Manage networks

This article is for Chrome for Business and Education administrators.

The Chrome network settings in the Google Admin console configure Wi-Fi and VPN access for Chrome devices enrolled in your domain. To manage network settings:

  1. Sign in to the Admin console.
  2. Click Device management > Chrome management > Network.

Add a VPN configuration

  1. Choose For Users. (For security reasons, you cannot choose For Devices when configuring VPN.)
  2. Select the appropriate organization from the provided list.
  3. Click Add VPN. The Add VPN network dialog appears.
  4. In the Name field, create a name for this VPN network entry.
  5. In the Remote host field, enter the IP address or the full server hostname of the server that provides access to the VPN.
  6. Specify the VPN type, either L2TP over IPsec with Pre-Shared Key or OpenVPN.
    The Admin console can only push limited OpenVPN configurations. For example, it can't push configurations for OpenVPN networks with TLS authentication.
  7. If the VPN type is L2TP over IPsec with Pre-Shared Key, provide the following:
    Field Description
    Pre-shared key The passphrase or key used to connect to the VPN. Not required for OpenVPN.
    Username Username for connecting to the VPN. Supports username variables.
    Password The password for the given username. If you're using a username variable, leave this field blank.
  8. If the VPN type is OpenVPN, provide the following:
    Field Description
    Remote host port The port to use when connecting to the remote host (optional).
    Protocol The protocol to use for VPN traffic.
    Server certificate authority Defines which authorities to allow when authenticating the certificate provided by the network connection.

    Choose from your uploaded certificates, or select Add new certificate to upload a new certificate authority in X.509 PEM format. Learn more about managing your certificates.
    Use client enrollment URL Check this box if the server requires client certificates. If checked, provide the enrollment URL, along with one or more of the following values for Issuer pattern and/or Subject pattern:
    • Common name
    • Locality
    • Organization
    • Organizational unit

    Each value you specify must exactly match the respective value in the certificate in order for the certificate to be used. For example, the common name in the issuer pattern field must be the same as the client common name.

    Your server should provide the certificate with the HTML5 keygen tag.

    Username The OpenVPN username. Supports username variables. Leave this blank to require individual user credentials at login.
    Password The OpenVPN password. Leave this blank to require individual user credentials at login.
  9. In the Proxy settings field, specify the proxy configuration for your VPN.
    • If your VPN doesn't use a proxy, choose Direct Internet Connection.
    • If your network provides a URL for automatic proxy configuration, choose Automatic Proxy Configuration and provide the URL.
    • To provide the proxy information manually, choose Manual Proxy Configuration.
  10. Click Save to close the dialog.
  11. Click Save changes. Your VPN configuration appears in the list under Settings.

    You can delete a VPN configuration from the list by mousing over it and clicking Revert. Then click Save changes.

Add a Wi-Fi configuration

We recommend you set up at least one wireless network For Devices at the top organizational level in your domain and select it to Automatically connect. This ensures that the Chrome device can access this Wi-Fi network at the sign in screen.
  1. Choose For Devices so that the Wi-Fi network can be accessed by all users of the device.
    • Optionally, you can set up additional networks For Users if the Wi-Fi network should be accessed only by specific users (not guests), or organizations in your domain.
  2. Click Add Wi-Fi. The Add Wi-Fi network dialog appears.
  3. Provide the following information:
    Field Description
    Name The name of this Wi-Fi network entry. This field is for your reference and does not have to match the network's SSID.
    Service set identifier (SSID) The Wi-Fi network's SSID. This is the name that a network broadcasts to identify itself, and that computers use to join it. Note that SSIDs are case-sensitive.
    This SSID is not broadcast Check this box if your network does not broadcast its SSID.
    Automatically connect Check this box if Chrome devices should automatically connect to this wireless network when it's available.
    Security type The security method used by your network.
    • If you select WEP (insecure) or WPA, enter your network's security passphrase.
    • If you select WPA Enterprise (802.1X), specify the additional fields described in step 5.
    • Select None if you do not use a security method.
    Passphrase Your network's security passphrase. Required only for WEP (insecure) and WPA security types.
    Proxy settings The proxy configuration for your network.
    • Choose Direct Internet Connection if your network doesn't use a proxy.
    • Choose Automatic Proxy Configuration if your network provides a URL for automatic proxy configuration. Then enter the URL in the appropriate field.
    • Choose Manual Proxy Configuration to enter the proxy information manually.
  4. If your network's security type is WPA Enterprise (802.1X), specify the following additional information:
    Field Description
    Extensible Authentication Protocol Your network's Extensible Authentication Protocol.
    • EAP-TTLS
    • LEAP
    • PEAP
    • EAP-TLS (only available if you select By Organization for the Wi-Fi network)
    Inner Protocol The protocol to use for the secure connection. Automatic works for most setups. Not required for LEAP or EAP-TLS.
    Outer Identity The user identity presented to the network's outer protocol. Supports username variables. Not required for LEAP.
    Username The username for administering the network. Supports username variables.
    Password The password for the given Username. If you're using a username variable, leave this field blank. Not required for EAP-TLS.
    Server Certificate Authority Defines which authorities to allow when authenticating the certificate provided by the network connection. Not required for LEAP.
    • Use any default Certificate Authority allows a certificate only if it has a chain of trust to one of Chrome's default certificate authorities
    • Do not check (insecure) allows any certificate
    Select Add new certificate to upload your own certificate authority in X.509 PEM format, or choose from certificates you've already uploaded (these options are only available if you select By Organization for the Wi-Fi network). Learn more about managing your certificates.
    Client enrollment URL The URL used to fetch a client certificate if no valid certificate information is provided. Required only for EAP-TLS networks.

    Provide one or more of the following values for Issuer pattern and/or Subject pattern:
    • Common name
    • Locality
    • Organization
    • Organizational unit

    Each value you specify must exactly match the respective value in the certificate in order for the certificate to be used. For example, the common name in the issuer pattern field must be the same as the client common name.

    Your server should provide the certificate with the HTML5 keygen tag.

  5. Click Save to close the dialog.
  6. Click Save changes. Your network configuration appears in the list under Settings.

    To delete a network configuration from the list, hover over it and click Revert.

Add an Ethernet configuration

The ethernet settings you can configure are a subset of the Wi-Fi settings above. Please refer to "Add a Wi-Fi configuration" for details on how to configure ethernet.

Username variables

Your Chrome devices can automatically try to connect to a secure network with the username or full email address of the currently logged-in user. Your users then only need to provide their password to authenticate. To use this feature, specify one of the following variables in the Username and/or Outer identity fields during configuration:
Variable Description
${LOGIN_ID} Expands to the current user's username, e.g., "jsmith".
${LOGIN_EMAIL} Expands to the current user's full email address, e.g., "jsmith@your_domain.com".

Manage certificates

After you set up a Wi-Fi network or VPN, you can manage certificates associated with the network. From Device management > Chrome management > Network > For Users, click Manage Certificates to see your uploaded certificates. You can add new certificates that are in X.509 PEM format, and delete certificates your networks don't use.

For more information about deploying WiFi and networking for Chromebooks, including setting up SSL content filters, see Enterprise networking for Chrome devices.