If the cybersecurity community could be compared to a court, the jury has reached its verdict: it’s time to move past outdated pre-shared keys as a means of network authentication. What’s more, backing your network authentication with a RADIUS server is imperative.
Pairing passwordless authentication with cloud identity providers like Google can seem like a daunting task initially – but Google RADIUS authentication is possible. It’s important you get it right by following a few key steps: keep your Google credentials secure, eliminate passwords entirely, and bring device and user context into each network connection with digital certificates.
Numerous SecureW2 customers have secured their Google networks with our help, and in this guide, we’ll show you how to get the same results.
What is RADIUS-based Authentication?
Remote Authentication Dial-In User Service (RADIUS) is a protocol that authenticates users and devices, granting them access and authorization for defined network resources. RADIUS-based authentication occurs when a network uses the RADIUS protocol to grant access and authorization to devices.
How RADIUS Authentication Works at a High Level
A RADIUS server is the cornerstone of 802.1X networks, but why? How does RADIUS authentication even work? There are a lot of technical nuances, but the general idea is relatively simple. A RADIUS server sits on the perimeter of your network like a bouncer at the door to a club, checking users’ credentials as they attempt to access said network. Users with a valid status are admitted, while others are not.
RADIUS server authentication is the act of verifying users and devices for network access. It can be broadly split into credential-based authentication and certificate-based authentication. RADIUS servers authenticate via a number of protocols, but the most common ones are PEAP-MSCHAPv2, EAP-TTLS/PAP, and EAP-TLS.
Technically, you can use a RADIUS server with credentials (usernames and passwords), but then you’re not really using it to its full potential. Using a RADIUS server to authenticate credentials would be a little like buying a tricked-out gaming PC and then only using it to play minesweeper.
In an 802.1X network, RADIUS servers really shine when used in tandem with digital certificates. It basically works like this: a device with a certificate attempts to access a network resource, such as Wi-Fi or a VPN. It presents its certificate to the RADIUS server. The RADIUS server cross-references the certificate with your Identity Provider (Google Workspace, in this instance), then applies the appropriate network policy based on the certificate’s attributes as long as the certificate is valid and unrevoked.
Note that you can use any user directory as your source of truth to create a Windows RADIUS server, even Google Identity.
Unlike passwords, certificates can’t be shared between multiple devices and users. This means that certificates truly provide device context to every connection – you can be 100% certain which devices are actually accessing your network. Best of all, setting this up is relatively simple with SecureW2’s management GUI.
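The decision flow described above, sketched as an added example (not SecureW2 or Google code). The certificate fields, revocation set, directory records, group-to-VLAN policy and every name here are constructed assumptions, and chain validation against the issuing CA is assumed to have already succeeded during the EAP-TLS handshake.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ClientCert:
    serial: str
    subject_email: str   # identity the certificate was issued to
    device_id: str       # device the certificate was issued to
    not_before: datetime
    not_after: datetime

# Constructed sample data standing in for the CRL, the identity provider
# and the network policy table (all hypothetical).
REVOKED_SERIALS = {"0A:11"}
DIRECTORY = {
    "alice@example.com": {"suspended": False, "group": "staff"},
    "bob@example.com": {"suspended": True, "group": "staff"},
}
VLAN_BY_GROUP = {"staff": 20, "students": 30}

def authorize(cert, now):
    """Return ("Access-Accept", attributes) or ("Access-Reject", reason)."""
    # 1. The certificate itself must be inside its validity period.
    if not (cert.not_before <= now <= cert.not_after):
        return "Access-Reject", "certificate outside validity period"
    # 2. It must not have been revoked since it was issued.
    if cert.serial in REVOKED_SERIALS:
        return "Access-Reject", "certificate revoked"
    # 3. Identity lookup: a still-valid certificate is not enough if the
    #    account behind it has been removed or suspended in the directory.
    user = DIRECTORY.get(cert.subject_email)
    if user is None or user["suspended"]:
        return "Access-Reject", "identity missing or suspended in directory"
    # 4. Policy: map directory attributes to a network segment.
    vlan = VLAN_BY_GROUP.get(user["group"])
    if vlan is None:
        return "Access-Reject", "no network policy for group"
    # RFC 3580 tunnel attributes are how a RADIUS server assigns a VLAN.
    return "Access-Accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan),
    }
```

The third check is the one a password-free deployment depends on: offboarding a user in the directory cuts off network access even before the certificate is revoked or expires.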
Is RADIUS Authentication Still Used?
The name Remote Authentication Dial-In User Service might conjure up images of ancient dial-up internet, but the RADIUS protocol is far from outdated. RADIUS servers are still in wide use today by security-conscious organizations, authenticating users for Wi-Fi and VPN alike.
When Would You Use a RADIUS Server?
You can use a RADIUS server for authenticating and authorizing users and devices on your network. Additionally, RADIUS servers are used for accounting, due to their ability to keep event logs detailing past authentication attempts.
Google RADIUS Authentication Overview and Requirements
Setting up RADIUS authentication will require you to configure a few components. In this scenario, since we’re planning to set up RADIUS authentication while leveraging your Google Workspace, you’ll need the following:
- Google Workspace
- A RADIUS server, such as Cloud RADIUS
- Wi-Fi Network
- Optional but Strongly Recommended: a Public Key Infrastructure (PKI)
How to Set Up a Windows RADIUS Server with Google Workspace
For certificate-based RADIUS authentication you can set up Google Workspace with your PKI using SAML or an API. Then a RADIUS lookup can be configured using an OAuth application in Cloud RADIUS to verify users/Chromebooks in real-time.
When it’s boiled down like this, it may sound relatively simple, but the truth is that it can take a high degree of technical skill. Fortunately, SecureW2 has created an easy-to-use management GUI that streamlines the configuration process. We’ll walk you through setting up RADIUS authentication with Google Workspace in our portal below.
Create an Identity Provider in SecureW2
Creating an IDP in SecureW2 tells our 802.1X onboarding software and Cloud RADIUS server how to connect to your Google IDP, so SecureW2 can verify user credentials and issue certificates that can be authenticated by our RADIUS server. To create an IDP in SecureW2:
- From your SecureW2 Management Portal, go to Identity Management > Identity Providers.
- Click Add Identity Provider.
- For Name, enter a name.
- For Description, enter a description.
- Click the Type dropdown and select SAML.
- Click the Saml Vendor dropdown and select your chosen vendor.
- Click Save.
Setting up RADIUS Authentication with Google Workspace
Creating a SAML Application in Google Workspace
- Log in to the Google Admin Console
- Click Apps and select SAML Apps
- A yellow circle will appear in the bottom right corner (hovering over it shows Enable SSO for a SAML Application); click on it
- Click Set Up My Own Custom App
- Download the IDP metadata
- Next, add the metadata from Google Workspace to SecureW2
- Navigate to the Identity Provider SecureW2 page, and click on the Configuration tab
- Under Identity Provider (IDP) Info, click Choose File
- Choose the downloaded metadata file, and then click Upload and then Update
- Navigate to the Google SAML App Setup
- Enter the basic information for your app in step 3 (Application Name, Description) and then click Next
- Step 4 requires an ACS URL and EntityId from the SecureW2 Management Portal
- Navigate back to the SW2 Management Portal, copy the ACS URL and EntityId from the Identity Provider section, and paste them into the Service Provider Details of the Google SAML App Setup
- Check the box for Signed Response in the Google Admin page, click Next, and Finish
Google Workspace RADIUS Configuration
Now, you need to enter the RADIUS information. For this guide, we are using a Meraki Access Point to show how Cloud RADIUS integrates with an access point. However, Cloud RADIUS is vendor-neutral and works with any Enterprise AP vendor.
- Under Wireless, select Access control
- Under Network access, change the setting from the default value of Open (no encryption) to WPA2 Enterprise with “my RADIUS server”
- For the WPA encryption mode, select WPA2 only
- In the Splash page section, leave it set to None (direct access)
You can find the details about your Cloud RADIUS when you go to AAA Management and AAA Configuration. Here you will see a Primary IP Address, Secondary IP Address, Port Number, and a Shared Secret.
- Copy the Cloud RADIUS information and paste it back into your Access Point Provider under RADIUS Servers; click the green link to Add a server
- Enter the Primary IP Address, Port Number, and Shared Secret in their respective fields
- Repeat the same steps for the secondary server by entering the Secondary IP Address, Port Number, and Shared Secret
- Scroll down and click Save changes
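What the Shared Secret entered above is used for on the wire, as an added example (not SecureW2 or Meraki code): the access point signs each Access-Request that carries EAP with a Message-Authenticator attribute (RFC 2869/3579, HMAC-MD5 keyed with the shared secret), and the RADIUS server discards packets whose value does not verify, which is what a mistyped secret looks like. The secret, identity and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

def attr(type_, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    return struct.pack("!BB", type_, len(value) + 2) + value

def build_access_request(secret, identifier, identity):
    """AP side: build an Access-Request carrying an EAP-Response/Identity."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    attrs = (attr(USER_NAME, identity) + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    # HMAC-MD5 over the whole packet with the placeholder still zeroed.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(secret, packet):
    """Server side: zero the field, recompute, compare in constant time."""
    # Stricter than the RFC: trailing padding past Length is rejected too.
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        type_, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                      # malformed attribute
        if type_ == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += alen
    return False  # no Message-Authenticator: an EAP request is discarded
```

Because the server stays silent on a failed check, a shared-secret mismatch between the AP and the RADIUS server typically surfaces as client timeouts rather than an explicit reject.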
RADIUS Authentication with Google SAML and SecureW2
If you’re using Google Workspace in your organization, you already have one of the key components necessary to make a secure 802.1X network possible. With our dynamic Cloud RADIUS and our managed PKI, you can quickly implement Google identity-enabled certificate-based authentication on a company-wide scale, taking your cloud identity management system to the next level.
SecureW2 has everything needed to deploy passwordless CBA on your Google network – without forklift upgrades.