20250907

projects/gg/20250806-network.md

@@ -0,0 +1,4 @@
+
+
+## Subnets
+

projects/gg/avahi_mdns-reflector/new-nets/20250813-main.md

@@ -0,0 +1,10 @@
+
+## Networks
+
+- gg-lehrer, VLAN: 110, 10.10.115.254/22 (255.255.252.0)
+- gg-lehrer_byod, VLAN: 120: 10.10.120.254/24 (255.255.255.0)
+- gg-schueler-pc, VLAN: 125, 10.10.125.254/24 (255.255.255.0)
+- gg-schueler_byod: VLAN: 130, 10.10.135.254/22 (255.255.252.0)
+- gg-schueler_mdm, VLAN: 140, 10.10.143.254/22 (255.255.252.0)
+- gg-apple, VLAN: 150, 10.10.150.254/24 (255.255.255.0)
+- gg-beamer, VLAN: 155, 10.10.155.254/255.255.255.0

projects/gg/freeradius/20250725_init.md

@@ -0,0 +1,40 @@
+
+## Now
+
+- Probably MS Radius Server. -> Network Policy Server on gg-srv-pd-app-01
+
+![[Pasted image 20250727185114.png]]
+- eap type: secured peap (proprietary?)
+- mschapv2 as second next
+
+## TODO
+
+- [x] ruckus network config
+- [x] network config
+- [x] Ruckus filter via username (identity + group). If user already connected with one device do not allow other device. Measure time -> next 8 hours device is connected and can not connect with other device
+- [x] test authentication with user not being in ldap group
+- [ ] Restrict user login to only one device at a time
+- [ ] Auto logout after 8h
+
+## Notes
+
+- MS AD makes things complicated
+- RADIUS does not get 'good password' from AD which it needs
+
+## Questions
+
+- Which authorization and authentication methods do the iPads use?
+- How should the system behave when the same user connects with different devices?
+- Do we track the used devices?
+- Are rules applied depending on the user or/and on the device?
+
+## Resources 
+
+- [ruckus radius attributes](https://docs.commscope.com/bundle/fastiron-10010-securityguide/page/GUID-15CBE7F1-4898-4311-8A4E-28ED2268BD86.html)
+- <https://www.golinuxcloud.com/configure-freeradius-pap-chap-authentication/>
+- <https://www.freeradius.org/documentation/freeradius-server/3.2.8/concepts/modules/ldap/authentication.html>
+- <https://www.inkbridgenetworks.com/blog/blog-10/how-to-connect-freeradius-to-active-directory-for-authentication-105>
+- <https://www.inkbridgenetworks.com/blog/blog-10/can-you-use-freeradius-and-active-directory-together-121>
+- <https://cloudinfrastructureservices.co.uk/setup-freeradius-active-directory-authentication-integration/>
+- <https://nbailey.ca/post/peap-freeradius/>
+

