Using Google Apps for WiFi Authentication

If your organization is like many businesses, you are moving your productivity tools — including email, word processing, and spreadsheets — to the cloud, enabling workers to get work done from anywhere on any device. One of the most popular cloud-based productivity suites is Google Apps, with over 5 million businesses now using it.

To set up Google Apps, you must establish a Google Apps domain, and set up users with credentials that govern how they access enterprise resources stored on your Google App domain; these usernames, passwords, and group assignments are stored by Google in the cloud.

With the increasing importance of WiFi access in the enterprise — to enable employee, BYOD, and visitor access — if you’ve migrated to Google Apps, you are no doubt looking for a way to use these same Google Apps credentials to authorize WiFi access.

Now, with Cloudessa RADIUS, you can.

Re-Use Google Apps Credentials for WiFi Access Security

Cloudessa RADIUS manages and secures all WiFi, BYOD, and VPN access to your network. It authenticates users who are accessing your network against a back-end database of usernames and passwords and configures their connection to the network.

With Cloudessa RADIUS, you can authenticate users against back-end systems such as Active Directory, SQL, LDAP — and now the cloud store of usernames and passwords that govern access to Google Apps.

This means you will never need to set up and maintain a separate database of usernames and passwords for WiFi network access; instead, WiFi users can connect to the network with the same usernames and passwords they use to access Google Apps — saving you time, money, and administrative hassle.

What’s more, in addition to its compatibility with Google Apps, Cloudessa RADIUS provides the administrative flexibility you need to support different types of WiFi users on your network who may have different security requirements.

Authentication Options: WPA 2 / 802.1X or Captive Portal

With Cloudessa RADIUS, you can authenticate users to your WiFi network using either WPA 2 / 802.1X or Captive Portal access security.

  • To set up secure employee WiFi access, or WiFi access in healthcare (HIPAA), financial services (SOX), and other regulated environments, best practices mandate the use of WPA2 and 802.1X-based access security. These industry-standard security protocols provide secure user authentication and data security.
  • To set up student / customer / guest WiFi access, where security concerns are generally less stringent, WiFi access via captive portal (browser-based login) provides convenient access

GoogleApps-enterprise-oauth_C

Cloudessa RADIUS supports both WPA2 / 802.1X and Captive Portal-based authentication against Google Apps, Active Directory or LDAP user stores.

The following sections describe how to configure Cloudessa RADIUS to authenticate WiFi users against your Google cloud store of usernames and passwords in both an 802.1X environment and a captive portal environment.

WPA2 / 802.1X Authentication

When using 802.1X-based WiFi security, you can either 1) authenticate users to the network using username and password credentials; or 2) issue X509 certificates to your Google Apps users and authenticate on that basis. Authenticating based on usernames and passwords requires the use of the EAP-TTLS authentication protocol; authenticating based on certificate requires the use of the EAP-TLS authentication protocol.

EAP-TTLS Authentication

To authenticate WiFi users against Google Apps domain account user names and passwords, you must use EAP-TTLS / PAP (Extensible Authentication Protocol with Tunneled Transport Layer Security / Password Authentication Protocol); using these protocols ensures a secure passage of the account credentials fromt he user device to the network and then to Google for authentication and authorization.

In this scenario, EAP-TTLS must be the outer authentication protocol, while PAP must be used as the inner authentication protocol.

The authentication flow proceeds as follows:

  • EAP-TTLS / PAP first authenticates the connection between the WiFi AP (the “Authenticator” or RADIUS Client) and the RADIUS server and sets up a trusted secure EAP-TTLS tunnel between the Authenticator and the RADIUS server.
  • Once the EAP-TTLS tunnel is established between the client and the RADIUS server, the client will send authentication credentials as PAP protocol messages within the encrypted EAP-TTLS tunnel. The credentials pass through the AP in encrypted form. The RADIUS server will then receive the credentials and pass them to Google Apps cloud service for verification.

Most modern mobile devices and operating systems support EAP-TTLS/PAP natively; you may need to install an 802.1X supplicant on older devices to gain support for EAP-TTLS.

802.1X Supplicants

The following operating systems all include 802.1X supplicants and support EAP-TTLS and PAP:

  • Apple, iOS version 3.1.3 and higher and MAC OS
  • Android v2.1 and higher
  • Google Chrome OS (for Chromebooks)
  • Microsoft Windows v8+ (note: Windows Mobile does not support EAP-TTLS)
  • Blackberry 6A+

You can automate user supplicant configuration through the use of profile creation tools (e.g., iOS Profiles) and scripting.

Alternatively, SecureW2’s JoinNow MultiOS is a wireless security deployment platform that includes a client with support for a full range of Extensible Authentication protocols (EAP) including EAP-TTLS/PAP.

Please visit www.cloudessa.com/support for detailed information about configuring the various supplicants for EAP-TTLS / PAP, profiling and scripting tips, and the latest information about other operating systems.

Note also that EAP-TTLS/PAP is supported by many wired Layer 2 switches, Layer 2/3 gateways, and VPN devices; accordingly, you can use Cloudessa to authenticate wired users to the network using Google Apps.

EAP-TLS Authentication

In lieu of user names and passwords, you can opt to issue X509 certificates to your Google Apps users and use them with EAP-TLS protocol for user authentication.

EAP-Transport Layer Security (TLS) is used in certificate-based security environments, providing mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server.

To enable the use of certificate credentials in a WPA2-compliant manner, a signed certificate must first be in the certificate store on the mobile device, and then the user must present that certificate during the WiFi authentication process using a EAP-TLS supplicant.

EAP-TLS is supported on all Android, Windows, iOS and OS X platforms and does not require installation of any additional client software.

Cloudessa Certificate Creation Tool

To facilitate the creation and distribution of Certificates signed by Google Apps, Cloudessa has created a Certificate Creation Utility that you can use to easily create certificates on behalf of your Google Apps users. The tool lets you import user names and email addresses, generate signed certificates, and automate the process of sending the certificates to users via email for easy insertion into the certificate store on their device(s).

The users install the certificates by simply clicking the link inside the email. During the EAP-TLS based authentication, the certificate is validated, and the email address of the certificate owner is checked against a listing of current Google Apps domain users maintained in the Cloudessa native database which is regularly synched with Google Apps.

When a user is deleted in Google Apps, the user certificate is revoked.

Cloudessa also provides an interface to revoke installed certificates and generate new ones when required, for example when a user loses his mobile device.

Note also that EAP-TLS is supported by many wired Layer 2 switches, Layer 2/3 gateways, and VPN devices; accordingly, you can use Cloudessa to authenticate wired users to the network using Google Apps.

Captive Portal Authentication

You can also enable access to your network via the Cloudessa Captive Portal Cloud Service.  With a captive portal, a user accessing the WiFi network is redirected to a web-based portal page, and prompted to enter Google authentication credentials. This method does not require installation of any additional client software.

Cloudessa Captive Portal is based on the Universal Access Method (UAM) protocol, which is supported by all major enterprise access point manufacturers.

Cloudessa’s support for the exchange of Google Apps Credentials via a Captive Portal browser-based login is based on OAuth (Open Standard for Authorization). OAuth provides a standard method for end users to authorize third parties like Cloudessa to access Google on their behalf without sharing their credentials, using user-agent redirections.

Another benefit of the Cloudessa Captive Portal is that when users log in using Google Apps credentials, Google stores a single-sign-on cookie in their browsers. This then enables them to seamlessly access Google Apps resources such as GMail, Google Docs and Google Drive without the need to further authenticate to Google, saving time and improving user experience.