LDAP’s importance cannot be denied. As a protocol, it has greatly simplified the directory search process. Unfortunately, as time goes on, LDAP has begun to grow outdated, especially given its association with on-premises hardware and legacy systems. This is why many providers have tried to revamp the old protocol to keep it up to today’s standards, such as with Google Secure LDAP.
One of LDAP’s historic uses has been to authenticate users. Can Google Secure LDAP be used in a similar manner for Wi-Fi? Our mission in this article is to explore whether Google Secure LDAP can be used for Wi-Fi authentication and how it works.
What is Google Secure LDAP?
Let’s start our exploration by introducing you to Google Secure LDAP. Lightweight Directory Access Protocol (aka LDAP) is a protocol designed for rapid directory queries. It can search for information regarding users and credentials, which is why it has been frequently used for providing authentication and authorization.
The easiest way to picture all this is to imagine a library. If the library is the directory of user and device information, then LDAP is your trusty, speedy librarian. When a resource wants to confirm that a user should have access to it, the LDAP librarian is able to quickly dive into the LDAP server library, locate information on the user, and present it in an understandable format.
If this sounds convenient and easy, that’s because it is! But LDAP, despite its usefulness, is not without its flaws. In a rapidly changing cybersecurity landscape, it simply isn’t very secure anymore. That’s why certain providers like Google have designed more secure iterations, such as Google Secure LDAP.
Instead of sending credentials in a clear text format like traditional LDAP, Google Secure LDAP uses encryption through certificates to protect your information. Google Secure LDAP also breaks away from the tradition of on-prem LDAP servers by using a powerful cloud-based server instead. As a result, users have access to it from anywhere, and Google Secure LDAP integration works with any of your LDAP-compatible applications.
Google Secure LDAP and Your Wi-Fi
We’ll answer the question posed at the beginning of this article first: yes, Google Secure LDAP can be used for Wi-Fi authentication. It has all the same functionality as the LDAP that so many people have grown accustomed to using.
How it works is fairly simple. Picture a path that ends at Wi-Fi access; Google Secure LDAP sits somewhere in the middle, like a gate that is unlocked only after authentication. You’d likely have a RADIUS server authenticate for you; the RADIUS server would communicate with an LDAP server, which in turn would communicate with Google Identity.
Once your identity has been confirmed, the RADIUS server sends an Access-Accept back to you, and you are granted access to the Wi-Fi network. See the above graphic for a visual illustration of what we’re describing.
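As an added example (not from the original post or SecureW2), this is how the RADIUS-to-LDAP hop in the flow above looks in FreeRADIUS's rlm_ldap module, with the cleartext setting traditional LDAP relies on beside the LDAPS-plus-client-certificate setting Google Secure LDAP requires. The endpoint ldap.google.com:636, the base DN, the file paths and the bind credentials are assumptions or placeholders, not values from the page.

```conf
# Added example: FreeRADIUS 3.x mods-available/ldap fragment (not from the post).
# Two named instances of the RADIUS -> LDAP hop; the first exists only for contrast.

# --- Weak: traditional LDAP. Bind password, user lookups and any PAP
#     password check all cross the network in cleartext. ---
ldap cleartext_example {
	server = 'ldap://ldap.example.internal:389'     # assumed on-prem host
	identity = 'cn=radius,dc=example,dc=com'
	password = 'plain-text-bind-password'           # readable by anyone on the path
	base_dn = 'dc=example,dc=com'
	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	tls {
		start_tls = no                              # no STARTTLS and no LDAPS
	}
}

# --- Corrected: Google Secure LDAP. TLS on port 636, and the client
#     certificate issued in the Google Admin console identifies this RADIUS
#     server to Google before any directory query is sent. ---
ldap google_secure_ldap {
	# Assumption: Google's published Secure LDAP endpoint.
	server = 'ldaps://ldap.google.com:636'
	# Google can also issue per-client access credentials; with LDAPS they
	# only ever travel inside the TLS session. Placeholders below.
	identity = 'CLIENT-ACCESS-USERNAME'
	password = 'CLIENT-ACCESS-PASSWORD'
	base_dn = 'dc=example,dc=com'                   # assumed: your domain written as a DN
	user {
		base_dn = "ou=Users,${..base_dn}"           # assumed: Google's Users OU
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	tls {
		start_tls = no                              # already LDAPS, STARTTLS is not used
		ca_file = /etc/ssl/certs/ca-certificates.crt          # assumed distro CA bundle
		certificate_file = /etc/freeradius/certs/google-ldap-client.crt   # assumed path
		private_key_file = /etc/freeradius/certs/google-ldap-client.key   # assumed path
		require_cert = 'demand'                     # refuse the hop if Google's cert fails validation
	}
}
```

With `require_cert = 'demand'` and a client certificate configured, a misconfigured or spoofed LDAP endpoint fails the TLS handshake and the RADIUS server never sends a user lookup to it.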
The problem with this setup is that it takes more steps than it has to. Additionally, you’d need to pay for Google’s premium identity service, which can be costly.
Google Secure LDAP vs RADIUS: What’s the Difference?
Since Google Secure LDAP and RADIUS can both be used for authentication purposes, it’s natural to have questions about what the difference is between them and which is the superior authentication method.
In short, a RADIUS server essentially works like a bouncer standing at the gate of your network. If you’re using certificate-based authentication, the RADIUS server will quickly confirm whether the certificate is valid and reject or accept the user accordingly. RADIUS can also check user credentials by cross-referencing an Identity Provider (IdP) such as Azure, Okta, or Google at the moment of authentication. SecureW2’s Cloud RADIUS even supports identity lookup, which makes it possible for the RADIUS server to check an IdP during certificate-based authentication.
Basic LDAP and RADIUS have quite a few differences. For instance, LDAP uses insecure, credential-based authentication, while RADIUS can work with credentials or certificates. RADIUS, unlike traditional LDAP, can also be cloud-based as opposed to on-prem, which makes it much more scalable.
Google Secure LDAP solves these flaws with LDAP. Although it can still integrate with LDAP-compatible applications that utilize credentials, it normally uses certificates. It also utilizes cloud-based LDAP servers. Your LDAP applications and infrastructure can either be on-prem or cloud-based while using Google Secure LDAP.
There’s no reason you couldn’t use Google Secure LDAP and RADIUS together, though. The real question here is whether you should do so.
Should I Be Using Google Secure LDAP?
Google Secure LDAP is unquestionably a step up from its predecessor, LDAP – especially with its certificate-based authentication and cloud-based LDAP server. Even so, there are some noteworthy disadvantages to it.
One disadvantage is that it can only be used with LDAP-compatible applications. While LDAP is still a fairly common protocol these days, more and more applications are moving away from it in favor of more secure alternatives. This means that even Google Secure LDAP may not be as viable in the long run.
Another flaw is that even though Google Secure LDAP can be used with certificates for added security, many LDAP clients will still require you to use both certificates and credentials. Credentials are demonstrably less secure.
Using Google Secure LDAP also requires you to pay for the premium LDAP server. This can be expensive. What’s more, as you can see in our illustration above, the LDAP server simply adds another step to the authentication process that doesn’t need to be there. You don’t need to add an LDAP server to the mix – you can tie your Google identities directly to your Wi-Fi authentication, which our Cloud RADIUS enables.
The way it works is through a protocol called Security Assertion Markup Language (SAML). Unlike LDAP, SAML was designed from the ground up for a cloud-based environment.
You’ll get a range of benefits by switching to SAML. Because it was designed for the cloud, it’s more viable in the long-term. It can also be used to configure easy, secure Single Sign-On (SSO). Furthermore, it pairs well with RADIUS servers like our Cloud RADIUS for improved, user-friendly authentication.
Without LDAP, there’s no need to use an additional LDAP server. This cuts an unnecessary step out of the authentication process and can save you the cost involved with paying for the Google Secure LDAP server.
SAML is Superior to Secure LDAP
If you’re using LDAP-compatible applications, Google Secure LDAP isn’t necessarily a bad idea. After all, it does make some much-needed improvements to the protocol, including cloud-based servers and the usage of certificates.
At the end of the day, SAML is simply more viable long-term. It was specifically created to be used in an increasingly cloud-based environment. Regardless of whether you use LDAP or SAML, however, SecureW2’s RADIUS is a no-brainer.
Our RADIUS works with LDAP, secure LDAP, and SAML, increasing the integrity of your authentication by verifying credentials or certificates. Read more about how one of our customers made the leap to Cloud RADIUS on their journey to certificate-based authentication.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Amanda Tucker. Read the original post at: https://www.securew2.com/blog/can-i-use-google-secure-ldap-for-wi-fi