BYOD Wi-Fi with Google authentication
02-06-2020 10:04 AM - edited 02-06-2020 10:08 AM
I currently have an employee Wi-Fi that uses dot1x EAP-TLS and a BYOD for students that uses dot1x with Active Directory accounts for authentication.
We'd really like to get the students away from Active Directory accounts.
What way do you think is the best way to set this up? I was reading an Aruba document called "onboard and cloud identity providers."
Do I have to use the Onboarding and Guest modules to authenticate with Google? Is there another way to use 802.1x with Google authentication?
Re: BYOD Wi-Fi with Google authentication
02-14-2020 08:03 AM
For a production 802.1X network - there is an LDAP integration with Google for companies, but not for personal use: https://blogs.arubanetworks.com/solutions/utilizing-googles-new-cloud-identity-secure-ldap-service-with-aruba-clearpass/
For personal use, there is a social login option on Guest (doesn't require OnBoard) to leverage a personal Google account to log in with (SAML/OAuth2 w/ Token).
For students, you may want to have them leverage a ClearPass Guest Login Page (HTTPS) and leverage the Google login. You can then cache their MAC for the school year so they would only need to log in once a year on each particular device.
The obvious risk is then they would be associating to an open network (as opposed to a network with AES encryption) so it does pose some risks depending on what those students are accessing (non-secured sites). You could alternatively use PSK + the Guest login to track who the user is to the device (attach the login email as an attribute to the MAC). At that point it's a bit complicated though too.