Google Device Authorization

Applies To: Wi-Fi Cloud-managed Access Points (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420) This topic applies to Wi-Fi 5 access points you manage in Wi-Fi Cloud (AP120, AP125, AP225W, AP320, AP322, AP325, AP327X, AP420).

When you enable secondary authorization on your network, a wireless user is first authenticated on the wireless network (for example, with WPA2 and PSK or 802.1x), and then the device used to connect to the network is authenticated to check whether it is an authorized device.

The device authorization can be enforced through Google Device Authorization, or RADIUS MAC Authorization. For more information on RADIUS, see Configure RADIUS MAC Authentication.

You can use Google Device Authorization to allow only authorized devices to connect to your wireless network.

1. When Google Integration is configured in Wi-Fi Cloud, a list of authorized devices is retrieved from Google.
2. The list of devices is pushed to all access points on your wireless network.
3. When a client connects to the access point, the device details are compared against the authorized device list and wireless access is allowed or blocked.

If Google OU rules are defined in the SSID Profile, then the OU of the device is matched against the rules and the configured wireless access is allowed.

Configure Google Integration

Google Apps for enterprises and educational institutions, such as Google for Work and Google for Education, provide various features that enable users to communicate and collaborate from a single platform. The core functionality provided by Google is User and Device Management and Organizational Units. Network administrators can create an organizational structure and control which settings and policies must be applied to users and devices.

When a user logs in to these services with their Google credentials, their device MAC addresses is listed on the Google Device Management page and the administrator can then authorize or reject the device from connecting to the network. WatchGuard Wi-Fi Cloud can synchronize with your Google account to retrieve this list of authorized devices.

You must first configure Google Integration before you can enable Google Device Authorization. For more information, see Google Integration in Discover.

Configure Google Device Authorization

When you enable Google Device Authorization, an authorized device is allowed access to the network based on the SSID configuration. You can specify what action to perform if the associating device is not found in the authorized devices list:

• Disconnect the client device
• Assign a Role Profile to the client user with restrictions. For example, you can redirect the device to a portal that provides information about why access is denied and provide further instructions.

To enable Google Device Authorization in an SSID:

1. Select Configure > WiFi > SSID.
2. Select an SSID, or create a new SSID Profile.
3. Select the Access Control tab.
4. Select the Client Authentication check box.
5. Select Google Integration.
6. Select an action to take if the client authorization fails: Disconnect or Assign Role.
7. If you select Assign Role, from the Select Role drop-down list, select a role profile.

Only role profiles you have defined are listed here. If any Google OU rules are defined in the Role Based Control section of the SSID, then the OU of the authorized device is matched against the role names defined in the rule and the appropriate role is applied to the client device. For more information, see About Role Based Control.

8. Save the SSID configuration.