Nowadays a lot of companies have their domains hosted with Google. Since Google provides only APIs, we would not be able to use these credentials for L2 authentication such as Dot1x.

 

Here is a workflow that shows how we can onboard a client using Google credentials and allow users to connect to the secure SSID after onboarding, with certificates issued against their Google credentials.

 

Step 1: Create an app in Google Developers.

Step 2: Create Network Settings for the secure SSID. In our setup the SSID name is “Airowire”.

Step 3: Create a Configuration Profile and map the Network Settings

Step 4: Create a Provisioning profile

  • Map the Network Settings
  • Map the Onboard CA
  • Enable social login and add auto-redirect to Google auth
  • Map the credentials and secret created in the Google API console

Step 5: Map the redirect URL of the CPPM to the Authorized Redirect URL

Note: The CPPM should have a proper FQDN and DNS entry.

Step 6: Create a BYOD provisioning role on the Controller/IAP. The role should have access to Google Suite.

 

 

wlan access-rule BYOD-Provision
 index 4
 captive-portal external profile BYOD-Provision
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule 192.168.0.0 255.255.255.0 match any any any permit
 rule alias play.google.com match any any any permit
 rule alias *.google.com match any any any permit
 rule alias 1e100.net match any any any permit
 rule alias mtalk.google.com match any any any permit
 rule alias android.clients.google.com match any any any permit
 rule alias googleapis.com match any any any permit
 rule alias play.googleapis.com match any any any permit
 rule alias *ggpht.com match any any any permit
 rule alias *gvt1.com match any any any permit

 

Step 7: Create a captive portal profile and map the profile to the role

wlan external-captive-portal BYOD-Provision
 server cppm.airowire.com
 port 80
 url "/guest/device_provisioning.php"
 auth-text ""
 auto-whitelist-disable

Step 8: Map this as the pre-auth role in the SSID

 

wlan ssid-profile Airowire_Provisioning
 enable
 index 3
 type guest
 essid Airowire_Provisioning
 opmode opensystem
 max-authentication-failures 0
 vlan guest
 auth-server Cloud_CPPM
 set-role-pre-auth BYOD-Provision
 rf-band all
 captive-portal external profile BYOD-Provision
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
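
An added example, not part of the original post and not an Aruba tool: a small Python audit of the pre-auth role from Step 6 and the portal profile from Step 7 (alias list abridged), listing the rules that give a not-yet-onboarded client on the open SSID more reach than onboarding needs. The function name and finding codes are hypothetical, and how the controller matches a wildcard alias with no dot, such as *ggpht.com, is an assumption to confirm on your firmware.

```python
import ipaddress
import re

# Pre-auth role and portal profile from Steps 6 and 7 of this page (aliases abridged).
PAGE_CONFIG = """\
wlan access-rule BYOD-Provision
 index 4
 captive-portal external profile BYOD-Provision
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule 192.168.0.0 255.255.255.0 match any any any permit
 rule alias play.google.com match any any any permit
 rule alias *.google.com match any any any permit
 rule alias 1e100.net match any any any permit
 rule alias *ggpht.com match any any any permit
wlan external-captive-portal BYOD-Provision
 server cppm.airowire.com
 port 80
"""

# Matches the two rule shapes used on this page: "<dest> <mask>" and "alias <domain>".
RULE = re.compile(r"^rule (alias \S+|\S+ \S+) match (\S+) \S+ \S+ permit$")

def audit_preauth(config):
    """Return (code, detail) findings; the codes are hypothetical labels."""
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        m = RULE.match(line)
        if m:
            dest, proto = m.groups()
            if dest.startswith("alias "):
                name = dest.split()[1]
                # Assumption: "*" with no following "." may match past a label boundary.
                if name.startswith("*") and not name.startswith("*."):
                    findings.append(("LOOSE_WILDCARD", name))
            elif proto == "any":
                if dest == "any any":
                    findings.append(("PERMIT_ALL", line))
                else:
                    # Every port on every host in this subnet is reachable pre-auth.
                    net = ipaddress.ip_network("/".join(dest.split()), strict=False)
                    findings.append(("SUBNET_ALL_PORTS", f"{net} ({net.num_addresses} addresses)"))
        elif line == "port 80":
            # The portal profile on this page points clients at port 80.
            findings.append(("PORTAL_PORT_80", line))
    return findings

if __name__ == "__main__":
    for code, detail in audit_preauth(PAGE_CONFIG):
        print(code, detail)
```

Narrowing the subnet rule to the ClearPass address and the ports the onboarding portal uses clears the SUBNET_ALL_PORTS finding without touching the Google aliases.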