20250907

2025-09-07 13:07:01 +02:00
parent c83d178b77
commit 584265c22c
92 changed files with 3011 additions and 100 deletions
--- a/projects/gg/freeradius/20250725_init.md
+++ b/projects/gg/freeradius/20250725_init.md
@@ -0,0 +1,40 @@
+
+## Now
+
+- Probably MS Radius Server. -> Network Policy Server on gg-srv-pd-app-01
+
+![[Pasted image 20250727185114.png]]
+- eap type: secured peap (proprietary?)
+- mschapv2 as second next
+
+## TODO
+
+- [x] ruckus network config
+- [x] network config
+- [x] Ruckus filter via username (identity + group). If user already connected with one device do not allow other device. Measure time -> next 8 hours device is connected and can not connect with other device
+- [x] test authentication with user not being in ldap group
+- [ ] Restrict user login to only one device at a time
+- [ ] Auto logout after 8h
+
+## Notes
+
+- MS AD makes things complicated
+- RADIUS does not get 'good password' from AD which it needs
+
+## Questions
+
+- Which authorization and authentication methods do the iPads use?
+- How should the system behave when the same user connects with different devices?
+- Do we track the used devices?
+- Are rules applied depending on the user or/and on the device?
+
+## Resources 
+
+- [ruckus radius attributes](https://docs.commscope.com/bundle/fastiron-10010-securityguide/page/GUID-15CBE7F1-4898-4311-8A4E-28ED2268BD86.html)
+- <https://www.golinuxcloud.com/configure-freeradius-pap-chap-authentication/>
+- <https://www.freeradius.org/documentation/freeradius-server/3.2.8/concepts/modules/ldap/authentication.html>
+- <https://www.inkbridgenetworks.com/blog/blog-10/how-to-connect-freeradius-to-active-directory-for-authentication-105>
+- <https://www.inkbridgenetworks.com/blog/blog-10/can-you-use-freeradius-and-active-directory-together-121>
+- <https://cloudinfrastructureservices.co.uk/setup-freeradius-active-directory-authentication-integration/>
+- <https://nbailey.ca/post/peap-freeradius/>
+