GOOGLE APPS AUTHENTICATION
User Names & Passwords: EAP–TTLS Option
To authenticate users to the WiFi network using their Google Apps domain account user names and passwords requires using EAP–TTLS / PAP (Extensible Authentication Protocol with Tunneled Transport Layer Security / Password Authentication Protocol.
To securely pass the users account credentials from the user device to the network and over to Google for authentication and authorization, EAP–TTLS / PAP first authenticates the connection between the WiFi AP (the "Authenticator" or RADIUS Client) and the RADIUS server and sets up a trusted secure tunnel between the Authenticator and the RADIUS server.
EAP–TTLS then sets up a second “inner” encrypted tunnel for secure transport of the users credentials, so that the intermediaries to the authentication process (the AP and the RADIUS server) are only passing encrypted users credentials.
Within the secure “inner” tunnel, a second authentication protocol, PAP (Password Authentication Protocol), is used to transport the end users credentials. To authenticate a user using their Google Apps user name and password, EAP–TTLS must be the outer authentication, while PAP must be used as the inner authentication protocol.
To use EAP–TTLS / PAP requires the use of an 802.1X supplicant.
The following Operating Systems all include 802.1X supplicants and support EAP– TTLS and PAP: Apple, iOS version 3.1.3 and higher and MAC OS; Android v2.1 and higher and Google Chrome OS (for Chromebooks); Microsoft Windows v8+ (note: Windows Mobile does note support EAP–TTLS; and Blackberry 6A+.
Administrators can automate user supplicant configuration through the use of profile creation tools (ie: iOS Profiles) and scripting.
Alternatively, SecureW2’s “JoinNow MultiOS” is a wireless security deployment platform that includes a client with support for a full range of Extensible Authentication protocols (EAP) including EAP–TTLS/PAP. See www.securew2.com.
Please visit www.cloudessa.com/support for detailed information about configuring the various supplicants for EAP–TTLS / PAP, profiling and scripting tips, and the latest information about other operating systems.
Certificates – EAP–TLS Option
In lieu of user names and passwords, Google Apps domain owners can opt to issue X509 certificates to their Google Apps users and use them with EAP–TLS protocol for user authentication.
EAP–Transport Layer Security (TLS) is used in certificate–based security environments, providing mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server.
To enable the use of certificate credentials in a WPA 2 compliant manner, the signed certificate must first be in the certificate store on the mobile device, and then the user must present that certificate during the WiFi authentication process using a EAP–TLS supplicant.
Cloudessa provides a functionality to create and sign certificates, as well as to email certificate–installation links to users. The users install the certificates by simply clicking the link inside the email. During the EAP–TLS based authentication, the certificate is validated, and the email address of the certificate owner is checked against a listing of current Google Apps domain users maintained in the Cloudessa native database.
When a user is deleted in Google Apps, the user certificate is revoked.
In case when a mobile device is lost Cloudessa provides an interface to revoke the certificate installed on the lost device and generate a new certificate for the user.
Cloudessa Certificate Creation Tool
To facilitate the creation and distribution of Certificates signed by Google Apps, Cloudessa has created a Certificate Creation Utility, that administrators can use to easily create certificates on behalf of their Google Apps users.
The tool enables the importing of user names and email addresses, the generation of signed certificates, and it automates the process of then sending the certs to user via email for easy insertion into the certificate store on their device(s).
Captive Portal Option
With the Cloudessa Service, you can also authenticate Captive Portal users using Google Apps.
Please see the Captive Portal section of this manual for how to configure browser based logins against Google Apps.
For supplemental information regarding using Google Apps credentials to the WiFi network, please see the Support FAQ section on cloudessa.com.