• Introduction
• Caveats
• Configuration
• ISE & G-Suite: Export ISE EAP identity certificate and import into G-Suite
• G-Suite: Initial Wi-Fi profile
• G-Suite: User Wi-Fi profile

Introduction

On Windows OS native supplicant, there is a setting that reads ‘Automatically use my Windows logon name and password (and domain if any)’. This setting allows OS to reuse PC login credential for 802.1X authentication to gain network access, thus saving user from having to login twice using same credentials for both the PC and the network. This was not possible on Google Chromebook prior to OS v66 so as a workaround SAML was used to gather user identity instead as documented in Google Suite Guest SSO (Single Sign On) with ISE via SAML for Chromebooks. Google Chrome OS v66 introduced a new feature where user can SSO to the network using Google login credentials. Previously, when the network requires 802.1X authentication, the Chromebook user had to sign-in to the Chromebook using Google account and then connect to the network by providing credentials which may or may not be identical to the Chromebook sign-in credential. With the new feature on v66, domain admin can configure enrolled Chromebooks with WiFi settings, where it can reuse Chromebook sign-in credential for network login automatically. This requires the authentication server, typically a RADIUS server to be able to authenticate using the Google account which is not possible with ISE today. As a workaround, customer can synchronize accounts to Google domain from an on-prem AD server that ISE can authenticate with. The setup is shown in the following diagram:

1. Google domain account is synchronized with local AD using GCDS (Google Cloud Directory Sync) and subsequently GSPS (G-Suite Password Sync) can be used to synchronize password from AD to Google-Suite
2. Since ISE cannot authenticate directly with G-Suite, ISE will interface with local AD
3. WLC (NAD) is configured to use ISE as RADIUS server
4. Chromebook gets initial network access
5. Chromebook is enrolled to the Google Cloud and gets WiFi settings which is configured to use same credential for network access
6. Chormebook authenticates using sign-in account which is sent to ISE, ISE authorizes user for full network access

Caveats

• Please note that this document only goes over the necessary settings on G-Suite. The document expects that G-Suite is already setup to synchronize with local AD via GCDS/GSPS. Test Chromebook is already enrolled to the G-Suite. Underlying Wireless network is already configured for 802.1X with ISE.
• Unlike Windows OS, Chromebook supplicant cannot be setup to perform network authentication before login. Which means the Chromebook has to be on the network where it can communicate with G-Suite to authenticate the user prior to user based network access. This can be done by allowing Chromebook to connect to OPEN network (Guest SSID for example) when there are no G-Suite managed user connected. The other option is to use service account that connects to SECURED network prior to user login. In the case of using service account, different ACL can be applied to service account access so it only has access to the Google resources until a valid user logs in. In this document, we will use second example where a service account is used to provide initial access to the network so a subsequent user authentication can occur without issues.

Configuration

ISE & G-Suite: Export ISE EAP identity certificate and import into G-Suite

Note: Steps 1 - 10 is not required if the ISE EAP identity certificate is already generated as 2048 key length and SHA-256 digest.

1. Logon to the ISE GUI
2. Go to Administration > System > Certificates > Certificate Management > System Certificates
3. Click on Generate Self Signed Certificate
4. Select DNS Name for ’Subject Alternative Name (SAN)’ and enter the ISE host name in the box
5. Select 2048 for Key length and SHA-256 for Digest to Sign With
6. Check Portal: Use for Portal
7. Select ‘Default Portal Certificate Group’
8. Click Submit
9. Select Yes when prompted to replace existing certificate
10. ISE node will be restarted to use the new certificate
11. Once ISE is back up, login to the Admin GUI
12. Go to Administration > System > Certificates > Certificate Management > System Certificates
13. Check the certificate that is shown as used by ‘Portal’ and click 'Export'
14. Leave setting as ‘Export Certificate Only’ and Click Export
15. Save it to the local drive. We will import this certificate into the Google Suite
16. Logon to the Google Suite account as a google admin user
17. Go to Device Management > Device Settings > Network
18. Click Certificates
19. Click Add Certificate
20. Select the one exported from ISE in the step above
21. Check 'Use this certificate as an HTTPS certificate authority' check box
22. Click Save

G-Suite: Initial Wi-Fi profile

Create Initial Wi-Fi profile so Chromebook is connected to the G-Suite prior to user login. This step can be modified to open SSID instead if such SSID allows access to G-Suite resources.

1. Logon to the Google Suite account as a google admin user
2. From Home, click on ‘Device Management’
3. On the left, click ‘Networks’
4. Click ‘Wi-Fi’
5. Click ‘Add Wi-Fi’
6. Enter Following information:

• Click APPLY

G-Suite: User Wi-Fi profile

1. Create user Wi-Fi profile. This will be used for anyone logging in to the Chromebook.
2. Click ‘Add Wi-Fi’
3. Enter Following information:

• Click APPLY then SAVE