Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Radius authentication against Google Apps

This thread has been viewed 8 times

  • 1.  Radius authentication against Google Apps

    Posted Dec 10, 2012 02:17 PM

    All,

     

    A buddy of mine runs an enterprise that uses Google Apps for just about everything. They are looking to implement WPA-Enterprise across the organization and this is turning into a problem. I am only aware of one site, Cloudessa, that provides a Radius front end to a Google Apps back end.

     

    Is this something that Clearpass can pull off? If not, I'd love to hear if others are authenticating against Google Apps.

     

    Thanks!

     

    -Mike

     

     



  • 2.  RE: Radius authentication against Google Apps

    Posted Jan 11, 2013 12:26 PM

    Hi,

     

    This is exactly what we do at Cloudessa

     

    www.cloudessa.com

     

    It is free up to 10 users - please try



  • 3.  RE: Radius authentication against Google Apps

    Posted Jun 27, 2014 09:09 AM

    Any Aruba response to this? Is this a roadmap feature of Clearpass?

     

    Best regards,

    Christoffer



  • 4.  RE: Radius authentication against Google Apps

    EMPLOYEE
    Posted Jun 27, 2014 09:12 AM

    Where are your Google accounts sourced from? Direct into Google or synched from AD/LDAP?

     

    You could use Cloudessa with ClearPass by setting up a RADIUS proxy.



  • 5.  RE: Radius authentication against Google Apps

    Posted Jun 27, 2014 09:21 AM

    Hi!

     

    Thanks for the quick reply. The accounts go straight into google, the customer doesn't have any local directories that we could use as an authentication source. 

     

    Will Clearpass add any value in that kind of setup? Asuming this is the only goal for the customer.



  • 6.  RE: Radius authentication against Google Apps

    Posted Jun 28, 2014 12:47 AM

     

    A few things to note about this setup:

     

    1) If the customer has users using two-step verification on their google accounts, each user will have to make an application-specific password in their google account, and use that as their WiFi password, which more or less defeats the SSO angle.

    2) Check that all the customer's devices support EAP-TTLS.  Probably won't be a problem, but the slightly more common EAP-PEAP won't work due to the way MSCHAP generates keying material.

    3) Check the customer's security requirements.  They have to not mind that the service providing the RADIUS gateway into google apps will know their 802.1x send/receive initial keys.  If they are not using two-step, they have to not mind that the RADIUS gateway provider will know their google password.  Also the 802.1x initial keys are only protected by an MD5 hashing scheme, but I'm guessing if they are using google apps they are not going to be concerned about crypto requirements to that level.

     

    Having support directly in an in-house CPPM would help alleviate #3, but might hinge on a B2B arrangement between Google and Aruba.to help ensure the usual Google rug-pulling doesn't happen.