MVP
Posts: 360
Registered: ‎01-14-2010

Radius authentication against Google Apps

All,

 

A buddy of mine runs an enterprise that uses Google Apps for just about everything. They are looking to implement WPA-Enterprise across the organization and this is turning into a problem. I am only aware of one site, Cloudessa, that provides a Radius front end to a Google Apps back end.

 

Is this something that Clearpass can pull off? If not, I'd love to hear if others are authenticating against Google Apps.

 

Thanks!

 

-Mike

 

 

New Contributor
Posts: 2
Registered: ‎01-11-2013

Re: Radius authentication against Google Apps

Hi,

 

This is exactly what we do at Cloudessa

 

www.cloudessa.com

 

It is free up to 10 users - please try

Super Contributor I
Posts: 293
Registered: ‎04-03-2014

Re: Radius authentication against Google Apps

Any Aruba response to this? Is this a roadmap feature of Clearpass?

 

Best regards,

Christoffer

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
Guru Elite
Posts: 7,836
Registered: ‎09-08-2010

Re: Radius authentication against Google Apps

Where are your Google accounts sourced from? Direct into Google or synched from AD/LDAP?

 

You could use Cloudessa with ClearPass by setting up a RADIUS proxy.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 293
Registered: ‎04-03-2014

Re: Radius authentication against Google Apps

Hi!

 

Thanks for the quick reply. The accounts go straight into Google; the customer doesn't have any local directories that we could use as an authentication source.

 

Will Clearpass add any value in that kind of setup? Assuming this is the only goal for the customer.

Christoffer Jacobsson | Aranya AB
Aruba: ACMX #537 ACCP | CWNP: CWNA CWDP CWSP
Super Contributor I
Posts: 267
Registered: ‎04-04-2014

Re: Radius authentication against Google Apps

 

A few things to note about this setup:

 

1) If the customer has users using two-step verification on their Google accounts, each user will have to make an application-specific password in their Google account, and use that as their WiFi password, which more or less defeats the SSO angle.

2) Check that all the customer's devices support EAP-TTLS.  Probably won't be a problem, but the slightly more common EAP-PEAP won't work due to the way MSCHAP generates keying material.

3) Check the customer's security requirements.  They have to not mind that the service providing the RADIUS gateway into Google Apps will know their 802.1x send/receive initial keys.  If they are not using two-step, they have to not mind that the RADIUS gateway provider will know their Google password.  Also the 802.1x initial keys are only protected by an MD5 hashing scheme, but I'm guessing if they are using Google Apps they are not going to be concerned about crypto requirements to that level.

 

Having support directly in an in-house CPPM would help alleviate #3, but might hinge on a B2B arrangement between Google and Aruba to help ensure the usual Google rug-pulling doesn't happen.
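
The 802.1X keys a RADIUS server hands back to the access point travel in MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes, which RFC 2548 protects with an MD5 keystream derived from the RADIUS shared secret and the Request Authenticator. The Python below is an added example, not part of the original posts; the function names and every sample value are constructed. It shows that wrap and unwrap, and why any hop holding the shared secret (a hosted gateway, a proxy) can read the key.

```python
import hashlib

BLOCK = 16  # MD5 digest size; the key field is processed in 16-octet blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt(key: bytes, secret: bytes, request_auth: bytes, salt: bytes) -> bytes:
    """Build the attribute value (Salt + String) for an MS-MPPE key per RFC 2548."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("Salt is 2 octets with the most significant bit set")
    if len(key) > 255:
        raise ValueError("key too long for the 1-octet length field")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % BLOCK)   # zero-pad to a block multiple
    chain, out = request_auth + salt, b""
    for i in range(0, len(plain), BLOCK):
        block = _xor(plain[i:i + BLOCK], hashlib.md5(secret + chain).digest())
        out += block
        chain = block                          # next pad is MD5(secret + previous ciphertext)
    return salt + out


def mppe_decrypt(value: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the key from the attribute value, given the shared secret."""
    salt, cipher = value[:2], value[2:]
    if not cipher or len(cipher) % BLOCK:
        raise ValueError("String must be a non-empty multiple of 16 octets")
    chain, plain = request_auth + salt, b""
    for i in range(0, len(cipher), BLOCK):
        plain += _xor(cipher[i:i + BLOCK], hashlib.md5(secret + chain).digest())
        chain = cipher[i:i + BLOCK]
    key_len = plain[0]
    if key_len > len(plain) - 1:
        raise ValueError("implausible key length (wrong shared secret?)")
    return plain[1:1 + key_len]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))
    key = bytes(range(100, 132))               # stand-in for a 32-octet key
    wrapped = mppe_encrypt(key, secret, req_auth, b"\x80\x01")
    print(wrapped.hex(), mppe_decrypt(wrapped, secret, req_auth) == key)
```

The only secret input to the keystream is the RADIUS shared secret, so protecting the RADIUS leg itself (a long random secret per NAS, and a tunnel such as RadSec or IPsec when the traffic crosses the Internet) is what keeps these keys private in transit.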

 

 
