Occasional Contributor II
Posts: 29
Registered: ‎07-18-2011

Can ClearPass base enforcement off of Google Apps OU?

Is there support for ClearPass to integrate with Google Apps? I have a K-12 customer who is hoping to authenticate faculty, staff and students against their Google Apps setup and distinguish their role by their OU within Google. Faculty and staff have AD accounts, but students do not so AD is not going to be an option. 

Guru Elite
Posts: 8,766
Registered: ‎09-08-2010

Re: Can ClearPass base enforcement off of Google Apps OU?

Web authentication I assume? 

The orgUnitPath will come through in the social_vip attribute for the endpoint.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,530
Registered: ‎03-29-2007

Re: Can ClearPass base enforcement off of Google Apps OU?


trandall wrote:

Is there support for ClearPass to integrate with Google Apps? I have a K-12 customer who is hoping to authenticate faculty, staff and students against their Google Apps setup and distinguish their role by their OU within Google. Faculty and staff have AD accounts, but students do not so AD is not going to be an option.


Is this Google Apps for Business or Google Apps for Education (you said K-12, but I want to make sure)?



Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 29
Registered: ‎07-18-2011

Re: Can ClearPass base enforcement off of Google Apps OU?

It is Google Apps for Education.

Occasional Contributor II
Posts: 29
Registered: ‎07-18-2011

Re: Can ClearPass base enforcement off of Google Apps OU?

We would like to do RADIUS with Google Apps as the authentication source. 

Guru Elite
Posts: 8,766
Registered: ‎09-08-2010

Re: Can ClearPass base enforcement off of Google Apps OU?

What authentication method are you looking to use? 802.1X? Web authentication? 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 29
Registered: ‎07-18-2011

Re: Can ClearPass base enforcement off of Google Apps OU?


cappalli wrote:
What authentication method are you looking to use? 802.1X? Web authentication? 

802.1X would be the preferred method.

Guru Elite
Posts: 8,766
Registered: ‎09-08-2010

Re: Can ClearPass base enforcement off of Google Apps OU?

The only supported 802.1X method directly off of Google Apps would be EAP-TTLS and would require a proxy to a FreeRADIUS server running an OAuth2 authenticator. EAP-TTLS also requires significant client configuration across platforms.

The recommendation would be EAP-TLS using Onboard. The users would authenticate with their Google Apps credentials on the web portal during Onboarding. 

If you don't want to use Onboard, your only option for direct Google Apps authentication would be web authentication with MAC-caching. 

If you have the user accounts synced to a local directory server (AD/LDAP), you can leverage EAP-PEAP or EAP-TTLS, both of which would be considered fairly insecure in an unmanaged environment.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 29
Registered: ‎07-18-2011

Re: Can ClearPass base enforcement off of Google Apps OU?


Thanks, Tim. That's exactly the info I needed.

Does this support Google Apps for Education or only Google Apps for Business? Thanks.


cappalli wrote:
The only supported 802.1X method directly off of Google Apps would be EAP-TTLS and would require a proxy to a FreeRADIUS server running an OAuth2 authenticator. EAP-TTLS also requires significant client configuration across platforms.

The recommendation would be EAP-TLS using Onboard. The users would authenticate with their Google Apps credentials on the web portal during Onboarding. 

If you don't want to use Onboard, your only option for direct Google Apps authentication would be web authentication with MAC-caching. 

If you have the user accounts synced to a local directory server (AD/LDAP), you can leverage EAP-PEAP or EAP-TTLS, both of which would be considered fairly insecure in an unmanaged environment.

Guru Elite
Posts: 8,766
Registered: ‎09-08-2010

Re: Can ClearPass base enforcement off of Google Apps OU?

They both can use OAuth2 and SAML so both should work.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480