Configure Google LDAP Authentication for Wireless Networks Access
Setting up Google LDAP authentication for an EnGenius Cloud AP involves the following steps:
Set up a Google LDAP server in Google Workspace and generate the certificate used for authentication between the AP and Google Workspace.
Configure Google LDAP authentication in the SSID profile, with WPA2/WPA3-Enterprise or Captive Portal.
Configure the Google LDAP profile on client devices.
The following sections describe the detailed instructions for each step.
The user needs a Google Account (Gmail) and a Google Workspace subscription with one of the following editions to set up an LDAP server: Business Plus, Enterprise, Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus.
To get started:
Sign in to the Google Admin console (https://admin.google.com) as an administrator.
Add LDAP clients
Go to Apps > LDAP
Click the Add Client field.
Type a name in the LDAP client name field, for example: EnGenius AP.
Click the Continue button
Configure access permissions for verifying user credentials.
Specify which organizational units and groups the EnGenius AP can access to verify user credentials. Choose "Entire domain" if no specific organization or group is required. (Note: changes to this setting can take up to 24 hours to take effect.)
Refer to https://support.google.com/a/answer/9058751
Generate a new certificate (used between the AP and Google Workspace).
Go to Apps > LDAP
Click the client in the list.
Click the Authentication card.
Click GENERATE NEW CERTIFICATE
Click Download to save the certificate file to the computer.
Record the username and password and store these credentials for later use; the AP configuration asks for them.
Create a firewall rule that allows the AP to query Google Secure LDAP: outgoing TCP traffic to port 636 of the hostname ldap.google.com.
An EnGenius Cloud AP can use a Google LDAP server as the authentication server for WPA2/WPA3-Enterprise or Captive Portal.
Log in to EnGenius Cloud (https://cloud.engenius.ai) and click the (hamxxxx) icon to select the network to configure.
Go to Configure > SSID and select a specific SSID name from the list.
From the Wireless tab, select WPA2 Enterprise as the Security Type.
Select Google LDAP for user authentication.
Enter configurations for the Google LDAP Server:
Enter the administrator credentials (account and password) for the Google LDAP server.
Base DN (optional): the starting point in the LDAP directory tree from which the AP searches for the user's credentials on the LDAP server. If the field is empty, the AP auto-detects the configuration from the Google LDAP server. Otherwise, set a Base DN string that matches the Google LDAP account (format: 'dc=xxx,dc=ooo').
Upload the Google certificate zip file generated when setting up the Google LDAP server.
Import an Authenticator Certificate (optional) for customized content and domain. (Note: this certificate is used between the access point and wireless client devices, as with 802.1X and a RADIUS server.)
Click the Apply button to save the SSID configuration.
Go to Configure > SSID and select a specific SSID name from the list.
From the Wireless tab, select Open as the Security Type.
From the Captive Portal tab, select Google LDAP for user authentication.
Enter configurations for the Google LDAP Server:
Enter the administrator credentials (account and password) for the Google LDAP server.
Base DN (optional): the starting point in the LDAP directory tree from which the AP searches for the user's credentials on the LDAP server. If the field is empty, the AP auto-detects the configuration from the Google LDAP server. Otherwise, set a Base DN string that matches the Google LDAP account (format: 'dc=xxx,dc=ooo').
Upload the Google certificate zip file generated when setting up the Google LDAP server.
Import an Authenticator Certificate (optional) for customized content and domain.
Click the Apply button to save the SSID configuration.
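To check a Base DN against the 'dc=xxx,dc=ooo' format described above, and to confirm from the AP's network that the outgoing TCP/636 path required by the firewall-rule step is open, here is an added Python example (not EnGenius or Google code). It assumes the Workspace primary domain maps to the Base DN by its DNS labels (example.edu becomes dc=example,dc=edu), reuses the page's sample login account@example.edu, and treats ldap.invalid as a placeholder for an unreachable host.

```python
import re
import socket
import ssl

LDAP_HOST = "ldap.google.com"  # Google Secure LDAP endpoint named in the firewall-rule step
LDAP_PORT = 636                 # LDAPS port named in the firewall-rule step

# One "dc=<label>" component; labels are DNS labels (letters, digits, inner hyphens).
_DC_RE = re.compile(r"^dc=[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def base_dn_for_domain(domain: str) -> str:
    """Build the 'dc=xxx,dc=ooo' Base DN for a Workspace domain: example.edu -> dc=example,dc=edu."""
    labels = [lab for lab in domain.strip().lower().rstrip(".").split(".") if lab]
    if len(labels) < 2 or not all(_DC_RE.match(f"dc={lab}") for lab in labels):
        raise ValueError(f"not a usable DNS domain: {domain!r}")
    return ",".join(f"dc={lab}" for lab in labels)

def base_dn_is_acceptable(base_dn: str) -> bool:
    """Empty means 'let the AP auto-detect'; otherwise only comma-separated dc= components are allowed."""
    if not base_dn.strip():
        return True
    return all(_DC_RE.match(part.strip()) for part in base_dn.split(","))

def account_matches_base_dn(account: str, base_dn: str) -> bool:
    """True if the domain of a login such as account@example.edu lies at or under the configured Base DN."""
    local, sep, domain = account.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"expected user@domain, got {account!r}")
    if not base_dn.strip():          # empty Base DN: the AP auto-detects, nothing to compare
        return True
    user_dn = base_dn_for_domain(domain)
    configured = ",".join(p.strip() for p in base_dn.lower().split(","))
    return user_dn == configured or user_dn.endswith("," + configured)

def check_ldaps_reachable(host: str = LDAP_HOST, port: int = LDAP_PORT, timeout: float = 5.0) -> dict:
    """Exercise the outbound TCP/636 firewall rule from the AP's network segment: open a TLS session
    and read the server certificate. Errors are returned, not raised, so the result can be logged."""
    ctx = ssl.create_default_context()  # verifies ldap.google.com's chain against the system roots
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result = {"ok": True, "tls": tls.version(), "not_after": cert.get("notAfter")}
        return result
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}

if __name__ == "__main__":
    print(base_dn_for_domain("example.edu"))  # dc=example,dc=edu
    print(check_ldaps_reachable())            # run on the AP's network to confirm the firewall rule
```

A result with "ok": False from check_ldaps_reachable on the AP's segment points at the firewall rule (or DNS for ldap.google.com) rather than at the SSID settings.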
Set up the LDAP profile on client devices
Some types of client devices (e.g., Android phones) may require installing a CA certificate (ca.pem) before they can authenticate with the Google LDAP server.
Note: the CA certificate for LDAP clients can be exported via the EnGenius Cloud GUI.
The LDAP client device scans for the EnGenius Wi-Fi SSID and connects to it.
The 802.1X page pops up and requests a username and password, e.g., account@example.edu.
If a certificate page pops up, click the Trust button.
For Android phones, the EAP method and Phase 2 authentication must be specified. Use the following settings:
EAP method: select EAP-TTLS.
EAP Phase 2 authentication: select PAP. (Note: if PAP is not supported on the client device, GTC is an alternative but may have compatibility issues on specific devices, e.g., Chromebook.)
Domain (optional): enter the corresponding domain shown in the EnGenius Cloud GUI, e.g., engenius.ai (the default).
CA certificate: choose Do not validate. (Google Nexus does not have this option; on those devices the certificate (ca.pem) must be installed.)