projects/gg/freeradius/20250726-setup_for_byod.md

@@ -0,0 +1,137 @@
+
+### **FreeRADIUS Setup for Student Network Access (IPv4-Only)**  
+**Context:**  
+- **FreeRADIUS Server IP:** `172.16.2.5`  
+- **AD Server IP:** `172.16.2.10`  
+- **Student VLAN:** `10.10.135.254/22` (ensure this VLAN is isolated and routed to the RADIUS server).  
+- **Goal:**  
+  - Students authenticate via AD.  
+  - Prevent multiple devices per user (same credentials) from connecting.  
+  - Track connected devices per user.  
+
+---
+
+### **1. FreeRADIUS Configuration (Key Sections)**  
+#### **A. LDAP Authentication to AD**  
+Edit `/etc/freeradius/3.0/sites-enabled/inner-tunnel` (or `default`):  
+```ini
+ldap {
+    server = "172.16.2.10"  # AD Server IP  
+    base_dn = "DC=example,DC=com"  # Replace with your domain  
+    bind_dn = "CN=radius,OU=ServiceAccounts,DC=example,DC=com"  # AD service account  
+    bind_password = "your_ad_password"  # AD service account password  
+    ldap_filter = "(sAMAccountName=%{User-Name})"  # Query for user  
+    timeout = 5  
+    retry = 3  
+    start_tls = no  
+}
+```
+- **Note:** Ensure the AD service account has read access to user attributes (e.g., `sAMAccountName`, `userPrincipalName`).  
+
+---
+
+#### **B. Prevent Multiple Devices per User**  
+Use the `Limit` directive to enforce **1 session per user**:  
+```ini
+authorize {
+    ...
+    Limit-User-Name {
+        max = 1  # Max 1 session per user  
+        reject  # Reject if limit is exceeded  
+    }
+}
+```
+- **How it works:**  
+  - The `Limit` directive checks the `User-Name` attribute.  
+  - If a user is already logged in, the second request is rejected.  
+- **Limitations:**  
+  - Requires **persistent session tracking** (e.g., a database or file).  
+  - FreeRADIUS itself does not natively track active sessions.  
+
+#### **C. Track Connected Devices (Optional)**  
+If you need to **track devices per user**, use a **database** (e.g., MySQL, PostgreSQL) or a **file** to store active sessions. Example:  
+```ini
+authorize {
+    ...
+    if (User-Name == "student1") {
+        update {
+            User-Name := "student1"
+            Framed-IP-Address := "%{Framed-IP-Address}"
+            Calling-Station-Id := "%{Calling-Station-Id}"
+        }
+    }
+}
+```
+- **Store this data in a database** to check for duplicates.  
+- Use `radacct` for accounting records (requires `accounting` section).  
+
+---
+
+### **2. VLAN Configuration (Network Layer)**  
+Ensure the **student VLAN** (`10.10.135.254/22`) is properly routed to the RADIUS server:  
+- **NAS (Network Access Server):**  
+  - Configure the NAS to send the **`Framed-Interface-Id`** (VLAN ID) in the RADIUS request.  
+  - Example:  
+    ```ini
+    [nas]
+    type = other
+    shortname = NAS-Name
+    secret = shared_secret
+    framed-interface-id = 135  # VLAN ID
+    ```
+- **Firewall Rules:**  
+  - Allow traffic between the student VLAN and the RADIUS server (`172.16.2.5`).  
+  - Block unauthorized access to the VLAN.  
+
+---
+
+### **3. NAS Configuration (Example: Cisco IOS)**  
+If using a router as the NAS:  
+```bash
+aaa authentication login default group radius local  
+aaa authentication login default group radius  
+aaa authorization network default group radius  
+aaa accounting network default start-stop group radius  
+
+radius-server host 172.16.2.5 key your_shared_secret  
+radius-server vsa send-template  
+```
+- Ensure the NAS sends the **`Calling-Station-Id`** (MAC address) and **`Framed-IP-Address`** in the RADIUS request.  
+
+---
+
+### **4. Testing and Debugging**  
+1. **Test LDAP Authentication:**  
+   - Use `radtest` to simulate a login:  
+     ```bash
+     radtest student1 password 172.16.2.5 1812 testing123
+     ```
+2. **Check Logs:**  
+   - `/var/log/freeradius/radius.log` for authentication errors.  
+3. **Monitor Active Sessions:**  
+   - Use `radwho` or a database query to list active users.  
+
+---
+
+### **5. Advanced: Session Tracking with a Database**  
+If you need precise tracking, set up a database (e.g., MySQL) with a table like:  
+```sql
+CREATE TABLE active_sessions (
+    username VARCHAR(255) PRIMARY KEY,
+    ip_address VARCHAR(45),
+    mac_address VARCHAR(45),
+    session_id VARCHAR(255),
+    timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);
+```
+- Update the RADIUS config to insert session data into the table.  
+- Use a script to clean up old sessions (e.g., every 5 minutes).  
+
+---
+
+### **Final Notes**  
+- **Security:** Ensure the RADIUS secret and AD credentials are encrypted.  
+- **Scalability:** For large deployments, use a **database** to track sessions.  
+- **Fallback:** If the `Limit` directive is insufficient, use a **script** to check the database for active sessions and reject new ones.  
+
+This configuration ensures students authenticate via AD, prevents multiple devices per user, and isolates their VLAN for secure access.

