# Advanced Guide: LDAP Authentication on Ruckus vSZ via Azure AD Domain Services (Azure AD DS)

Since **Ruckus Virtual SmartZone (vSZ) does not support SAML authentication** for admin logins, you must use **Azure AD Domain Services (Azure AD DS)** to provide an LDAP interface that vSZ can authenticate against.

Below is a more detailed breakdown, including user group mappings and troubleshooting.

---

### **1. Configure Azure AD Domain Services (Azure AD DS) for LDAP**

#### **Step 1: Enable Azure AD DS**

1. **Log in to Azure Portal**.
2. **Go to "Azure AD Domain Services" (AAD DS)** and create a **managed domain**:
    
    
    - Set the **DNS domain name** (e.g., `corp.yourcompany.local`).
    - Choose a **resource group** and **region**.
    - Select an **Azure Virtual Network (VNet)** (Ensure vSZ can reach this network).
3. **Synchronize Users from Azure AD to Azure AD DS**:
    
    
    - Azure AD DS automatically synchronizes users and groups from Azure AD.
    - Users must have **Kerberos and NTLM authentication enabled** (this is automatic for synced users).

#### **Step 2: Enable Secure LDAP (LDAPS)**

1. **Enable Secure LDAP** under **Azure AD DS > Properties**.
2. **Download and install the SSL certificate** for LDAPS.
3. **Allow LDAP over SSL (TCP 636)** through your **Network Security Group (NSG)**.

#### **Step 3: Verify LDAP Access**

1. Run the following command from a machine that can reach Azure AD DS:
    
    <div class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"><div class="sticky top-9"></div><div class="overflow-y-auto p-4" dir="ltr">`ldp.exe`</div></div>
2. Connect to **`yourdomain.local`** on **port 636**.
3. Bind using an Azure AD DS **admin account**.
4. If successful, LDAP is ready.

---

### **2. Configure LDAP Authentication on Ruckus vSZ**

#### **Step 1: Add an LDAP Server**

1. **Log in to vSZ Web UI**.
2. Navigate to **Administration &gt; AAA Servers**.
3. Click **Create** and select **LDAP**.
4. Fill in the LDAP server details:
    
    
    - **Server Address**: Enter the **IP Address of Azure AD DS**.
    - **Port**: `636` (for LDAPS).
    - **Bind DN**: A service account in Azure AD DS, e.g.: <div class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"><div class="sticky top-9"></div><div class="overflow-y-auto p-4" dir="ltr">`<span class="hljs-attr">cn</span>=admin,ou=Users,dc=yourcompany,dc=local`</div></div>
    - **Password**: The service account's password.
    - **Base DN**: The starting point for LDAP searches, e.g.: <div class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"><div class="sticky top-9"></div><div class="overflow-y-auto p-4" dir="ltr">`<span class="hljs-attr">dc</span>=yourcompany,dc=local`</div></div>
    - **User Attribute**: `sAMAccountName`
    - **SSL**: **Enable LDAPS**
    - **Certificate**: Upload the LDAPS certificate from Azure AD DS.
5. **Click Test Connection** to verify authentication.

---

### **3. Configure User Group Mappings**

Since Azure AD DS syncs groups from Azure AD, you can **map LDAP groups to Ruckus admin roles**.

#### **Step 1: Find LDAP Group DNs**

1. Run **`ldp.exe`** and connect to Azure AD DS.
2. Browse to **OU=Groups** to locate the full **Distinguished Name (DN)** of groups, e.g.: <div class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"><div class="sticky top-9"></div><div class="overflow-y-auto p-4" dir="ltr">`<span class="hljs-attr">cn</span>=WiFiAdmins,ou=Groups,dc=yourcompany,dc=local`</div></div>

#### **Step 2: Assign LDAP Groups in vSZ**

1. **Go to "Administration &gt; Users &amp; Roles"**.
2. **Create a new User Group**.
3. **Select "Authentication Type: LDAP"**.
4. **Enter Group DN**, e.g.:
    
    <div class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"><div class="sticky top-9"></div><div class="overflow-y-auto p-4" dir="ltr">`<span class="hljs-attr">cn</span>=WiFiAdmins,ou=Groups,dc=yourcompany,dc=local`</div></div>
5. Assign appropriate **permissions (e.g., System Admin, Read-Only Admin, etc.)**.
6. **Save and Apply**.

---

### **4. Troubleshooting LDAP Authentication on vSZ**

#### **Issue 1: LDAP Connection Fails**

- **Check firewall rules:** Allow **TCP 636** from vSZ to **Azure AD DS**.
- **Verify LDAPS certificate:** Upload it again if necessary.
- **Ensure service account has permissions** to query LDAP.

#### **Issue 2: Users Cannot Log In**

- **Confirm correct Base DN:** Run `ldp.exe` to verify the correct structure.
- **Ensure correct user attribute (`sAMAccountName`)** in vSZ settings.
- **Try logging in with UPN (`user@yourdomain.com`)** instead of the username.

#### **Issue 3: Group Mappings Do Not Work**

- Use **full group DN** (not just the group name).
- Ensure users are in the **correct group** in Azure AD DS.
- Run `ldapsearch` to manually verify group membership.

---

### **Final Thoughts**

Using **Azure AD DS with LDAPS** is the best way to integrate Azure authentication with **Ruckus Virtual SmartZone (vSZ)**. With proper **LDAP configuration and group mappings**, you can ensure **secure authentication** and centralized management.