RADIUS Authentication with Google Workspace

Introduction

To achieve secure passwordless network authentication, Cloud RADIUS uses digital certificates as its primary form of authentication. This guide details how to enroll Google Workspace users and devices for certificates so they can use them to authenticate against Cloud RADIUS.

Integration Process Overview

  1. Create a SAML Identity Provider in SecureW2
  2. Configure the SAML IDP in Google Admin Console
    • The SAML Identity Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
  3. Configure Attribute Mapping
    • Set specific attributes to segment the network into groups based on their identity within the organization.
  4. Configure Network Policies to be Distributed
    • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments are able to access.
  5. Set up RADIUS Lookup
    • We can create an OAuth application in Cloud RADIUS to perform a real-time lookup with Google Workspace. This will allow us to perform an additional security check, as well as revoke certificates and network access in real-time.

Configuring Google Workspace

To integrate SecureW2 with Google Workspace, perform the following steps:

  1. Open your Google developer console: https://console.developers.google.com
  2. Select the appropriate project, or create a new project as shown in the following screen.
  3. Provide the Project name, Organization, and Location. Then, click Create.
  4. To create an OAuth consent screen, click OAuth consent screen in the left menu. The following screen is displayed.
  5. Select Internal, then click Create. The following screen appears:
  6. Provide the Application name, Application logo, and Support email. Then, click Save.
  7. Click Credentials in the left menu. The following screen appears.
  8. Click Create Credential > OAuth client ID. The following screen appears:
  9. From Application type, select Web application.
  10. Under Authorized redirect URIs, add the Authorization Portal redirect URI. You can get this Redirect URI from the JoinNow Management Portal while configuring the Google Workspace Identity Lookup.
    For example, https://<orgidentifier>.securew2.com/auth/oauth/code.
  11. Click Update. The following screen is displayed.
  12. Copy the Your Client ID and Your Client Secret values and save for later.
  13. To enable the Admin SDK service, navigate to Dashboard and click ENABLE API AND SERVICE.
  14. Search for Admin SDK.
  15. Open Admin SDK. The following screen appears:
  16. Click Enable.

NOTE: The Authorize feature allows you to test that Google is set up properly to work with SecureW2. You can use this feature after you configure an Identity Lookup Provider in the next part of the documentation.

Configuring SecureW2 for Google Workspace

Now that you have configured Google Workspace, run the Getting Started Wizard and create an Identity Lookup Provider in SecureW2 to communicate with Google Workspace. Then, create the user and group policies to implement for your network authentication.

Getting Started

The Getting Started Wizard creates everything you need for 802.1x. It will generate a RADIUS Server, Network Profiles, a Landing Page for Device Onboarding, and all the default network settings you will need for 802.1x.

NOTE: If you have already configured SecureW2 for your network, you may skip this step.

  1. Navigate to Device Onboarding > Getting Started.
  2. On the Quickstart Network Profile generator page, from the Profile Type drop-down list, select Wireless.
  3. In the SSID text box, enter an SSID name.
  4. From the Security Type drop-down list, select WPA2-Enterprise.
  5. From the EAP Method drop-down list, select EAP-TLS.
  6. From the Policy drop-down list, retain DEFAULT.
  7. From the Wireless Vendor drop-down list, select a vendor.
  8. From the Radius Vendor drop-down list, select a RADIUS vendor.
  9. Click Create. It takes 60-90 seconds for the process to complete.

Creating an Identity Lookup Provider

During the RADIUS authentication process, Identity Lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider. Here we will create an Identity Lookup Provider in SecureW2 so we can connect our Identity Provider to look up users, groups and their devices.

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.
  4. In the Name field, enter the name of the Identity lookup provider.
  5. In the Description field, enter the suitable description for the Identity lookup provider.
  6. From the Type drop-down list, select Google Workspace Identity Lookup.
  7. Click Save.
  8. The page refreshes and displays the Configuration, Attribute Mapping and Groups tabs.
  9. Select the Configuration tab.
  10. Under the Configuration section, provide the following information.
    1. In Client Id, enter the client ID that you retrieved from Google Workspace (refer to the Configuring Google Workspace section, step 12).
    2. In Client Secret, enter the client secret you generated in Google Workspace (refer to the Configuring Google Workspace section, step 12).

      NOTE: After updating the Identity Provider, this secret will not be retrievable. Therefore, make sure it is saved in a secure place.
    3. Click Update.
  11. Click Authorize on your new Google Workspace Identity Lookup. This will test the connection between SecureW2 and Google Workspace.

Configuring Attribute Mapping

To add a custom attribute to the IdP, perform the following steps:

  1. Navigate to Identity Management > Identity Providers.
  2. On the Identity Providers page, click the Edit link of the IdP you created earlier (refer to the Creating an Identity Lookup Provider section).
  3. Select the Attribute Mapping tab and then click Add.
  4. In the Local Attribute field, enter email as the name of the variable.
  5. From the Remote Attribute drop-down list, select User Defined and enter Email in the field that appears next to the Remote Attribute field.
  6. Click Next.
  7. Click Add.
  8. In the Local Attribute field, enter displayName as the name of the variable.
  9. From the Remote Attribute drop-down list, select User Defined and enter FirstName in the field that appears next to the Remote Attribute field.
  10. Click Next.
  11. Click Add.
  12. In the Local Attribute field, enter upn as the name of the variable.
  13. From the Remote Attribute drop-down list, select User Defined and enter Email in the field that appears next to Remote Attribute field.
  14. Click Next.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup so we can create network access policies based on the Groups a user is in. The process is the same as how you added attributes in the previous section.

  1. Navigate to Identity Management > Identity Providers.
  2. Click the Edit link on the Identity Lookup Provider created earlier (refer to the Creating an Identity Lookup Provider section).
  3. Select the Groups tab.
  4. Click Add.
  5. On the displayed page, in the Local Group field, enter the name of the group.
    NOTE: This name shows up later as your 'Group' in the JoinNow MultiOS Management Portal when we configure policies.
  6. In the Remote Group field, enter the name of your group as it is configured in the Google Workspace.
  7. Click Create.
  8. Repeat as necessary for any Group you wish to create Network Policies around.
  9. Click Update.

Configuring Policies

SecureW2 policies allow organization administrators to segment users and restrict or allow resources based on information stored in their directory entry. Since enforcement occurs at runtime, changes made to a user's permissions are propagated throughout the system immediately rather than a day or two later, as is typical with most RADIUS servers.

Configuring Account Lookup Policy

Lookup Policies are how we tie the new Identity Lookup Provider to domains. Here you create a condition that ties your domain to the new Identity Lookup Provider you just created in the previous section.

  1. Navigate to Policy Management > Account Lookup Policies.
  2. Click Add Account Lookup Policy.
  3. In the Name field, enter the name of the Account Lookup Policy.
  4. In the Display Description field, enter the suitable description for the Account Lookup Policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. Under the Conditions section, from the Identity drop-down list, select any one of the following options:
    1. Username
    2. Certificate-CommonName
    3. Certificate-SAN-UPN
    4. Certificate-SAN-Email
  9. Configure a regex that matches the values your devices present in the selected Identity field.
  10. Under the Settings tab, from the Identity Provider Lookup drop-down list, select the Google Workspace Identity Lookup you created earlier (refer to the Creating an Identity Lookup Provider section).
  11. From the Lookup Type drop-down list, select the lookup type: Auto or Custom.
  12. From the Identity drop-down list, select an option from the following:
    1. Username
    2. Certificate-CommonName
    3. Certificate-SAN-UPN
    4. Certificate-SAN-Email
    5. Certificate-SAN-DNS
    6. Client ID
    7. Computer Identity
  13. Select the Revoke On Failure checkbox.
  14. Click Update.

Configuring User Role Policy

User Role Policy for Enrollment

The first User Role Policy you need to create is one for enrollment. This is what MultiOS will use when end users are enrolling themselves for certificates. JoinNow MultiOS will not use the application you previously created in Google, but instead needs to use a separate SAML Application in Google.

Refer to one of our SAML Identity Provider configuration guides if you have not set this up already. Once you have your SAML IDP, start here:

  1. Navigate to Policy Management > Role Policies.
  2. On the Role Policies page, click Add Role.
  3. In the Name field, enter the name of the Role policy.
  4. In the Display Description field, enter the suitable description for the Role policy.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Identity Provider drop-down list, select the Identity Provider you created earlier.
  8. Click Update.

User Role Policy for Network Authentication

Next, create a User Role Policy for Network Authentication. This policy will be used by Cloud RADIUS' Dynamic Policy Engine to look up user status at the moment of authentication. Cloud RADIUS can then dynamically apply Network Policies, which need to be configured next.

  1. Navigate to Policy Management > Role Policies.
  2. On the Role Policies page, click Add Role.
  3. In the Name field, enter the name of the Role policy.
  4. In the Display Description field, enter the suitable description for the Role policy.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Identity Provider drop-down list, select the Google Workspace Identity Lookup that you created earlier (refer to the Creating an Identity Lookup Provider section).
  8. Click Update.

Group Role Policy for Network Authentication

Finally, create Role Policies for any Groups that we want to give differentiated network access. We can then leverage Cloud RADIUS’ Dynamic Policy Engine to send unique RADIUS attributes based on the Group users belong to with our Network policies.

  1. Navigate to Policy Management > Role Policies.
  2. On the Role Policies page, click Add Role.
  3. In the Name field, enter the name of the group role policy.
  4. In the Display Description field, enter the suitable description for the group role policy.
  5. Click Save.
  6. Select the Conditions tab.
  7. From the Identity Provider drop-down list, select the Google Workspace Identity Lookup you created earlier (refer to the Creating an Identity Lookup Provider section).
  8. Under Attribute/Groups, in the Groups field, select the group you want to apply this Role to. The group names that show up here are the Local Groups you configured in your Identity Lookup Provider.
  9. Click Update.

Default Fallback Role Policy

You may notice that there is a "DEFAULT FALLBACK ROLE POLICY" in your User Role policies after you create an Identity Lookup Provider.

The purpose of this policy is that if the Identity Lookup fails, the user is still allowed to authenticate to the network but is assigned a unique role.

This ensures both that users are not disconnected by a small hiccup in the connection between Google and Cloud RADIUS and that your network remains secure, since those users can be auto-assigned to a Guest VLAN.

NOTE: DEFAULT FALLBACK ROLE POLICY is by default assigned the DEFAULT NETWORK POLICY.

Configuring Network Policy

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role. A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”. You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send Access Accept. To create and configure the Network Policy, follow the steps below:

  1. Navigate to Policy Management > Network Policies.
  2. On the Network Policies page, click Add Network Policy.
  3. In the Name field, enter the name of the network policy.
  4. In the Display Description field, enter the suitable description for the network policy.
  5. Click Save.
  6. Select the Conditions tab.
  7. Click Add group and select the user role you want to assign to this network policy.
    NOTE: You can assign a network policy to multiple user roles.
  8. Click Add rule.
  9. Expand Identity and select the Role option.
  10. Expand Device and select the Device Role option.
  11. Click Save.
  12. The Role and Device Role options appear under the Conditions tab.
  13. From the Role Equals drop-down list, select the role policy you created earlier (refer the User Role Policy for Enrollment section). You can select multiple User Roles to assign to a Network Policy.
  14. Select the Settings tab.
  15. Click Add Attribute.
    1. From the Dictionary drop-down list, select an option: Radius:IETF or Custom.
    2. From the Attribute drop-down list, select an option.
    3. In the Value field, enter the appropriate value for the attribute.
  16. Click Save.
  17. Click Update.

NOTE: Repeat the process for all the attributes you want to send to the User Role.
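To make the decision chain concrete, here is an added Python model (not SecureW2's code) of how the pieces configured above fit together at authentication time: the Account Lookup Policy's regex condition selects the certificate identity, the real-time lookup decides whether the user is active (Revoke On Failure when not), Group Role Policies map Google groups to roles, the DEFAULT FALLBACK ROLE POLICY handles an unreachable IdP, and the Network Policy supplies the RADIUS attributes. All user, group and VLAN values are constructed; the precedence of group roles over the generic user role, and rejecting when no lookup policy matches, are modelling assumptions.

```python
import re

# Constructed sample data (not from the guide): Local Group names as entered in the
# Groups tab, keyed by the Remote Group name as it exists in Google Workspace.
GROUP_MAP = {"staff@example.com": "Staff", "students@example.com": "Students"}

# Constructed directory snapshot standing in for the real-time Google Workspace lookup.
DIRECTORY = {
    "alice@example.com": {"suspended": False, "groups": ["staff@example.com"]},
    "bob@example.com": {"suspended": True, "groups": ["students@example.com"]},
    "carol@example.com": {"suspended": False, "groups": []},
}

# Network Policies: Role -> RADIUS attributes. An empty dict is a plain Access-Accept,
# which is what the DEFAULT NETWORK POLICY assigned to the fallback role sends.
NETWORK_POLICIES = {
    "Staff": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
              "Tunnel-Private-Group-Id": "2"},
    "Students": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-Id": "10"},
    "Google Workspace Users": {},          # User Role Policy for Network Authentication
    "DEFAULT FALLBACK ROLE POLICY": {},
}

# Account Lookup Policy condition: Identity = Certificate-SAN-UPN, regex for our domain.
LOOKUP_CONDITION = re.compile(r"^[^@\s]+@example\.com$")

def lookup_user(upn, directory=DIRECTORY, idp_available=True):
    """Real-time lookup: returns the directory entry (None if absent); raises if IdP unreachable."""
    if not idp_available:
        raise ConnectionError("Google Workspace lookup unreachable")
    return directory.get(upn)

def authorize(san_upn, directory=DIRECTORY, idp_available=True):
    """Decide the RADIUS response for a client certificate whose SAN UPN is san_upn."""
    if not LOOKUP_CONDITION.match(san_upn):
        # Assumed behaviour: no Account Lookup Policy matched, so no lookup can be done.
        return {"result": "Access-Reject", "role": None, "attributes": {}, "revoke": False}
    try:
        entry = lookup_user(san_upn, directory, idp_available)
    except ConnectionError:
        # Hiccup between Google and Cloud RADIUS: fall back instead of disconnecting the user.
        role = "DEFAULT FALLBACK ROLE POLICY"
        return {"result": "Access-Accept", "role": role, "attributes": NETWORK_POLICIES[role], "revoke": False}
    if entry is None or entry["suspended"]:
        # Lookup reached Google but the user is gone or suspended: Revoke On Failure.
        return {"result": "Access-Reject", "role": None, "attributes": {}, "revoke": True}
    # Assumed ordering: a matching Group Role Policy wins over the generic user role.
    role = next((GROUP_MAP[g] for g in entry["groups"] if g in GROUP_MAP), "Google Workspace Users")
    return {"result": "Access-Accept", "role": role, "attributes": NETWORK_POLICIES[role], "revoke": False}
```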
