01-25-2021 07:23 AM
When starting from scratch which would you all prefer? LDAP or radius
01-25-2021 07:48 AM
LDAP as defined in WiFi is insecure, don't use it -- it is mainly MAC authorisation after initial authentication.
01-25-2021 08:09 AM
Would you use Windows NPS or another? For background, the system we use now is Enterasys from when I stepped into this role. We currently use a NAC-based RADIUS. I have not set up a RADIUS server, and my CIO asked why we don't just use LDAP. I am trying to provide him with the information he may need to make a decision.
We have several Ruckus external APs I have configured. We have system-wide Ruckus switches on SZ ver. 5.2 and are looking to swap our wireless to Ruckus later this year or first of next year.
01-25-2021 01:05 PM
@tommy_nelson Windows NPS is nice because it is simple and interfaces with Active Directory, but it requires a full GUI install of Windows Server. Personally, I like Active Directory on Windows Core: more secure and faster updates. I use FreeRADIUS instead with LDAPS. Works great and no license to worry about, although it is a bit of a pain to set up fully.
01-26-2021 12:18 AM
LDAP isn't a bad protocol in itself. The problem is that it was never included in the WiFi certification specification, as RADIUS was. So any WiFi system supports the RADIUS protocol for authentication directly, and RADIUS has a lot of options to do all you need, but no WiFi equipment directly supports LDAP in the same way. The LDAP authorization option some WiFi systems have is nothing more than basic user authentication from LDAP with whitelisting of their MAC, which is secure enough for guest networking really.
Theoretically, you could do the same things with LDAP as with RADIUS; the problem is that support for LDAP functions is not built into WiFi systems. So the only real way is to use something (as mentioned by Tommi Nelson, FreeRADIUS, for example) to convert the LDAP connection to MS AD into a RADIUS connection to the WiFi system.
Windows NPS is the MS realization of that -- a RADIUS server which is an interface to the MS AD domain database. It is a basic realization, but it comes with any Windows Server system for free and covers the basic need -- so NPS is one of the most popular RADIUS servers in corporate networks based on AD.
So, if you already have MS AD in your network and you just need to authorize WiFi users from MS AD, the easiest way is to use NPS. It is simple, free, and enough for most standard use cases. Any other way with LDAP will for sure be more complicated. Using FreeRADIUS you may have more features, but if you don't need anything beyond basic authentication, I would keep it simple. Even though I don't like to use any MS products if I can help it, this is really the way to go, as long as you have MS AD in use...
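The "FreeRADIUS in front of AD over LDAPS" setup that the two posts above describe, written out as a concrete configuration. This is an added example, not a config from any poster or from the Ruckus or FreeRADIUS projects; it follows the FreeRADIUS 3.x `raddb` layout, and the DC hostname, service-account DN, CA file path, controller address and secrets are placeholders to be replaced.

```text
# /etc/raddb/mods-available/ldap   (FreeRADIUS 3.x; symlink into mods-enabled/)
ldap {
    # LDAPS (636) to the domain controller. Plain ldap:// on 389 would send the
    # service-account bind password and every user password check in cleartext.
    server = 'ldaps://dc1.example.local'      # placeholder hostname
    port = 636

    # Low-privilege account used only to search the directory (placeholder DN).
    # It needs read access to user and group objects, nothing more.
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=local'
    password = 'CHANGE-ME'

    base_dn = 'DC=example,DC=local'

    user {
        base_dn = "${..base_dn}"
        # Look users up by sAMAccountName so they log in with the plain AD username.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        # AD exposes group membership on the user object via memberOf.
        membership_attribute = 'memberOf'
    }

    tls {
        # Root CA that issued the DC's certificate (placeholder path).
        ca_file = /etc/raddb/certs/ad-root-ca.pem
        # 'demand' makes FreeRADIUS reject a DC whose certificate does not
        # validate; 'never' would leave the LDAPS channel open to interception.
        require_cert = 'demand'
    }
}

# /etc/raddb/clients.conf -- one entry per AP or controller allowed to send
# RADIUS to this server. Anything not listed here is dropped.
client smartzone {
    ipaddr   = 192.0.2.10                     # placeholder controller address
    secret   = 'CHANGE-ME-long-random-shared-secret'
    nas_type = other
}
```

The `ldap` module also has to be enabled in the `authorize` and `authenticate` sections of `sites-enabled/default` (the stock file ships the relevant lines commented out). One caveat that is the "bit of a pain" mentioned above: with AD reached only over LDAP, FreeRADIUS can verify a password only by binding to the directory as that user (`Auth-Type LDAP`), which suits EAP-TTLS/PAP but not PEAP/MSCHAPv2, because AD does not release NT password hashes over LDAP; MSCHAPv2 against AD is normally done through `ntlm_auth` with Samba/winbind instead. A local check before pointing any AP at the server is `radtest -t pap someuser 'password' 127.0.0.1 0 testing123`, using the default `localhost` client secret from `clients.conf`.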