RADIUS Authentication with Google Workspace

To achieve secure passwordless network authentication, Cloud RADIUS uses Digital Certificates as it’s primary form of authentication. This guide will detail how to enroll Google Workspace users/devices for certificates, so they can use them to authenticate against Cloud RADIUS. 

Integration Process Overview

1. Create a SAML Identity Provider in SecureW2
2. Configure the SAML IDP in Google Admin Console
   • The SAML Identity Provider provides context concerning who is connected to the network and ensures that only approved network users are authenticated.
3. Configure Attribute Mapping
   • Set specific attributes to segment the network into groups based on their identity within the organization.
4. Configure Network Policies to be Distributed
   • Based on these network policies, administrators can dictate the websites, applications, files, and more that different network user segments are able to access.
5. Setup RADIUS Lookup
   1. We can create an OAuth application in Cloud RADIUS to perform a real-time lookup with Google Workspace. This will allow us to perform an additional security check, as well as revoke certificates and network access in real-time. 

Getting Started

The Getting Started Wizard creates everything you need for 802.1x. It will generate a RADIUS Server, Network Profiles, a Landing Page for Device Onboarding, and all the default network settings you will need for 802.1x.

NOTE: If you have already configured SecureW2 for your network, you may skip this step.

1. Navigate to Device Onboarding > Getting started.
2. Configure the settings as shown in the following screen.
3. Keep all the settings the same, except the following:
   a. SSID: Change this to the SSID name you wish to authenticate users with.
   b. Wireless Vendor: Change this to your Wireless Infrastructure Vendor.
4. The Getting Started wizard typically takes 60-90 seconds to create everything required, so please be patient before moving on to the next steps.

Create an Identity Lookup Provider

During the RADIUS authentication process, Identity Lookup validates that a user is active within the organization by checking the identifying information against the existing users in the Identity Provider. Here we will create an Identity Lookup provider in SecureW2 so we can connect our Identity Provider to lookup users, groups and their devices.

1. Navigate to Identity Management > Identity Providers.
2. Click Add Identity Provider.
3. Enter the Name and Description in the respective fields.
4. Select Type as Identity Lookup Provider: GSuite Identity Provider.
5. Click Save. The page refreshes and the Configuration, Attribute Mapping, and Groups tabs appear.
6. Under the Configuration tab provide the following information:
   • In Client ID, enter the client ID that you retrieved from Google Workspace.
   • In Client Secret, enter the client secret you generated in Google Workspace and saved in a secure place.
     • NOTE: After updating the Identity Provider, this secret will not be retrievable. Therefore, make sure this is saved in a secure place.
   • Click Update.
7. Click Authorize on your new GSuite Identity Lookup. This will test the connection between SecureW2 and Google Workspace.

Adding Attributes

To add a custom attribute to the IDP, perform the following steps:

1. In the Attribute Mapping tab, click Add. The following screen appears.
2. In Local Attribute, enter a name for the attribute. This will just be how your attribute will be referred to in the Management Portal. You can name it anything you wish. In Default field, enter a description of the attribute.
3. In the Remote Attribute field, select USER_DEFINED. Enter the value you want SecureW2 to receive from Google.
   • NOTE: UPN is a mandatory attribute, so make sure you at least have one attribute that contains UPN in the Remote Attribute field.
4. Click Next to create the custom attribute with the appropriate mapping.
5. Repeat the steps if you want to create more attributes.

Configuring Groups

Cloud RADIUS can perform a User Group Lookup so we can create network access policies based off of the Groups a user is in. The process is the same as how you added attributes in the previous section.

1. Under the Groups tab, click Add.
   • Create any name for Local Group. This name will be what shows up later as your Group in the SecureW2 Management Portal when you configure policies.
   • In Remote Group enter the name of your Group as it is configured in Google Workspace.
   • Click Create.
2. Click Update.
3. Repeat as necessary for any Group you wish to create Network Policies around.

Configure WPA2-Enterprise Network Policy Settings

The purpose of a Network Policy is to specify how Cloud RADIUS will authorize access to a particular User Role.

A typical Network Policy would say something like: “If User Role = Staff, authorize access and assign them to VLAN 2”.

You can configure any RADIUS Attribute to be sent to the wireless controller. If you leave the attribute section blank, it will just send Access Accept. To create and configure the Network Policy, follow the steps below:

1. Navigate to Policy Management > Network.
2. Click Add Network Policy.
3. Enter a Name.
4. Click Save.
5. Under the Conditions tab, select the User Role you want assigned this Network Policy to.
   • You can select multiple User Roles to assign a Network Policy to.
6. Under the Settings tab, click Add Attribute.
   • Select the Attribute you wish to send to the wireless controller.
   • In Value, enter the appropriate value for your attribute.
   • Click Update.
     • Repeat as necessary for all the attributes you want to send for your User Role.

Configuring RADIUS Lookup for Google Users

Now that we’ve set up certificate enrollment using our Google Credentials, we can additionally set up RADIUS Lookup with Google for ultra-secure network authentication. If you’d like to learn how to create ultra-secure network segmentation with real-time lookup data, reach out to us today and we’d be happy to demo the solution for you.