
Thu, Apr 9, 2020 10:14 PM

Answered

vsz with google cloud identity: ldap or radius

We are using vSZ with WPA2 authentication, but we are also implementing Google Cloud Identity services. According to this post https://forums.ruckuswireless.com/ruckuswireless/topics/vsz-client-authentication-using-google-ldaps we cannot connect directly to vSZ.

So now I'm wondering: should I spin up a FreeRADIUS server on an IP address which authenticates via the Google LDAP (I've got the RADIUS part working via this container https://github.com/hacor/unifi-freeradius-ldap)?
Or should I spin up something like an LDAP proxy to Google on an IP address (never tried that)?

Is there a difference in performance?

Our vSZ is running on GCE. I'm also wondering if I should run this RADIUS/LDAP proxy on our local network or on GCE for performance reasons...

I hope somebody can help me with these decisions.

Kind regards, Wessel 

Responses


8 months ago

I still need to test it myself, but I think an LDAP proxy (to just add the certificate authentication that Google wants) is probably the easiest option. Google mentions the use of stunnel (https://support.google.com/a/answer/9089736#stunnel) as a proxy, but I'm not sure if vSZ as an LDAP client can be tweaked enough to make it work. I would run stunnel in GCE though, especially if you have SmartZone hosted in GCE as well. You can do the whole authentication over private Google IPs even.
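The stunnel approach described in this reply, and the "LDAP proxy" option raised in the question, as an added example that is not part of either post and not taken from Google's or Ruckus's documentation: stunnel runs in client mode, listens on a private address for plain LDAP from vSZ, and opens the outbound TLS session to Google Secure LDAP presenting the client certificate that Google issues for the LDAP client. The listen address 10.0.0.5:389, the certificate and key paths, and the CA bundle path are assumptions; ldap.google.com:636 is Google's published Secure LDAP endpoint.

```ini
; /etc/stunnel/google-ldap.conf  (assumed path)
; Runs as a TLS client: plain LDAP in from vSZ, LDAPS out to Google.
foreground = no
pid = /var/run/stunnel-google-ldap.pid
setuid = stunnel4
setgid = stunnel4

; Keep the cleartext leg off any routable interface: vSZ reaches this
; listener over the VPC's private network only (address is an assumption).
[google-ldap]
client = yes
accept = 10.0.0.5:389
connect = ldap.google.com:636

; Client certificate and key downloaded from the Google Admin console
; for this LDAP client (paths are assumptions).
cert = /etc/stunnel/google-ldap-client.crt
key  = /etc/stunnel/google-ldap-client.key

; Verify Google's server certificate chain and hostname so a spoofed
; endpoint cannot harvest bind credentials relayed through the proxy.
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = ldap.google.com
```

In vSZ the LDAP/AD server entry then points at 10.0.0.5 port 389 without TLS, and the bind DN and password are the access credentials Google generates for the same LDAP client. Two checks worth running before wiring it into the WLAN: confirm the listener is only reachable from the vSZ subnet (firewall rule plus the bound address above), and verify the chain with a manual bind from the stunnel host, for example `ldapsearch -x -H ldap://10.0.0.5 -D "<bind user>" -W -b "dc=example,dc=com" "(mail=user@example.com)"` (placeholder values). Running stunnel in the same VPC as the hosted vSZ, as the reply suggests, keeps the unencrypted hop on private addressing and off the site-to-cloud link.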


8 months ago

Thanks for the link to the RADIUS-with-Google container though. I guess it can be quite useful in plenty of other situations!