Implement 802.1X for Managed Chromebooks
Enrolling and authenticating devices has become a major concern, especially given the number of devices that need to be managed. With cyber security crime on the rise, it has become even more important for organizations to find a viable way to handle the devices on their network, including managed Chromebooks. Let's take a look at the different ways to handle network security for managed Chromebooks and which of them is the best way to manage their security.
What is 802.1X?
The standard protocol used to authenticate a user trying to access a network is 802.1X. It is the IEEE standard for Port-Based Network Access Control (PNAC) and helps secure your network by authenticating users before they are admitted to a port. An 802.1X network uses an authentication server, called a RADIUS or AAA server. RADIUS verifies the digital credentials or certificates to determine whether a user is authorized to access the network, looking up the organization's directories (primarily over LDAP or SAML) to confirm that the user is still active in the organization. It grants access taking into consideration factors such as network policies and the security groups a user belongs to, so that each user has access only to the level of information required to perform their specific role. 802.1X allows the use of individual digital credentials or certificates for each user instead of one shared credential for the whole network, making the network more secure.
The Extensible Authentication Protocol (EAP) is the standard protocol used to send identifying information over the air in a secure way for authentication into a network. EAP can be configured with different methods. The three most widely used are EAP-TTLS/PAP, PEAP-MSCHAPv2, and EAP-TLS. The first two use credentials to authenticate a user, while EAP-TLS uses certificates to validate the identity of a user.
EAP-TTLS/PAP is the authentication method that uses a server certificate to identify the network and credentials to authenticate a user trying to access it. It is not considered the safest method, because configuring EAP-TTLS/PAP requires high-level IT skills to understand and implement. However, the biggest vulnerability of this WPA2-Enterprise Wi-Fi authentication method is that it transmits credentials in plain text, and so it carries with it all the challenges of password management.
PEAP-MSCHAPv2 uses login IDs and passwords to authenticate users trying to access the network. This is definitely the biggest disadvantage of the method.
The use of credentials, that is, login IDs and passwords, has many flaws that can make your network vulnerable. One of the major issues with using credentials for authentication is that they can easily be stolen (both physically and over the air) or shared, which can compromise a network. Over the recent past, we have witnessed multiple cyber attacks that further strengthen the argument that passwords are not secure. Password management is also time- and resource-consuming, which makes for a very poor user experience.
Considered the gold standard of network security, EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) uses certificates to authenticate users requesting entry to a network. This method enables the use of X.509 digital certificates for authentication and requires server certificate validation which means both server and user validation are done using certificates before accessing a network.
This method of authentication is the most secure primarily because it uses certificates to authenticate. Certificates are considered solid identity contexts, as they cannot be transferred, stolen, or replicated. Your network visibility is enhanced, too, because the certificates are closely tied to the devices. The user experience of EAP-TLS is much better than that of the other two methods, because it is the fastest of the three. By using 802.1X certificates instead of passwords, this method eliminates the problems related to password management.
Passwords require a lot of effort, such as remembering them and changing them periodically. With certificates, the whole authentication process is automated, making it much faster and leaving no scope for human error. Lastly, unlike passwords, which have to be changed manually and periodically, certificate validity can be set in years, and with a managed cloud RADIUS like SecureW2, certificate lifecycle management for your organization can be completely automated for both MDM-managed and unmanaged devices.
How to Onboard Chromebooks for 802.1X
Configuring managed Chromebooks manually can be a tedious task that requires a lot of man-hours from an IT organization. Managing the lifecycle of certificates and monitoring them so they are renewed before they expire can also take up a lot of time and resources. With SecureW2's automated device onboarding solutions for MDM, you can automate the whole process of device enrollment and identity-based authentication for your managed Chromebooks. Enrolling your managed Chromebooks with certificates can now be done with no end-user interaction, making it completely automatic. With just a few clicks, you can push auto-enrollment to all your managed Chromebooks and manage the entire lifecycle of their certificates. Here is a brief overview of how to onboard your managed Chromebooks with SecureW2 solutions.
Configure Managed Device Gateway in SecureW2
To get started with the auto-enrollment of Chromebooks, you will first have to create an Identity Provider (IDP) in the SecureW2 Management Portal for Google Verified Access. With SecureW2, setting up the Gateway APIs that let your managed devices enroll themselves for certificates automatically is very easy.
Once your network profile is generated, you can edit its settings to define whether you want the certificates issued to the user of the device or to the device itself. You can also enforce network policies and define the network access level for the certificates by mapping your IDP to look up a user or a machine at the time of authentication, as well as to assign user roles.
Configure Google Admin for Chromebook Certificate Enrollment
The Google Admin Console allows admins to manage all their G-Suite services from one central point. This is where you configure the access that enables device certificate enrollment. You will need to grant access to the SecureW2 service account and configure the settings so that Chromebooks presenting Verified Access tokens are authenticated before they proceed with certificate enrollment.
Our servers validate the Verified Access token sent by each Chromebook requesting enrollment against Google, to confirm that the device identity matches the token. This step is completely automated, with no end-user interaction.
Additionally, the SecureW2 support team will work with you to implement the following processes.
- Create a custom JSON policy file to push to your managed Chromebooks so they enroll themselves for Wi-Fi certificates.
- Configure the JoinNow MultiOS extension ID in Google Admin, which is needed to install and push the JoinNow Chrome extension for certificate auto-enrollment.
- Enforce the SecureW2 Certificate Auto-Enrollment Extension for seamless enrollment.
- Export the trusted root and intermediate Certificate Authority certificates.
- Configure the RADIUS server certificate's issuer CA chain from the Google Admin Console.
- Configure and push the appropriate Wi-Fi settings so your devices use the newly enrolled certificate for 802.1X certificate-based Wi-Fi authentication.
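As an added illustration (not SecureW2's own policy file or the exact settings the support team pushes), this ONC (Open Network Configuration) JSON shows what the Wi-Fi settings from the last two steps look like for EAP-TLS: the client certificate is selected by its issuing CA, and the RADIUS server certificate is validated only against the pinned issuer chain rather than the system CA store. The SSID, GUIDs and the base64 certificate values are placeholders.

```json
{
  "Type": "UnencryptedConfiguration",
  "NetworkConfigurations": [
    {
      "GUID": "{PLACEHOLDER-WIFI-PROFILE-GUID}",
      "Name": "CORP-SECURE-PLACEHOLDER",
      "Type": "WiFi",
      "WiFi": {
        "SSID": "CORP-SECURE-PLACEHOLDER",
        "Security": "WPA-EAP",
        "AutoConnect": true,
        "HiddenSSID": false,
        "EAP": {
          "Outer": "EAP-TLS",
          "Identity": "${CERT_SAN_UPN}",
          "ClientCertType": "Pattern",
          "ClientCertPattern": {
            "IssuerCARef": ["{PLACEHOLDER-ISSUING-CA-GUID}"]
          },
          "ServerCARefs": ["{PLACEHOLDER-RADIUS-ROOT-CA-GUID}"],
          "UseSystemCAs": false,
          "SaveCredentials": true
        }
      }
    }
  ],
  "Certificates": [
    {
      "GUID": "{PLACEHOLDER-RADIUS-ROOT-CA-GUID}",
      "Type": "Authority",
      "X509": "BASE64_DER_OF_RADIUS_SERVER_ISSUER_ROOT_CA_PLACEHOLDER"
    },
    {
      "GUID": "{PLACEHOLDER-ISSUING-CA-GUID}",
      "Type": "Authority",
      "X509": "BASE64_DER_OF_CLIENT_CERT_ISSUING_CA_PLACEHOLDER"
    }
  ]
}
```

The "Certificates" entries are the exported root and intermediate CAs from the earlier steps; "UseSystemCAs": false together with "ServerCARefs" is what prevents a Chromebook from accepting a RADIUS server certificate issued by any public CA, and "ClientCertType": "Pattern" lets the device pick the enrolled certificate automatically once it is issued.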
We can easily integrate our solutions with your existing infrastructure, such as your current RADIUS server. Our vendor-neutral solutions can be implemented with any major Wi-Fi vendor's equipment. If you do not have a RADIUS server or any other infrastructure, SecureW2 has its own Cloud RADIUS server that is built for EAP-TLS 802.1X authentication. Our PKI solutions are natively integrated with cloud directories like Google Workspace and Azure AD, making the authentication process secure and fast.
Our RADIUS servers do a direct look-up in your cloud directory at the time of authenticating a user to verify that they are current and active in your organization. Click here for a detailed guide to configuring the auto-enrollment of Chromebooks for 802.1X certificates with SecureW2.
802.1X for K12 Chromebook Fleets
K-12 school districts have traditionally had access to large databases of sensitive financial and personally identifiable information (PII) that need strong network security to protect. School districts are now also rapidly adding eLearning and other digital platforms to their curriculum to enhance the educational experience. Additionally, school networks are accessed by many types of devices, from BYOD/unmanaged devices, including gaming consoles, to managed devices like managed Chromebooks or university-owned devices.
They therefore require a robust network security solution that helps them control and monitor all these different types of devices seamlessly. With EAP-TLS and 802.1X certificates, K-12 school districts can now manage their network security across campuses dynamically, with greater ease and less burden on their IT department.
SecureW2's 802.1X solutions for managed Chromebooks come with a wide range of features that help make your cyber security unbreachable. We provide solutions for K-12 that help you achieve the following goals.
- Enable role-based access control by customizing landing pages for different types of access.
- Facilitate seamless configuration and use of roaming platforms like Eduroam and Educause.
- Fast configuration and authentication of 802.1X certificates thanks to native integration with cloud directories.
- Access connection reporting, device analytics, and the ability to troubleshoot remotely.
- Generate reports on onboarding logs and RADIUS logs for better control and monitoring of devices.
- Easy onboarding of BYOD devices with our BYOD Onboarding Solutions.
The first step to developing impenetrable network security is to determine the best combination of available network security solutions that can be implemented. An enterprise network is most secure when EAP-TLS authentication is enabled and access is determined by combining network policies and conditional access policies with a cloud directory look-up that verifies the user is still active. Secure your managed Chromebooks with 802.1X for better network security in your K-12 school district. Take a look at how one of our customers has successfully implemented 802.1X for their managed Chromebooks.