projects/gg/freeradius/20250728-FreeRADIUS-docs.md

@@ -0,0 +1,16 @@
+
+## Authenticating Users with LDAP
+
+Please be aware the FreeRADIUS is an AAA server, and LDAP is a _database_. This separation of roles means that FreeRADIUS supports multiple kinds of authentication protocols such as `PAP`, `CHAP`, `MS-CHAP`, etc. An LDAP database supports only one authentication method: "bind as user". This authentication method is compatible only with PAP.
+
+Our recommendation is to use LDAP as a database. FreeRADIUS should read the "known good" password from LDAP, and then use that information to authenticate the user. It is almost always wrong to use the LDAP "bind as user" method for authenticating users.
+
+The only caveat to the above recommendation is Active Directory. For "security" reasons, Active Directory will not return the "known good" password to FreeRADIUS over a standard LDAP query. Therefore when Active Directory is used, the choices are:
+
+PAP
+
+- Use "bind as user"
+
+[MS-CHAP::](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) Use [`ntlm`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/ntlm_auth) and [`winbind`](https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/mods-available/mschap) configuration.
+
+Due to the limitations of Active Directory, There are unfortunately no other possible choices.

projects/gg/freeradius/homelab/20250726-test_environment-homelab.md

@@ -0,0 +1,189 @@
+
+To configure your **FreeRADIUS server** for **LDAP authentication** (via LDAPS) in your home lab, follow these steps. The configuration will ensure the Unifi Access Point (AP) can authenticate users against your LDAP server (AD) via the FreeRADIUS server.
+
+---
+
+### **1. Install Required Packages**
+Install **FreeRADIUS** and the necessary modules. Since you're using **FreeRADIUS 3.2.1**, ensure you install the correct version. On **Proxmox**, you can use `apt` or install via Docker.
+
+#### **For Ubuntu/Debian (if using a VM or bare metal):**
+```bash
+sudo apt update
+sudo apt install freeradius freeradius-ldap freeradius-mysql
+```
+
+#### **If using Docker (optional):**
+```bash
+docker run -d \
+  --name freeradius \
+  --network host \
+  --restart unless-stopped \
+  --volume /path/to/config:/etc/freeradius \
+  --volume /path/to/ldap-cert:/etc/ssl/certs \
+  --volume /path/to/mariadb:/var/lib/mysql \
+  freeradius/freeradius:3.2.1
+```
+
+---
+
+### **2. Configure FreeRADIUS to Use LDAP (LDAPS)**
+
+#### **2.1. Edit `radiusd.conf`**
+Set the listening address to **IPv4 and IPv6**:
+```bash
+sudo nano /etc/freeradius/radiusd.conf
+```
+Update the following lines:
+```ini
+listen { 
+    ipaddr = 0.0.0.0
+    port = 1812
+    instance = main
+}
+
+listen {
+    ipaddr = ::
+    port = 1812
+    instance = main
+}
+```
+
+#### **2.2. Configure LDAP Backend in `ldap` Module**
+Create or edit the LDAP configuration file:
+```bash
+sudo nano /etc/freeradius/ldap
+```
+Add the following (replace placeholders with your actual values):
+```ini
+ldap {
+    server = ad.reliyya.xyz
+    port = 6360
+    timeout = 5
+    bind = yes
+    base_dn = DC=reliyya,DC=xyz
+    filter = (objectClass=person)
+    start_tls = yes
+    ldap_tls_cafile = /etc/ssl/certs/ca-certificates.crt
