So now I'm wondering: should I spin up a FreeRADIUS server on an IP address which authenticates via Google LDAP (I've got the RADIUS part working via this container https://github.com/hacor/unifi-freeradius-ldap), or should I spin up something like an LDAP proxy to Google on an IP address (never tried that)?
Is there a difference in performance?
Our vSZ is running on GCE. I'm also wondering if I should run this RADIUS/LDAP proxy on our local network or on GCE for performance reasons...
I still need to test it myself, but I think an LDAP proxy (to just add the certificate authentication that Google wants) is probably the easiest option. Google mentions the use of stunnel (https://support.google.com/a/answer/9089736#stunnel) as a proxy, but I'm not sure if vSZ as an LDAP client can be tweaked enough to make it work. I would run stunnel in GCE though, especially if you have SmartZone hosted in GCE as well. You can do the whole authentication over private Google IPs even.
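What the stunnel proxy described in the reply above looks like as a configuration, written here as an added example rather than taken from the thread or from Google's page; it assumes stunnel 5.x, that the client certificate and key issued for the Secure LDAP client are stored at the paths shown, and that 10.0.0.5 is a private address in the same VPC that only the vSZ can reach:

```ini
; stunnel.conf (added example): the vSZ speaks plain LDAP to this listener,
; stunnel adds TLS plus the client certificate Google Secure LDAP requires.
; Paths, the listen address and the service name are assumptions for this example.

[google-secure-ldap]
client = yes

; Listen only on the private address the vSZ uses. This hop is plaintext,
; so never bind it to a public interface.
accept = 10.0.0.5:1636

; Google Secure LDAP endpoint (TLS with client certificate authentication)
connect = ldap.google.com:636

; Client certificate and key downloaded from the Admin console for this LDAP client
cert = /etc/stunnel/google-ldap-client.crt
key  = /etc/stunnel/google-ldap-client.key

; Verify Google's server certificate against the system CA bundle and check
; the hostname, so the bind credentials are never sent to a spoofed endpoint.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = ldap.google.com
```

On the vSZ side the AAA server is then configured as plain LDAP against 10.0.0.5 port 1636, binding with the access credentials (username and password) generated for the Secure LDAP client rather than a user's own account; restrict the GCE firewall so only the vSZ instance can reach port 1636.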