Nowadays a lot of companies have their domains hosted with Google. Since Google provides only APIs, these credentials cannot be used directly for L2 authentication such as Dot1x.
Here is a workflow that shows how to onboard a client using Google credentials and then let users connect to the secure SSID after onboarding, with certificates issued against their Google credentials.
Step 1: Create an app in Google Developers.
Step 2: Create Network Settings for the secure SSID. In our setup the SSID name is “Airowire”.
Step 3: Create a Configuration Profile and map the Network Settings.
Step 4: Create a Provisioning profile:
- Map the Network Settings
- Map the Onboard CA
- Enable social login and add auto-redirect to Google auth
- Map the credentials and secret created in the Google API console
Step 5: Map the redirect URL of the CPPM to the Authorized Redirect URL.
Note: The CPPM should have a proper FQDN and DNS entry.
Step 6: Create a BYOD provisioning role in the Controller/IAP. The role should have access to Google Suite.
wlan access-rule BYOD-Provision
 index 4
 captive-portal external profile BYOD-Provision
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule 192.168.0.0 255.255.255.0 match any any any permit
 rule alias play.google.com match any any any permit
 rule alias *.google.com match any any any permit
 rule alias 1e100.net match any any any permit
 rule alias mtalk.google.com match any any any permit
 rule alias android.clients.google.com match any any any permit
 rule alias googleapis.com match any any any permit
 rule alias play.googleapis.com match any any any permit
 rule alias *ggpht.com match any any any permit
 rule alias *gvt1.com match any any any permit
Step 7: Create a Captive Portal profile and map the profile to the role.
wlan external-captive-portal BYOD-Provision
 server cppm.airowire.com
 port 80
 url "/guest/device_provisioning.php"
 auth-text ""
 auto-whitelist-disable
Step 8: Map this as the pre-auth role in the SSID.
wlan ssid-profile Airowire_Provisioning
 enable
 index 3
 type guest
 essid Airowire_Provisioning
 opmode opensystem
 max-authentication-failures 0
 vlan guest
 auth-server Cloud_CPPM
 set-role-pre-auth BYOD-Provision
 rf-band all
 captive-portal external profile BYOD-Provision
 dtim-period 1
 broadcast-filter arp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64
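
The pre-auth role from Step 6 applies to every device that joins the open provisioning SSID, before any authentication, so its permit rules are worth reviewing before rollout. The script below is an added example, not part of the original workflow or of any Aruba tooling: it parses only the two rule shapes shown on this page, and the function name and finding labels are hypothetical names chosen for this example.

```python
import ipaddress

# Constructed input: the rules of the BYOD-Provision role from Step 6 of this page.
ROLE = """\
wlan access-rule BYOD-Provision
 rule any any match udp 53 53 permit
 rule any any match udp 67 68 permit
 rule 192.168.0.0 255.255.255.0 match any any any permit
 rule alias play.google.com match any any any permit
 rule alias *.google.com match any any any permit
 rule alias 1e100.net match any any any permit
 rule alias mtalk.google.com match any any any permit
 rule alias android.clients.google.com match any any any permit
 rule alias googleapis.com match any any any permit
 rule alias play.googleapis.com match any any any permit
 rule alias *ggpht.com match any any any permit
 rule alias *gvt1.com match any any any permit
"""

def audit_preauth_role(config):
    """Return (finding, rule) pairs for permit rules a reviewer should look at."""
    findings = []
    for line in config.splitlines():
        tok = line.split()
        # Both rule shapes on the page put "match" at index 3:
        #   rule <net> <mask> match <proto> <sport> <eport> permit
        #   rule alias <name> match <proto> <sport> <eport> permit
        if len(tok) != 8 or tok[0] != "rule" or tok[3] != "match" or tok[7] != "permit":
            continue
        rule = " ".join(tok)
        all_traffic = tok[4:7] == ["any", "any", "any"]
        if tok[1] == "alias":
            if "*" in tok[2]:  # wildcard alias: broader than a single named host
                findings.append(("wildcard-alias", rule))
        elif tok[1] == "any":  # a permitted port range to every destination
            findings.append(("any-destination", rule))
        elif all_traffic:      # every protocol and port to an address range
            net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
            findings.append((f"open-subnet:{net.num_addresses}-addresses", rule))
    return findings

if __name__ == "__main__":
    for finding, rule in audit_preauth_role(ROLE):
        print(f"{finding:28} {rule}")
```

A finding is a prompt for review rather than a verdict: the DHCP rule, for example, legitimately matches any destination, while the subnet rule can usually be narrowed to the hosts and ports onboarding actually needs.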