+    ldap_tls_cacertdir = /etc/ssl/certs
+    ldap_tls_certfile = /etc/ssl/certs/client-cert.pem
+    ldap_tls_keyfile = /etc/ssl/certs/client-key.pem
+}
+```
+
+**Key Notes:**
+- `server` = DNS entry for your LDAP server (`ad.reliyya.xyz`).
+- `port` = LDAPS port (`6360`).
+- `start_tls = yes` enables TLS (if your LDAP server uses LDAPS).
+- If your LDAP server requires a certificate, specify `ldap_tls_cafile` or `ldap_tls_cacertdir`.
+
+#### **2.3. Configure `ldap` Module in `radiusd.conf`**
+Enable the LDAP module:
+```bash
+sudo nano /etc/freeradius/radiusd.conf
+```
+Add this line under `[modules]`:
+```ini
+ldap
+```
+
+#### **2.4. Configure `users` File (Optional)**
+If you want to test without LDAP, you can use a static user:
+```bash
+sudo nano /etc/freeradius/users
+```
+Add:
+```ini
+testuser Cleartext-Password := "password"
+```
+
+---
+
+### **3. Configure Clients in `clients.conf`**
+Set up the Unifi controller as a client:
+```bash
+sudo nano /etc/freeradius/clients.conf
+```
+Add:
+```ini
+client unifi-controller {
+    ipaddr = 10.56.0.0/24
+    secret = your_shared_secret
+    require_client_certificate = no
+}
+```
+Replace `your_shared_secret` with a secure password (same on Unifi controller).
+
+---
+
+### **4. Test LDAP Connectivity**
+Verify the LDAP server is reachable:
+```bash
+ldapsearch -x -H ldaps://ad.reliyya.xyz:6360 -b "DC=reliyya,DC=xyz" -D "CN=testuser,DC=reliyya,DC=xyz" -w password
+```
+Replace `testuser` and `password` with a valid LDAP user.
+
+---
+
+### **5. Test FreeRADIUS Authentication**
+Use `radtest` to test authentication:
+```bash
+radtest testuser password 10.56.1.251 0 testing123
+```
+If successful, you'll see:
+```
+Sending Access-Request of type Auth-Request
+...
+Access-Accept
+```
+
+---
+
+### **6. Configure Unifi Controller to Use FreeRADIUS**
+1. Log in to the Unifi controller web UI.
+2. Navigate to **Network > Radius**.
+3. Add a new RADIUS server:
+   - **Name**: `radius.reliyya.xyz`
+   - **IP Address**: `radius.reliyya.xyz` (DNS entry)
+   - **Port**: `1812` (Authentication), `1813` (Accounting)
+   - **Shared Secret**: `your_shared_secret`
+   - **NAS ID**: `unifi-controller`
+4. Save and test the connection.
+
+---
+
+### **7. Optional: Set Up MariaDB for Session Tracking**
+If you want to store session data:
+1. Install MariaDB:
+   ```bash
+   sudo apt install mariadb-server
+   ```
+2. Configure `radiusd.conf` to use MySQL:
+   ```bash
+   sudo nano /etc/freeradius/radiusd.conf
+   ```
+   Add:
+   ```ini
+   mysql
+   ```
+3. Configure `sql` module in `radiusd.conf`:
+   ```bash
+   sudo nano /etc/freeradius/sql.conf
+   ```
+   Set the database connection details and table schema.
+
+---
+
+### **8. Security Considerations**
+- Ensure **TLS is enforced** for LDAPS.
+- Use **strong secrets** for RADIUS and LDAP.
+- Restrict access to the FreeRADIUS server via OPNsense firewall.
+
+---
+
+### **Summary**
+- **Packages**: `freeradius`, `freeradius-ldap`, `freeradius-mysql`
+- **Key Config Files**: `radiusd.conf`, `ldap`, `clients.conf`, `users`
+- **LDAP Server**: Use `ad.reliyya.xyz:6360` with TLS
+- **Unifi Controller**: Point to `radius.reliyya.xyz` with shared secret
+
+Let me know if you need help with certificate setup or advanced LDAP filters! 🚀

