Security

Is there support for ClearPass to integrate with Google Apps? I have a K-12 customer who is hoping to authenticate faculty, staff and students against their Google Apps setup and distinguish their role by their OU within Google. Faculty and staff have AD accounts, but students do not so AD is not going to be an option. 

Web authentication I assume? 

The orgUnitPath will come through in the social_vip attribute for the endpoint.

We would like to do RADIUS with Google Apps as the authentication source. 

What authentication method are you looking to use? 802.1X? Web authentication? 

---

@cappalli wrote:
What authentication method are you looking to use? 802.1X? Web authentication? 

---

802.1X would be the preferred method.

The only supported 802.1X method directly off of Google Apps would be EAP-TTLS and would require a proxy to a Free RADIUS server running an Oauth2 authenticator. EAP-TTLS also requires significant client configuration cross platforms. 

The recommendation would be EAP-TLS using Onboard. The users would authenticate with their Google Apps credentials on the web portal during Onboarding. 

If you don't want to use Onboard, your only option for direct Google Apps authentication would be web authentication with MAC-caching. 

If you have the user accounts synced to a local directory server (AD/LDAP), you can leverage EAP-PEAP or EAP-TTLS. Both of which would be considered fairly insecure in an unmanaged environment. 

Thanks, Tim. That's exactly the info I needed.

 

Does this support Google Apps for Education or only Google Apps for Business? Thanks.

---

@cappalli wrote:
The only supported 802.1X method directly off of Google Apps would be EAP-TTLS and would require a proxy to a Free RADIUS server running an Oauth2 authenticator. EAP-TTLS also requires significant client configuration cross platforms. 

The recommendation would be EAP-TLS using Onboard. The users would authenticate with their Google Apps credentials on the web portal during Onboarding. 

If you don't want to use Onboard, your only option for direct Google Apps authentication would be web authentication with MAC-caching. 

If you have the user accounts synced to a local directory server (AD/LDAP), you can leverage EAP-PEAP or EAP-TTLS. Both of which would be considered fairly insecure in an unmanaged environment. 

---

 

They both can use Oauth2 and SAML so both should work. 

Hi Tim,

 

Would you mind sharing where I might find some more detail on EAP-TLS / OnBoard / Google Apps Web Portal? I have access to Arubapedia and ASE but dotn see much for reference. 

 

I am not sure I understand how I would present a Google Education login during the OnBoarding process. 

 

This would be very beneficial to a few of our customers!

 

Thanks

In your provisioning profile Web Login configuration, enable social providers and then select Google Apps from the dropdown and follow the instructions to get eveyrthign configured.

Thanks Tim. It looks like it uses SAML iDP. I will start researching. 

The social login method should be using OAuth2.

---

@trandall wrote:

Is there support for ClearPass to integrate with Google Apps? I have a K-12 customer who is hoping to authenticate faculty, staff and students against their Google Apps setupGoo and distinguish their role by their OU within Google. Faculty and staff have AD accounts, but students do not so AD is not going to be an option. 

---

Is this Google Apps for Business or Google Apps for Education (you said K-12, but I want to make sure)..

It is Google Apps for Education.