Google Suite Guest SSO (Single Sign On) with ISE via SAML for Chromebooks
Introduction

Note: Starting with Chrome OS 66, it is possible to do SSO for 802.1X. Please see Chromebook 802.1X SSO for more information.

Chromebooks have become a dominant platform for much of the K-12 environment in the US. While it makes great sense for district management to choose Chromebooks over other platforms, it presents a unique problem for the network/security administrators who manage network security for the school districts: there is no easy way to force each Chromebook to use a unique identity to log in to the network. On MS Windows, the OS can be configured to use the Windows login account for network login, which provides SSO for the users while also giving network administrators visibility of who is on the network. Chromebooks offer no equivalent, as is evident from the issue tracked here: https://bugs.chromium.org/p/chromium/issues/detail?id=386606.

To work around this, some admins instruct users to connect to the wireless network manually after they receive their Chromebook. While feasible, this only works where a Chromebook is assigned to one student for a prolonged period; it does not work where Chromebooks are shared by multiple students throughout the day, and password expiry policies often generate additional support calls from students. Other admins have used WPA/WPA2 PSK (Pre-Shared Key) or a static username/password combination to authenticate to the network, forfeiting visibility, since every Chromebook logon then looks identical apart from the MAC address. Without that visibility, admins cannot enforce differentiated policies per user, cannot easily track down a user when a policy violation occurs on the network, and cannot track down an asset for inventory purposes.

ISE offers a solution by using its SAML Guest authentication feature to identify the user behind the device, giving network and security administrators visibility into users. This works with an Open SSID, WPA/WPA2 PSK, or WPA/WPA2 802.1X combined with SAML guest authentication on ISE. In this setup the ISE Guest portal acts as the SAML SP (Service Provider) and Google Suite acts as the IdP (Identity Provider).

 

This document describes how to configure Cisco ISE to provide SSO on the ISE guest portal with a Google Suite account via SAML, so that network administrators can see who is logged in to the network on both the WLC and ISE. It also contains optional configuration to streamline the user experience by auto-opening a browser on login and auto-clicking the SSO link. The document covers the additional configuration needed to make Chromebook SSO work on an existing guest setup and uses default ISE settings where applicable.

 

Prerequisite

Already have working Google Suite with test users

Fresh ISE 2.2 install (this document was written while testing with ISE 2.2, but it should also work with ISE 2.1)

Working WLC with CWA guest access running 7.6+ for the DNS ACL feature (preferably 8.2+, which allows 20 DNS ACEs per ACL instead of 10 in earlier versions)

 

Configuration Overview

  1. ISE: Add WLC as RADIUS Client

  2. ISE: Enable Default Authorization Policy for guest access

  3. ISE: Create SAML identity source

  4. ISE: Create Guest portal to use SAML

  5. ISE: Take note of SAML SP settings

  6. G-Suite: Create SAML App to use ISE

  7. ISE: Import G-Suite SAML metadata into ISE SAML identity store

  8. WLC: Configure RADIUS Server

  9. WLC: Configure Redirect ACL

  10. WLC: Configure WLAN

 

Quick video showing the configuration flow: [video]

ISE: Add WLC as RADIUS Client

  1. Go to Administration > Network Resources > Network Devices > Add

  2. Provide Name, IP Address, and the RADIUS shared key for the WLC and save

 

ISE: Enable Default Authorization Policy for guest access

  1. Go to Policy > Authorization
  2. Click on 'Edit' for the 'Wi-Fi_Guest_Access' and 'Wi-Fi_Redirect_to_Guest_Login' rules. Click on the status field to mark both rules as active
  3. (Optional) If using an 802.1X WLAN, add an additional condition to the 'Wi-Fi_Guest_Access' rule checking that 'CWA:CWA_Username' Ends With the Google domain being configured (e.g. @wonderlandisd.org; including the '@' prevents a match on accounts from other domains that merely end in the same string). This ensures both the 802.1X identity and the SAML (WebAuth) identity are visible in the Live Log and via pxGrid
  4. Click Save

 

[Screenshot: default Wi-Fi_Guest_Access and Wi-Fi_Redirect_to_Guest_Login authorization rules enabled]

 

ISE: Create SAML identity source

  1. Go to Administration > System > External Identity Sources > SAML Id Providers, click on Add

  2. Enter 'Google_SAML' in the Id Provider Name field, click Save

     

ISE: Create Guest portal to use SAML

  1. Go to Work Centers > Guest Access > Portals & Components > Guest Portals, click on Create

  2. Select Sponsored-Guest Portal and click Continue…

  3. Enter Google_SSO in the Portal Name

  4. Expand Portal Settings, select Google_SAML from the Authentication method pull down menu

  5. Expand Acceptable Use Policy (AUP) Page Settings, uncheck 'Include an AUP page'

  6. Expand Guest Device Registration Settings, uncheck ‘Automatically register guest devices’

  7. Expand Post-Login Banner Page Settings, uncheck 'Include a Post-Login Banner Page'

  8. (Optional) Expand Authentication Success Settings and change where the user is sent after SSO completes

  9. Scroll up and click Save

  10. Click Close to go back to the list of Guest Portals

  11. Click on the Self-Registered Guest Portal (default)

  12. Expand Login Page Settings, Uncheck ‘Allow guests to create their own accounts’, Check ‘Allow the Following identity-provider guest portal to be used for login’ and select Google_SSO from the drop down list

  13. Expand Acceptable Use Policy (AUP) Page Settings, uncheck 'Include an AUP page'

  14. Expand Guest Device Registration Settings, uncheck ‘Automatically register guest devices’

  15. Scroll up and click Save

     

ISE: Take note of SAML SP settings

  1. Go to Administration > System > External Identity Sources > SAML Id Providers, click on Google_SAML

  2. Click on Service Provider Info. tab

  3. Click on Export button

  4. Save the ‘Google_SAML.zip’ file

  5. With the file manager on your PC/OSX, extract the 'Google_SAML.zip' file

  6. Use Notepad or another text editor to open the Google_SSO.xml file

  7. Take note of two values: entityID and Location. Location is multi-valued (ISE lists one AssertionConsumerService entry per address it is reachable on). Take note of the Location value that carries the host name rather than the IP address, because the Chromebook's browser will post the SAML response to that URL and must be able to validate the portal certificate for that name. See below for an example:

entityID="http://CiscoISE/4a089df2-3ede-11e7-97dd-0242ebf188ae"

Location="https://ise22.example.com:8443/portal/SSOLoginResponse.action"
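The following Python script is an added example (not part of the original article or the ISE export) that automates step 7: it parses the SP metadata ISE exports and picks out the Entity ID and the host-name-based ACS URL that will be typed into the Google SAML app. The metadata sample is constructed to look like the ISE export; its entityID and host name are the values shown above, and the 10.0.0.10 entry is an assumed IP-based Location of the kind ISE also emits.

```python
"""Pick the Entity ID and ACS URL for the Google SAML app out of the SP
metadata that ISE exports for the Google_SAML identity provider."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample shaped like the ISE export. The entityID and the
# ise22.example.com Location are the values shown on the page; the
# 10.0.0.10 entry is assumed, standing in for the IP-based Location.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://CiscoISE/4a089df2-3ede-11e7-97dd-0242ebf188ae">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://10.0.0.10:8443/portal/SSOLoginResponse.action"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://ise22.example.com:8443/portal/SSOLoginResponse.action"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def is_ip_literal(host):
    """True for hosts like '10.0.0.10' or '::1', False for DNS names."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def sp_settings(metadata_xml):
    """Return {'entity_id', 'acs_url'} from ISE SP metadata, choosing the
    https ACS Location that carries a host name rather than an IP address."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    candidates = []
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        loc = acs.get("Location", "")
        u = urlparse(loc)
        # The Chromebook's browser posts the assertion to this URL, so it
        # must be https and must use the name in the portal certificate.
        if u.scheme != "https" or not u.hostname or is_ip_literal(u.hostname):
            continue
        candidates.append(loc)
    if not candidates:
        raise ValueError("no https AssertionConsumerService with a host name")
    return {"entity_id": entity_id, "acs_url": candidates[0]}


def acs_host_covered_by_san(acs_url, san_dns_names):
    """Check that the ACS host is one of the portal certificate's SAN DNS
    names (the self-signed certificate step later adds the ISE host name)."""
    host = urlparse(acs_url).hostname
    return host is not None and host.lower() in {n.lower() for n in san_dns_names}


if __name__ == "__main__":
    settings = sp_settings(SAMPLE_SP_METADATA)
    print("Entity ID :", settings["entity_id"])
    print("ACS URL   :", settings["acs_url"])
    print("SAN covers ACS host:",
          acs_host_covered_by_san(settings["acs_url"], ["ise22.example.com"]))
```

Run it against the real Google_SSO.xml by reading the file into `sp_settings`; the `acs_host_covered_by_san` check is worth repeating after the portal certificate is replaced, since a Location whose host is missing from the certificate's SAN is exactly what produces the browser certificate complaint listed under Troubleshooting.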

 

G-Suite: Create SAML App to use ISE

  1. Logon to the Google Suite account as a google admin user

  2. From Home, go to Apps > SAML Apps > Click on ‘+’

  3. Select ’SETUP MY OWN CUSTOM APP’ on the bottom

  4. Click on the 'Download' button under Option 2, IDP metadata

  5. Save the file to the local HDD, we will import this into ISE SAML settings

  6. Click Next

  7. Enter ISE-Guest as application name and click NEXT

  8. For ACS URL, enter the 'Location' value noted from the exported ISE SP metadata above

  9. For Entity ID, enter the 'entityID' value noted from the exported ISE SP metadata above

  10. Click NEXT, then FINISH

  11. Click OK on the pop up

  12. Select the three-dot icon and choose 'ON for everyone'

  13. Click ‘TURN ON FOR EVERYONE’

 

ISE: Import G-Suite SAML metadata into ISE SAML identity store

  1. Go to Administration > System > External Identity Sources > SAML Id Providers, click on Google_SAML

  2. Click on Identity Provider Config. tab

  3. Click on Choose File button

  4. Select IDP Metadata that was downloaded from the Google Suite during the step above

  5. Click Save

 

WLC: Configure RADIUS Server

  1. Go to Security > AAA > RADIUS > Authentication > New...

  2. Enter the server IP and RADIUS key, enable CoA (Support for CoA / RFC 3576), change the server timeout to 5 seconds and click Apply

  3. Go to Security > AAA > RADIUS > Accounting > New...

  4. Enter the server IP and RADIUS key, change the server timeout to 5 seconds and click Apply

 

WLC: Configure Redirect ACL

Go to Security > Access Control Lists > Access Control Lists > New

  1. Enter 'ACL_WEBAUTH_REDIRECT' for the name and click Apply
  2. Click on 'ACL_WEBAUTH_REDIRECT'
  3. Click on 'Add New Rule' and add ACEs to permit DNS and access to the ISE node (see the example below), then click Apply

 

[Screenshot: ACL_WEBAUTH_REDIRECT ACEs permitting DNS and traffic to the ISE node]

 

  4. Hover the mouse next to 'ACL_WEBAUTH_REDIRECT' and select 'Add-Remove URL'

  5. Add the following entries one by one and click 'Back'. Entries beginning with a dot match any host under that domain. Everything in this list is reachable before the user has authenticated, so keep it limited to what the Chromebook sign-in and the Google SAML flow actually require

.google.co

accounts.youtube.com

gstatic.com

.googleapis.com

.appspot.com

ggpht.com

market.android.com

android.pool.ntp.org

.googleusercontent.com

.google-analytics.com

 

WLC: Configure WLAN

  1. Go to WLANs > Select 'Create New' and click on 'Go'

  2. Add profile name and SSID name

  3. Click on Apply

  4. Check Enabled for Status

  5. Select appropriate interface

  6. Click on 'Security' tab under WLAN

  7. Select 'None' for the Layer 2 Security

  8. (Optional) If running WLC 8.3+ and you would like to use WPA/WPA2 PSK to encrypt traffic on the WLAN, select WPA+WPA2 for Layer 2 Security instead

  9. Select 'MAC-Filtering'

  10. (Optional) If WPA+WPA2 was selected previously, select PSK for Authentication Key Management and enter PSK for the WLAN in the PSK Format area

  11. Select 'AAA Servers' tab

  12. Select RADIUS server that was added to the WLC in the previous step for both Authentication and Accounting servers

  13. Click 'Advanced' tab under WLAN

  14. Check AAA Override

  15. For NAC State, select ISE NAC (or RADIUS NAC for older version of WLC)

  16. Check DHCP Profiling and HTTP Profiling for 'RADIUS Client Profiling'

  17. Click Apply

 

Optional Configurations for better end user experience

The following three settings can be used to provide a better user experience by letting the SAML flow start automatically when the user logs in to the Chromebook. The first optional setting forces auto SSO by opening a browser window when a user logs in to the Chromebook. The second optional setting auto-clicks the SSO link using JavaScript. The third optional setting ensures the ISE guest portal certificate is trusted by the Chromebook when the ISE self-signed certificate is used; that last step is unnecessary if a third-party CA-signed certificate is used for the portal.

 

Make browser auto popup when user signs in to the Chromebook

  1. Logon to the Google Suite account as a google admin user

  2. From Home, go to Device Management > Chrome > User Settings

  3. Scroll down to the 'Startup' section, locate the 'Pages to Load on Startup' setting and enter any plain http (non-secure) site that is not part of the Google domains (e.g. http://www.cisco.com). It must be plain http: the WLC can only intercept and redirect an unencrypted request, and intercepting an https request would produce a certificate warning instead of the portal

  4. Click Save

     

Hide login portal and auto click SSO link

  1. Logon to the ISE GUI

  2. Go to Administration > System > Admin Access > Settings > Portal Customization

  3. Select ‘Enable Portal Customization with HTML and JavaScript’ and click Save

  4. Go to Work Centers > Guest Access > Portals & Components > Guest Portals

  5. Click on the Self-Registered Guest Portal (default)

  6. Click on the Portal Page Customization on the top

  7. Select Pages > Login from the left side and go to the section that shows ‘Google_SSO’

  8. Check the ‘as link’ next to the ‘Alternative Login Portal’

  9. Click on ‘X’ right next to the Icon to remove the icon

  10. Scroll to the Optional Content 2 box

  11. Click on the 'Toggle HTML Source' button in the Optional Content 2 box area

  12. Paste in the following JavaScript (the portal pages already load jQuery, which is what the '$' calls rely on)

<script>
$(document).ready(function(){
    // Click the 'Google_SSO' alternative-login link as soon as the login page
    // has loaded, so the SAML flow starts without any user interaction.
    $('#idp-login-link-text-container').trigger('click');
    // Hide the default username/password form while the redirect to the IdP happens.
    $('[id="page-login"]').hide();
});
</script>

  13. Click on the 'Toggle HTML Source' button in the Optional Content 2 box area again; the script disappears from view but is still applied. If applied correctly, the preview pane on the right-hand side shows a blank page

  14. Scroll up and click Save

 

Make Chromebook trust ISE Self-Signed certificate

  1. Logon to the ISE GUI

  2. Go to Administration > System > Certificates > Certificate Management > System Certificates

  3. Click on Generate Self Signed Certificate

  4. Select DNS Name for ’Subject Alternative Name (SAN)’ and enter the ISE host name in the box

  5. Select 2048 for Key length and SHA-256 for Digest to Sign With

  6. Check Portal: Use for Portal

  7. Select ‘Default Portal Certificate Group’

  8. Click Submit

  9. Select Yes when prompted to replace existing certificate

  10. ISE node will be restarted to use the new certificate

  11. Once ISE is back up, login to the Admin GUI

  12. Go to Administration > System > Certificates > Certificate Management > System Certificates

  13. Check the certificate that is shown as used by ‘Portal’ and click 'Export'

  14. Leave setting as ‘Export Certificate Only’ and Click Export
  15. Save it to the local HDD. We will import this certificate into the Google Suite
  16. Logon to the Google Suite account as a google admin user
  17. Go to Device Management > Device Settings > Network
  18. Click Certificates
  19. Click Add Certificate
  20. Select the one exported from ISE in step above
  21. Check the 'Use this certificate as an HTTPS certificate authority' check box
  22. Click Save

Note: this makes the ISE self-signed certificate a trust anchor on every managed Chromebook. Protect the ISE private key accordingly, and prefer a portal certificate issued by a CA the Chromebooks already trust where that is an option.

 

Optional Configurations for group/attribute matching

At the time of writing, the Google IdP cannot include group information in the SAML assertion. As a workaround, the following settings configure G-Suite to send a user attribute during the SAML flow that ISE can then use as an authorization condition. This is useful when differentiated access is needed for certain groups of users; for instance, students are assigned an ACL or a security group tag that differs from the one assigned to faculty members.

Note: Currently, SAML assertion group/attribute matching is possible only when the WLAN is configured as Open or WPA/WPA2 PSK.

 

Configure G-Suite to include additional attribute during SAML flow

  1. Logon to the Google Suite account as a google admin user
  2. From Home, go to Apps > SAML Apps > Click on 'ISE-Guest'
  3. Click on 'Attribute Mapping'
  4. Enter Department, Select 'Employee Details', then select 'Department'
  5. Click Save

[Screenshot: G-Suite SAML app attribute mapping with Department mapped from Employee Details]

 

Configure ISE to map the attributes to ISE attributes

  1. Logon to the ISE GUI
  2. Go to Administration > System > External Identity Sources > SAML Id Providers, click on 'Google_SAML'
  3. Click on 'Groups' tab
  4. Enter 'Department' in the 'Group Membership Attribute' box
  5. Click on 'Add' below and add the Department names used in G-Suite (the screenshot below shows a few examples)
  6. Click Save. The groups just added are now available as authorization conditions in the policy rules.

[Screenshot: ISE SAML IdP Groups tab with Department as the Group Membership Attribute and example department names]
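As an added example (not code from the article, from ISE or from Google), the script below applies the checks that the attribute-matching setup above relies on to a SAML response: it confirms the assertion was issued for this SP (Audience equals the ISE entityID, Recipient equals the ACS URL), confirms the account is in the configured Google domain in the spirit of the optional 'CWA_Username Ends With' condition, and maps the Department attribute to an authorization result the way ISE maps it to a group condition. The SAML response is constructed, the issuer and the policy names (STUDENT_ACL, FACULTY_ACL) are assumptions, and the XML signature is omitted: ISE verifies the signature with the IdP certificate from the imported Google metadata before any of these checks, and this example does not re-implement that.

```python
"""Validate a SAML assertion against the ISE SP settings and map the
Department attribute to an authorization result."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SP values from the ISE metadata export shown earlier on the page.
SP_ENTITY_ID = "http://CiscoISE/4a089df2-3ede-11e7-97dd-0242ebf188ae"
SP_ACS_URL = "https://ise22.example.com:8443/portal/SSOLoginResponse.action"
GOOGLE_DOMAIN = "wonderlandisd.org"      # example domain used on the page
GROUP_ATTRIBUTE = "Department"           # 'Group Membership Attribute' in ISE

# Department -> authorization result. The ACL names are assumptions; the page
# only says that students and faculty receive different ACLs or SGTs.
DEPARTMENT_POLICY = {
    "Students": "PermitAccess + ACL STUDENT_ACL",
    "Faculty": "PermitAccess + ACL FACULTY_ACL",
}
DEFAULT_RESULT = "Wi-Fi_Guest_Access (no department match)"

# Constructed sample response. Signature omitted (see lead-in); issuer assumed.
SAMPLE_RESPONSE = """\
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://ise22.example.com:8443/portal/SSOLoginResponse.action">
  <saml2:Assertion>
    <saml2:Issuer>https://idp.example.test/saml2</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>alice@wonderlandisd.org</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData
            Recipient="https://ise22.example.com:8443/portal/SSOLoginResponse.action"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>http://CiscoISE/4a089df2-3ede-11e7-97dd-0242ebf188ae</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="Department">
        <saml2:AttributeValue>Students</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def authorize(response_xml, entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL,
              domain=GOOGLE_DOMAIN):
    """Raise ValueError if the assertion is not for this SP or not for the
    Google domain; otherwise return the user, departments and policy result."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    audience = assertion.findtext(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if audience != entity_id:
        raise ValueError(f"assertion audience {audience!r} is not this SP")
    scd = assertion.find(
        "saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("assertion recipient is not this SP's ACS URL")
    name_id = (assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS) or "").strip()
    # Tighter form of the page's 'Ends With <domain>' condition: requiring the
    # '@' stops user@evilwonderlandisd.org from matching wonderlandisd.org.
    if not name_id.lower().endswith("@" + domain.lower()):
        raise ValueError(f"{name_id!r} is not a {domain} account")
    departments = [
        (v.text or "").strip()
        for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)
        if attr.get("Name") == GROUP_ATTRIBUTE
        for v in attr.findall("saml2:AttributeValue", NS)
    ]
    matched = [d for d in departments if d in DEPARTMENT_POLICY]
    result = DEPARTMENT_POLICY[matched[0]] if matched else DEFAULT_RESULT
    return {"user": name_id, "departments": departments, "result": result}


def accepted(response_xml, **kwargs):
    """Convenience wrapper: True if authorize() accepts the response."""
    try:
        authorize(response_xml, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(authorize(SAMPLE_RESPONSE))
```

A department value that is not in the ISE group list falls through to the default guest result rather than being rejected, which matches how an unmatched group condition behaves in the authorization policy; an assertion addressed to a different entityID or ACS URL is refused outright.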

 

Troubleshooting

Common issues

Chrome browser complains about the certificate

  • Make sure the ISE portal certificate is signed with SHA-256 and includes a SAN field. The ISE default self-signed certificate uses SHA-1, so if using a self-signed certificate, a new one has to be issued
  • Check chrome policy to ensure that it is using latest policy
    • On the client PC, in the URL bar, enter ‘chrome://policy’
    • If the policy is stale, click on ‘Reload Policies’ button to renew policy

When SSO link/button is clicked, the user gets Application is not enabled error

  • Validate that the Chromebook being used is being managed by the G-Suite
  • Validate that the user is using the managed user account that is member of the domain
  • After enabling the SAML app in G-Suite, it may take up to 24 hours for the settings to propagate to all users; even for a small organization it may take 30 minutes
  • Validate SAML setting between ISE and G-Suite SAML App

If the SSO link/button is visible but unclickable

  • Validate SAML IdP setting on the ISE. It should look similar to the following

[Screenshot: SAML IdP settings in ISE]

 

Debugging

Under Administration > System > Logging > Debug Log Configuration, set the 'guestaccess' and 'portal-web-action' components to DEBUG and the 'saml' component to TRACE.

Then open two separate SSH sessions to ISE. In the first, run:

terminal length 0

show logging application ise-psc.log tail

and in the second:

terminal length 0

show logging application guest.log tail

 

Caveats

Shared Chromebook

At the time of writing, Google as a SAML IdP does not support logout. So when multiple users share the same Chromebook, as is the case in many K-12 environments, there is a possibility that if the time between the first user logging off and a second user logging in is too short, the second user appears under the first user's identity in the ISE and WLC view. This does not mean the second user has access to the first user's Google apps and resources; only the network session attribution is affected. To minimize such incidents, reduce the idle timeout for the WLAN to a value short enough to clear out sessions while the Chromebook is handed to the next student during class breaks. In addition to the short idle timeout, the multiple sign-in access setting in G-Suite needs to be set accordingly. The setting can be changed by logging in to G-Suite and going to 'Device Management > Chrome > User Settings > User Experience > Multiple Sign-in Access'.

 

End User Experience

Without Optional Configuration

[Screenshot: end user flow without the optional configuration]

  1. User enters their Google ID to log in to the Chromebook (the Chromebook is booted up, associates to the open SSID, and ISE assigns the 'Cisco_WebAuth' Authorization Profile, which redirects any web request to the ISE WebAuth portal page while allowing access to the G-Suite related sites for policy download and user login)
  2. Once on the desktop, the user opens a browser window and tries to go to a non-Google site (if using the automated JavaScript from the optional section above, this and the next two steps happen automatically when the user logs in to the Chromebook)
  3. User is redirected to ISE portal page
  4. User clicks on SSO link/button
  5. SAML completes and user is presented with Success page
  6. User now has Internet access

 

With Optional Configuration

[Screenshot: end user flow with the optional configuration]

  1. User enters their Google ID to log in to the Chromebook (the Chromebook is booted up, associates to the open SSID, and ISE assigns the 'Cisco_WebAuth' Authorization Profile, which redirects any web request to the ISE WebAuth portal page while allowing access to the G-Suite related sites for policy download and user login)
  2. The browser pops up automatically upon login, SAML completes, and the user is presented with the Success page
  3. User now has Internet access

 

ISE Live Log

[Screenshot: ISE Live Log showing the SAML guest authentication]

Comments
Enthusiast

The link for the video is invalid. Please fix the link:

 

Quick video showing the configuration flow:

Video Link : 16306

 

The above link does not work.

 

Thanks for taking a look at it!


Cisco Employee

Re-uploaded video. Thanks for letting us know.