projects/gg/freeradius/homelab/20250726-tls_certs_peap.md

@@ -0,0 +1,134 @@
+
+The error **"TLS Alert: fatal: unknown CA"** indicates that the client (your phone) is trying to establish a **TLS connection** with the FreeRADIUS server, but it **cannot verify the server's certificate** because the **CA (Certificate Authority)** is not trusted. This is a **common issue when using PEAP (Protected Extensible Authentication Protocol)** with TLS. Let's fix it step by step.
+
+---
+
+### **1. Understand the Root Cause**
+- **PEAP (PEAP-MSCHAPv2)** requires **TLS** for secure communication.
+- Your phone is trying to connect to the FreeRADIUS server using **PEAP**, but the server is not presenting a **trusted certificate**.
+- The client (phone) is not trusting the **CA** that signed the server's certificate.
+
+---
+
+### **2. Fix: Configure TLS for PEAP on FreeRADIUS**
+You need to **set up a valid TLS certificate** for the FreeRADIUS server. Here's how:
+
+#### **A. Generate a Self-Signed Certificate (For Testing)**
+If you're in a testing environment, you can create a **self-signed certificate**. This will work for testing but won't be trusted by phones (unless manually added).
+
+1. **Generate a private key and certificate:**
+   ```bash
+   openssl req -x509 -newkey rsa:2048 -keyout /etc/freeradius/certs/your_radius_server.key -out /etc/freeradius/certs/your_radius_server.crt -days 365 -nodes
+   ```
+   - Replace `your_radius_server.crt` and `your_radius_server.key` with your server's certificate and key.
+
+2. **Set correct permissions:**
+   ```bash
+   chown -R freeradius:freeradius /etc/freeradius/certs/
+   chmod 600 /etc/freeradius/certs/your_radius_server.key
+   chmod 644 /etc/freeradius/certs/your_radius_server.crt
+   ```
+
+#### **B. Configure FreeRADIUS to Use the Certificate**
+Update `/etc/freeradius/eap.conf` to use the certificate:
+
+```ini
+eap {
+    default_eap_type = peap
+    timer_expire = 60
+    max_sessions = 256
+
+    peap {
+        # Path to your certificate and key
+        certificate = /etc/freeradius/certs/your_radius_server.crt
+        private_key = /etc/freeradius/certs/your_radius_server.key
+        ca_list = /etc/freeradius/certs/ca.crt  # Optional: If you're using a chain
+        dh_file = /etc/freeradius/certs/dh2048.pem  # Optional: Diffie-Hellman parameters
+    }
+}
+```
+
+- If you're using a **self-signed certificate**, skip the `ca_list` line.
+- If you're using a **trusted CA**, ensure the `ca_list` contains the CA's certificate.
+
+#### **C. Generate Diffie-Hellman Parameters (Optional)**
+For stronger TLS security:
+```bash
+openssl dhparam -out /etc/freeradius/certs/dh2048.pem 2048
+```
+
+---
+
+### **3. Ensure the Client (Phone) Trusts the Certificate**
+If you're using a **self-signed certificate**, the phone must trust it manually. Here's how:
+
+#### **A. Export the Server's Certificate**
+1. Use `openssl` to extract the certificate from the `.crt` file:
+   ```bash
+   openssl x509 -in /etc/freeradius/certs/your_radius_server.crt -outform der -out /path/to/cert.der
+   ```
+
+2. Convert it to PEM format (optional):
+   ```bash
+   openssl x509 -in your_radius_server.crt -out your_radius_server.pem
+   ```
+
+#### **B. Install the Certificate on the Phone**
+- **Android**: 
+  1. Go to **Settings > Security > Trusted Credentials > User Certificates**.
+  2. Import the `.der` or `.pem` file.
+- **iOS**:
+  1. Go to **Settings > General > About > Certificate Trust Settings**.
+  2. Add the certificate to the trusted list (may require a certificate from a trusted CA).
+
+#### **C. Use a Trusted CA (Recommended for Production)**
+If you're using a certificate from a **trusted CA** (e.g., Let's Encrypt), ensure:
+- The certificate is correctly installed.
+- The **CA chain** is complete (e.g., intermediate certificates are included).
+- The phone's trust store includes the CA's certificate.
+
+---
+
+### **4. Verify FreeRADIUS TLS Configuration**
+1. **Restart FreeRADIUS**:
+   ```bash
+   systemctl restart freeradius
+   ```
+
+2. **Check Logs for TLS Errors**:
+   ```bash
+   tail -f /var/log/freeradius/radius.log
+   ```
+   Look for:
+   - `TLS: Server certificate is not trusted`
+   - `TLS: No trusted certificate found`
+
+3. **Test with `radtest`** (Ensure PEAP is working):
+   ```bash
+   radtest testuser password 10.56.1.251 0 YOUR_SHARED_SECRET
+   ```
+
+---
+
+### **5. Advanced: Debug TLS Handshake**
+If the issue persists, enable **TLS debugging** in `eap.conf`:
+```ini
+eap {
+    debug = yes
+    ...
+}
+```
+Then check the logs for detailed TLS handshake errors.
+
+---
+
+### **Summary of Fixes**
+| Step | Action |
+|------|--------|
+| 1 | Generate a valid TLS certificate (self-signed or trusted CA) |
+| 2 | Configure FreeRADIUS to use the certificate in `eap.conf` |
+| 3 | Install the certificate on the phone (or ensure the CA is trusted) |
+| 4 | Restart FreeRADIUS and verify TLS is working |
+| 5 | Debug with `debug = yes` if issues persist |
+
+After these steps, the **"unknown CA"** error should resolve, and your phone should be able to connect securely via PEAP. Let me know if you need help with certificate chains or CA trust setup! 🚀

projects/gg/packetfence/20250819-homelab-test.md

@@ -0,0 +1,10 @@
+
+**Database root Account**
+
+username: root
+password: `d(HF8[ADT(lU1OYw`
+
+**Database User Account**
+
+username: pf
+password: `2{Jyc71TPAijjQ8z`