vSZ with Google Cloud Identity: LDAP or RADIUS

  • Question
  • Updated 3 months ago
  • Answered
We are using vSZ with WPA2 authentication, but we are also implementing Google Cloud Identity services. According to this post https://forums.ruckuswireless.com/ruckuswireless/topics/vsz-client-authentication-using-google-ldaps we cannot connect directly to vSZ.

So now I'm wondering: should I spin up a FreeRADIUS server on an IP address which authenticates via the Google LDAP (I've got the RADIUS part working via this container https://github.com/hacor/unifi-freeradius-ldap)?
Or should I spin up something like an LDAP proxy to Google on an IP address (never tried that)?

Is there a difference in performance?

Our vSZ is running on GCE. I'm also wondering whether I should run this RADIUS/LDAP proxy on our local network or on GCE, for performance reasons...

I hope somebody can help me with these decisions.

Kind regards, Wessel

Wessel Louwris


Posted 3 months ago


Diego Garcia del Rio

I still need to test it myself, but I think an LDAP proxy (to just add the certificate authentication that Google wants) is probably the easiest option. Google mentions the use of stunnel (https://support.google.com/a/answer/9089736#stunnel) as a proxy, but I'm not sure if vSZ as an LDAP client can be tweaked enough to make it work. I would run stunnel in GCE though, especially if you have SmartZone hosted in GCE as well. You can do the whole authentication over private Google IPs even.
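As an added illustration of the stunnel approach the reply suggests (this is example configuration written for this page, not a config from the thread, from Ruckus, or from Google's documentation), here is a minimal stunnel client-mode configuration that sits in front of Google Secure LDAP. stunnel opens the TLS session to ldap.google.com:636 and presents the client certificate that Google requires, so an LDAP client that cannot present a certificate itself (vSZ in the question) can speak plain LDAP to the local listener instead. The listener address, the certificate/key paths, the service name and the CA bundle path are assumptions to be adapted to your host; the listen port follows the 1636 convention Google's stunnel page uses.

```ini
; /etc/stunnel/google-ldap.conf   (added example; paths, address and port are assumptions)
; stunnel terminates TLS towards Google and presents the client certificate that
; Google Secure LDAP requires; the LDAP client (vSZ) talks cleartext LDAP to the
; listener below and never has to handle the certificate itself.
foreground = no
setuid = stunnel4
setgid = stunnel4

[google-ldap]
client = yes
; Bind only to the private interface vSZ can reach: the vSZ-to-stunnel leg is
; cleartext LDAP (bind credentials included), so it must stay inside the VPC
; and be restricted by firewall rules to the vSZ address(es).
accept = 10.0.0.5:1636
connect = ldap.google.com:636
; Client certificate and key downloaded from the Admin console for this LDAP
; client (assumed paths). Keep the key readable by the stunnel user only.
cert = /etc/stunnel/google-ldap-client.crt
key  = /etc/stunnel/google-ldap-client.key
; Verify the server end as well: check the chain against the system CA bundle
; and pin the expected hostname, so DNS or routing tampering cannot point the
; proxy (and every WPA2 login behind it) at a rogue LDAP server.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
```

To check the path before touching vSZ, bind through the listener from the stunnel host with something like `ldapsearch -x -H ldap://10.0.0.5:1636 -D <ldap-client-username> -W -b <your base DN> '(objectClass=*)'`, where the username and password are the access credentials Google generates for the LDAP client (the certificate alone does not authorise binds), and the base DN is the one shown for your domain in the Admin console. vSZ is then pointed at 10.0.0.5:1636 as a plain LDAP server with those same bind credentials. The same listener can also serve as the backend for a FreeRADIUS rlm_ldap setup, so the choice between the two options in the question is about what vSZ itself can be configured to speak, not about how Google is reached.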

Diego Garcia del Rio

Thanks for the link to the RADIUS-with-Google container though. I guess it can be quite useful in plenty of other situations!