to be Distributed
    • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments are able to access.
  5. Setup RADIUS Lookup
    • We can create an OAuth application in Cloud RADIUS to perform a real-time lookup with Google Workspace. This will allow us to perform an additional security check, as well as revoke certificates and network access in real-time.

Configuring Google Workspace

Integrating SecureW2 with Google Workspace is necessary to simplify user authentication and improve network security. This section will show you how to use the Google Developer Console to configure SecureW2 with Google Workspace. Setting up OAuth consent and generating the required credentials guarantees smooth interaction with Google Workspace RADIUS and Google Workspace RadSec for reliable 802.1x authentication. Follow these precise instructions to effectively safeguard your organization’s network access.

Creating a New Project

The Google Service Account must be created in the IAM & Admin console.

  1. Open your Google developer console: https://console.developers.google.com
  2. Select the appropriate project, or create a new project.
  3. To create a new project in a Google service account:
    1. Click Create Project.
    2. In the New Project page, enter a name for the project in the Project name field.
    3. From the Organization drop-down, select the required organization for the project.
    4. From the Location drop-down, select the parent organization.
    5. Click Create.
  4. To create an OAuth consent, click OAuth consent screen in the left menu.
  5. Click Get Started.
  6. In App Information, enter the application name in the App name field.
  7. From the User support email drop-down list, select the user and click Next.
  8. In Audience, select Internal and then click Create.

Enabling Admin SDK API Privileges

The Google Admin SDK API must be enabled to view and manage users, groups and devices present in the organization’s project.

To enable Admin SDK API:

  1. From the Projects menu, select the project created in the previous section: Creating a New Project.
  2. Search for “API & Services”.
  3. Click Enable APIs and services.
  4. On the API Library page, enter Admin SDK API in the search box.
  5. Search for Admin SDK API.
  6. Click Admin SDK API.
  7. Click Enable.

Creating A Service Account and a JSON Key File

JoinNow needs a Google Service Account to authorize communication with Google to do a lookup operation on behalf of the service account. To create a Service Account in Google:

  1. Navigate to the IAM & Admin menu.
  2. From the left menu pane, click Service Accounts.
  3. Click + Create service account.
  4. In the Service account name field, enter a name for your service account.
  5. In the Service account ID field, enter an ID for the service account.
  6. Click Create and continue.
  7. Click Done. The required service account will be created. Click on the service account link.
  8. In the service account page, click on the KEYS tab.
  9. From the Add Key drop-down, select Create new Key.
  10. In the Create private key pop-up, select Key type as JSON.
  11. Click Create. The JSON file will be downloaded to the device. Click Close.
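
The downloaded JSON key is a long-lived credential, so it is worth checking it before it is uploaded to the signal source. The following is an added example, not part of the SecureW2 or Google tooling: it assumes a POSIX file system, and `check_key_file` and `sample_key` are illustrative names; the sample key is constructed and contains no real key material.

```python
import json
import os
import stat

# Fields present in a Google service account JSON key that a lookup depends on.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id",
                   "private_key", "client_email", "token_uri")


def sample_key():
    """Constructed key for demonstration; the private key is a placeholder."""
    return {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0000000000000000",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "radius-lookup@example-project.iam.gserviceaccount.com",
        "token_uri": "https://oauth2.googleapis.com/token",
    }


def check_key_file(path):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # The file holds a private key, so only its owner should be able to read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:o} lets group or other users read the key")
    try:
        with open(path, encoding="utf-8") as handle:
            key = json.load(handle)
    except (ValueError, UnicodeDecodeError) as exc:
        return findings + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return findings + ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            findings.append(f"missing field: {field}")
    # A common mistake is downloading an OAuth client file instead of a service account key.
    if key.get("type") and key["type"] != "service_account":
        findings.append(f"type is {key['type']!r}, expected 'service_account'")
    email = key.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        findings.append("client_email is not a service account address")
    private_key = key.get("private_key", "")
    if private_key and "BEGIN PRIVATE KEY" not in private_key:
        findings.append("private_key is not PEM encoded")
    return findings
```
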

Configuring Google Admin Console

Creating a User in Google Admin Console

Google mandates the creation of a user to access information from the service account. To create a user in the Google Admin console:

  1. Navigate to Directory > Users.
  2. Click Add new user. The Add new user form opens.
  3. In the First name field, enter a first name for the user.
  4. In the Last name field, enter a last name for the user.
  5. In the Primary email field, enter the organizational email of the user.
  6. Click ADD NEW USER.

Configuring SecureW2 for Google Workspace

To improve network authentication, you must configure a signal source and user and group policies while configuring SecureW2 for Google Workspace. Using the Getting Started Wizard, you will create a RADIUS server, Network Profiles, and the configurations for 802.1x Google Workspace integration. Using Google Workspace RadSec for secure authentication, this section explains how to set up a signal source, map attributes, define groups, and apply policies to guarantee smooth communication between SecureW2 and the Google Workspace RADIUS Server. To streamline and protect your network access, follow these steps.

Getting Started

The Getting Started Wizard creates everything you need for 802.1x. It will generate a RADIUS Server, Network Profiles, a Device Onboarding Landing Page, and all the default network settings you will need for 802.1x.

NOTE: If you have already configured SecureW2 for your network, you may skip this step.

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Device Onboarding > Getting Started.
  3. On the Quickstart Network Profile generator page, from the Generate Profile for drop-down list, select Internal User Authentication.
  4. From the Profile Type drop-down list, select Wireless.
  5. In the SSID text box, enter the name of the profile.
  6. From the Security Type drop-down list, select WPA2-Enterprise.
  7. From the EAP Method drop-down list, select EAP-TLS.
  8. From the Policy drop-down list, retain the DEFAULT option.
  9. From the Wireless Vendor drop-down list, select a vendor.
  10. From the RADIUS Vendor drop-down list, select a RADIUS vendor.
  11. Click Create. The process takes 60-90 seconds to complete.

Creating a Google Workspace Signal Source

During the RADIUS authentication process, Identity Lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Core Platforms. Here, we will create a Signal Source in SecureW2 so we can connect our Core Platform to look up users, groups, and their devices.

  1. Navigate to Integration Hub > Core Platforms.
  2. Click Add.
  3. In the Name field, enter the name of the signal source.
  4. In the Description field, enter a suitable description for the signal source.
  5. From the Type drop-down list, select Google Workspace.
  6. Click Save.
  7. The page refreshes and displays the Configuration, Attribute Mapping, and Groups tabs.
  8. Select the Configuration tab.
  9. Under the Configuration section, provide the following information.
    1. In the Service Account Key File field, click Choose File. Select the JSON Key file created in the Creating A Service Account and a JSON Key File section. Upload the file.
    2. In the Delegated Domain Authority Email field, enter the Primary email entered for the user in Creating a User in the Google Admin Console section.
    3. Click Validate to check the validity of the primary email entered.

Configuring Attribute Mapping

To add an attribute to the Signal Source, perform the following steps:

  1. Select the Attribute Mapping tab.
  2. From the Attribute Type drop-down list, select any one of the following options based on your business requirements.
    1. Device
    2. User
    3. Custom

    Admin can configure multiple Signal Source attributes by selecting the checkboxes next to the attributes.

  3. The Custom attribute displays the customized attributes configured by the Admin.
  4. To create custom attributes:
    1. Click the Add Custom Attributes link.
    2. In the Local Attribute field, enter the name to identify the attribute locally.
    3. In Remote Attribute, select the attribute to be mapped to the Local attribute. If you select User Defined, enter the attribute returned by the Core Provider that you want to map.
    4. Click Save.

Configuring Groups

Cloud RADIUS can perform a user group lookup, enabling you to create network access policies based on the groups to which a user belongs. The process is the same as the one used to add attributes in the previous section.

  1. Select the Groups tab.
  2. Click Add.
  3. On the displayed page, in the Local Group field, enter the name of the group.
    NOTE: This name shows up later as your ‘Group’ in the JoinNow MultiOS Management Portal when we configure policies.
  4. In the Remote Group field, enter the name of your group as it is configured in the Google Workspace.
  5. Click Create.
  6. Repeat as necessary for any Group you wish to create Network Policies around.
  7. Click Update.

Configuring Policies

SecureW2 policies allow the organization administrators to segment users and restrict/allow resources based on information stored in their directory entry. Since enforcement occurs at runtime, changes made to a user’s permissions are propagated throughout the system immediately, rather than a day or two later, as is typical with most RADIUS servers.

Configuring Account Lookup Policy

Lookup Policies are how we tie the new Signal Source to domains. Here, you create a condition that ties your domain to the new Signal Source you just created in the previous section.

  1. Navigate to Policy Management > Security Signal Sources.
  2. Click Add Security Signal Source.
  3. In the Name field, enter the name of the Security Signal Source.
  4. In the Display Description field, enter a suitable description for the Security Signal Source.
  5. Lookup Purpose – Purpose of Account Lookup
    1. Certificate Issuance – To look up the user/device account during Enrollment.
    2. RADIUS Authentication – To look up the user/device account during RADIUS Authentication.

  6. Click Save.
  7. The page refreshes and displays the Conditions and Settings tabs.
  8. Select the Conditions tab.
  9. From the Identity drop-down list, select the required identity attribute for lookup.
  10. Configure Regex to match the values of your devices configured in the Identity field.
  11. Select the Settings tab.
  12. From the Provider drop-down list, select the Google Workspace Signal Source you created earlier.
  13. From the Lookup Type drop-down, select any one of the following options:
    1. Auto 
    2. Device
    3. User
  14. From the Identity drop-down list, select the Identity attribute mapped for lookup.
  15. Select the Revoke On Failure checkbox.
  16. Click Update.

Configuring Policy Workflows

The following user role policies need to be configured.

User Role Policy for Enrollment

The first User Role Policy you need to create is one for enrollment. This is what MultiOS will use when end users are enrolling themselves for certificates. JoinNow MultiOS will not use the application you previously created in Google; instead, it requires a separate SAML Application in Google.

Refer to one of our SAML Core Provider configuration guides if you have not set this up already. Once you have your SAML Core Provider, start here:

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Name field, enter the name of the policy workflow.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Core Provider drop-down list, select the Core Provider you created earlier.
  8. Click Update.

User Role Policy for Network Authentication

Next, create a User Role Policy for Network Authentication. This policy will be used by Cloud RADIUS Dynamic Policy Engine to look up user status at the moment of authentication. Then Cloud RADIUS can dynamically apply Network policies, which need to be configured next.

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Name field, enter the name of the policy workflow.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Core Provider drop-down list, select the Google Workspace Signal Source that you created earlier.
  8. Click Update.

Group Role Policy for Network Authentication

Finally, create Role Policies for any Groups that we want to give differentiated network access. We can then leverage Cloud RADIUS Dynamic Policy Engine to send unique RADIUS attributes based on the Group users belong to with our Network policies.

  1. Navigate to Policy Management > Policy Workflows.
  2. Click Add Policy Workflow.
  3. In the Name field, enter the name of the policy workflow.
  4. In the Display Description field, enter a suitable description for the policy workflow.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Core Provider drop-down list, select the Google Workspace Signal Source you created earlier.
  8. In the Groups field, select the group you want to apply this Policy Workflow to. The group names that show up here are the Local Groups you configured in your Signal Source.
  9. Click Update.

Default Fallback Role Policy

You may notice that there is a “DEFAULT FALLBACK ROLE POLICY” in your User Role policies after you create a Signal Source.

The purpose of this policy is to let a user still authenticate to the network if the Identity Lookup fails, while assigning them a unique role.

This ensures that users do not experience disconnection if there is a small hiccup in the connection between Google and Cloud RADIUS, while your network remains secure because those users can be auto-assigned to a Guest VLAN.

Note: The DEFAULT FALLBACK ROLE POLICY is by default assigned the DEFAULT NETWORK POLICY.

Configuring Network Policy

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role. A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”. You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send Access Accept. To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network.
  2. Click Add Network Policy.
  3. In the Name field, enter the name of the network policy.
  4. In the Display Description field, enter a suitable description for the network policy.
  5. Click Save. The Conditions and Settings tabs are displayed.
  6. Select the Conditions tab.
  7. Click Add rule and select the policy workflow you want to assign to this network policy. It is essential to select the appropriate policy workflow, as it triggers the network policy. This menu offers various rules that you can select based on your business requirements.

    NOTE: You can assign a network policy to multiple user roles.
  8. From the Policy Workflow Equals drop-down list, select the role policy you created earlier (refer to the User Role Policy for Enrollment section). You can select multiple User Roles to assign to a Network Policy.
  9. Select the Settings tab.
    1. From the Access drop-down list, select any one of the options to allow or deny authentication requests. The default value is “Allow”.
    2. To configure MFA, select the checkbox to enable MFA.
    3. From the Perform MFA Using drop-down list, select a Core Provider for MFA.
    4. Click Add Attribute.
      1. From the Dictionary drop-down list, select an option:
        • Radius: IETF – This is what we will use for the following attributes, as we are using standard RADIUS attributes for VLAN assignment.
        • Custom: Used for any VSAs (Vendor-Specific Attributes).
    5. From the Attribute drop-down list, select an option.
      1. Framed-Protocol
      2. Framed-IP-Address
      3. Framed-IP-NetMask
      4. Framed-Routing
      5. Filter-Id
      6. Framed-MTU
      7. Framed-Compression
      8. Reply-Message
      9. Framed-Route
      10. Framed-IPX-Network
      11. State
      12. Class
      13. Session-Timeout
      14. Tunnel-Type
      15. Tunnel-Medium-Type
      16. Tunnel-Private-Group-ID
      17. Framed-Pool
      18. User-Name
    6. In the Value field, enter the appropriate value for the attribute.
    7. Click Save.
    8. Repeat for any other RADIUS attribute you would like to send. For reference, here is what is commonly required for VLAN Assignment:
      1. Tunnel-Medium-Type: IEEE-802
      2. Tunnel-Private-Group-ID: {VLAN Name}
      3. Tunnel-Type: VLAN
  10. Click Update.

    NOTE: Repeat the process for all the attributes you want to send to the User Role.
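
How the three VLAN assignment attributes listed above appear on the wire, and how to confirm from a captured Access-Accept that the assignment is complete, shown as an added example that is not SecureW2 code. The attribute numbers and values come from RFC 2865, RFC 2868 and RFC 3580; the packets are constructed with a zeroed authenticator, and all function names are illustrative.

```python
import struct

# Codes and attribute numbers from RFC 2865, RFC 2868 and RFC 3580.
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type: IEEE-802


def encode_attr(attr_type, value):
    """Type, Length, Value; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, identifier, attrs=b""):
    """Constructed packet: the authenticator is zeroed, not derived from a shared secret."""
    return struct.pack("!BBH16s", code, identifier, 20 + len(attrs), bytes(16)) + attrs


def build_vlan_accept(identifier, vlan, tag=0):
    """Access-Accept carrying the three attributes used for VLAN assignment."""
    group = vlan.encode("ascii")
    if tag:  # tags 0x01-0x1F group the attributes that describe one tunnel
        group = bytes([tag]) + group
    attrs = (
        encode_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + encode_attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + encode_attr(TUNNEL_PRIVATE_GROUP_ID, group)
    )
    return build_packet(ACCESS_ACCEPT, identifier, attrs)


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs


def vlan_assignment(packet):
    """VLAN from an Access-Accept, or None unless all three attributes agree.

    Simplification: tags are stripped but not used to pair attributes, so a
    reply describing several tunnels is read as one.
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    seen = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            seen[attr_type] = int.from_bytes(value[1:], "big")  # skip the tag byte
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            if value[0] <= 0x1F:  # a leading byte this small is a tag, not text
                value = value[1:]
            seen[attr_type] = value.decode("ascii", "replace")
    if (seen.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and seen.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
            and seen.get(TUNNEL_PRIVATE_GROUP_ID)):
        return seen[TUNNEL_PRIVATE_GROUP_ID]
    return None
```

A `None` result for an Access-Accept means the reply grants access without a complete VLAN assignment, which is what a Network Policy with an empty or partial attribute section produces.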

Enhancing Network Security with SecureW2 and Google Workspace

Integrating SecureW2 with Google Workspace for network authentication gives administrators and users a robust, secure, and smooth experience. Following the procedures here will allow you to utilize SecureW2’s Cloud RADIUS solution, ensuring fully safe, certificate-based 802.1x authentication and easing network management. The combination of SecureW2 with Google Workspace improves security while simplifying the login process, reducing administrative load, and improving the user experience.

SecureW2’s revolutionary solutions provide unrivaled security and ease of use. With capabilities such as automated certificate enrollment, full identity search, and extensive policy administration, SecureW2 is the solution for organizations wishing to protect their networks using Google Workspace. Our cloud-based RADIUS server offers high availability and minimum maintenance, letting you focus on what is most important—your company.

Contact us now to find out how we can assist your organization in achieving seamless and secure authentication.

RADIUS Authentication for Google Workspace FAQs

How does your Google Workspace RADIUS server allow users to access Wi-Fi with Google?

Our platform enables administrators to take attributes from Google Workspace and tie them to users through the use of digital certificates. These certificates can then be used in tandem with Cloud RADIUS to passwordlessly authenticate to a range of resources, including Wi-Fi and wired networks.

The authentication process is straightforward. Once the user is enrolled for a certificate, they’re able to send the certificate to Cloud RADIUS when they connect to your secure Wi-Fi network. Cloud RADIUS will verify that the certificate isn’t expired, then perform Identity Lookup in real-time to confirm that the user is authorized in Google Workspace. This method of authenticating users isn’t just more secure; it’s more user-friendly. Since they no longer need to enter in passwords whenever they need to re-authenticate or endure annoying disconnects when their password is reset, they can enjoy uninterrupted access.

Why shouldn’t I use Google credentials directly for Wi-Fi and VPN Authentication?

Using Google credentials for Wi-Fi and VPN authentication introduces substantial security threats and administration issues. Direct credential use raises the danger of phishing attacks, as leaked passwords can provide unauthorized access to critical network resources. Furthermore, password-based authentication lacks the strength of contemporary security methods, making the network vulnerable to brute-force assaults.

Furthermore, maintaining and safeguarding passwords can be complicated, leading to inadequate password practices among users. Instead, combining Google Workspace with a solution such as SecureW2’s Cloud RADIUS and Digital Certificates improves security by enabling passwordless authentication. This strategy reduces the chance of credential theft while simultaneously streamlining the authentication process, resulting in a safe and quick network access experience.

How does RadSec enhance the security of RADIUS Authentication with Google Workspace?

By using TLS (Transport Layer Security) to encrypt RADIUS communication and guarantee that authentication data is transferred securely across the network, RadSec improves the security of RADIUS authentication with Google Workspace. In contrast to standard RADIUS’s plain text transmission, RadSec’s end-to-end encryption shields sensitive credentials against eavesdropping and manipulation.

This secure connection is essential when connecting with Google Workspace since it guarantees the protection of sensitive data, including user credentials, throughout the authentication process. RadSec now allows mutual authentication to strengthen security further, enabling the client and server to authenticate each other. Businesses may securely authenticate customers to VPN and Wi-Fi services while protecting the integrity and privacy of their Google Workspace login credentials by implementing RadSec.

Why can’t we just build our own RADIUS Server to Use with Google Workspace?

Building a custom RADIUS server for Google Workspace may be difficult and resource-consuming. An in-depth understanding of network protocols, security procedures, and continual maintenance to guarantee compliance with Google Workspace’s authentication protocols is necessary for developing a safe and dependable RADIUS server. It also requires frequent upgrades to fix security flaws and adjust to evolving requirements.

Strong encryption and security methods, like RadSec, are also necessary for Google Workspace integration to safeguard user credentials. A lack of these cutting-edge capabilities in an in-house solution might pose security problems. Furthermore, development, testing, and maintenance can take time and money.

A professionally managed solution like SecureW2 leaves the complexity of creation and maintenance to specialists and offers a secure, dependable, and compliant authentication service.

Why should I consider SecureW2’s Cloud RADIUS solution for Google Workspace Authentication?

The Cloud RADIUS solution from SecureW2 is the best option for Google Workspace authentication because of its strong security, smooth integration, and user-friendliness. Supporting cutting-edge encryption protocols like EAP-TLS offers a safe authentication technique and guarantees the protection of user credentials. Because SecureW2’s RADIUS is cloud-based, there is no need for on-premises equipment, which lowers maintenance and operating expenses.

Furthermore, SecureW2 simplifies the deployment process by providing a simple connection with Google Workspace. The solution facilitates features that improve security and lower the possibility of credential theft, such as certificate-based authentication. Organizations using SecureW2 may use round-the-clock monitoring and assistance, guaranteeing consistent, dependable functioning. SecureW2’s Cloud RADIUS offers an extensive, safe, and reasonably priced authentication solution designed specifically for Google Workspace.
