CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

20250726-regular commit

Browse Source
This commit is contained in:
Petar Cubela
2025-07-26 11:50:53 +02:00
parent b79839500c
commit c83d178b77
21 changed files with 1085 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
projects/firewall-migrations/bgsm/20250527-ueberblick-uebernahme.md → projects/bgsm/202506-fw-migration/20250527-ueberblick-uebernahme.md
View File

0
projects/bgsm/20250617-fw-migration-prep.md → projects/bgsm/202506-fw-migration/20250617-fw-migration-prep.md
View File

0
projects/bgsm/20250625-migration.md → projects/bgsm/202506-fw-migration/20250625-migration.md
View File

0
projects/bvv/202507-newsletter.md → projects/bvv/202506-newsletter/202507-newsletter.md
View File

4
projects/cqse/fw-migration/20250718-main.md
View File

@@ -1,3 +1,7 @@
## 20250721-Meeting
- 19.08.2025 Termin fuer Firewall Migration
## General

24
projects/dav/202507-azure-migration-tool/20250718-azure-migrate-linux-vms.md Normal file
View File

@@ -0,0 +1,24 @@
## 20250722 - On-Premisses
- Linux Server:
- 6 Server
- 172.16.170.???
## Notes Meeting
- Azure Migrate Appliance Configuration Manager
- from hyper-v to azure.
- it scans the network, finds the vms, connects to them and uses all required information to migrate it
- Runs from a Windows Server via Software
- <https://learn.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-physical?view=migrate-classic>
- Spaetestens Dienstag (23.07)
## 20250721
- <https://learn.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-physical?view=migrate-classic>
- <https://learn.microsoft.com/en-us/azure/migrate/migrate-support-matrix-hyper-v?view=migrate-classic#dependency-analysis-requirements-agentless>
- <https://learn.microsoft.com/en-us/azure/migrate/tutorial-discover-hyper-v?view=migrate-classic>

9
projects/dav/20250718-azure-migrate-linux-vms.md
View File

@@ -1,9 +0,0 @@
- Azure Migrate Appliance Configuration Manager
- from hyper-v to azure.
- it scans the network, finds the vms, connects to them and uses all required information to migrate it
- Runs from a Windows Server via Software
- <https://learn.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-physical?view=migrate-classic>
- Spaetestens Dienstag (23.07)

178
projects/gg/freeradius/20250725-radius-laerning-01.md Normal file
View File

@@ -0,0 +1,178 @@
### **FreeRADIUS Crash Course for a School Environment with AD Integration (IPv4-Only)**
*(Softbox MSP Focus: IPv4-Only, No IPv6 Support)*
---
### **1. What is RADIUS?**
**RADIUS (Remote Authentication Dial-In User Service)** is a network protocol for centralized authentication, authorization, and accounting (AAA). Its used in:
- **Wireless networks** (802.1X)
- **DSL modems**
- **VPN gateways**
- **Switches/APs**
**Key Components:**
- **Client (NAS):** Network Access Server (e.g., switch, AP, firewall) that sends user credentials to the RADIUS server.
- **Server (RADIUS):** Validates credentials against a backend (e.g., AD, LDAP, SQL).
- **Protocol Flow:**
1. User authenticates (e.g., via Wi-Fi, SSH, or PPP).
2. NAS sends an **Access-Request** to the RADIUS server.
3. Server checks credentials against a backend (e.g., AD).
4. Server replies with **Access-Accept**, **Access-Reject**, or **Accounting-Request**.
---
### **2. Key Features of FreeRADIUS**
FreeRADIUS is an open-source RADIUS server with:
- **Modular architecture** (plugins for LDAP, SQL, EAP, etc.).
- **IPv4 support** (standard for Softbox MSP).
- **EAP (Extensible Authentication Protocol)** for secure 802.1X.
- **Accounting** for usage tracking (e.g., bandwidth, login times).
- **Proxying** for load balancing or multi-site setups.
---
### **3. Architecture for Your School Use Case**
**Scenario:**
- **MS DC/AD** handles user identities (e.g., `students`, `staff`, `guests`).
- **FreeRADIUS** acts as the central AAA server.
- **NAS devices** (e.g., Proxmox VMs, VMware ESXi hosts, APs) forward RADIUS requests.
**Workflow:**
1. **User connects** to the network (e.g., via Wi-Fi).
2. **NAS** sends user credentials to **FreeRADIUS** (via IPv4).
3. **FreeRADIUS** queries **AD/LDAP** for authentication.
4. **FreeRADIUS** authorizes the user (e.g., assign VLANs, limit bandwidth).
5. **Accounting** logs are stored for billing/monitoring.
---
### **4. Step-by-Step Setup (IPv4-Only)**
#### **A. Prerequisites**
- **Linux Server** (e.g., Ubuntu/Debian/Proxmox VM).
- **IPv4 connectivity** (ensure `ipv4` is enabled in kernel and network).
- **AD/LDAP integration** (e.g., Microsoft Active Directory).
- **TLS/SSL** for secure communication (required for RADIUS).
---
#### **B. Install FreeRADIUS**
```bash
# Debian/Ubuntu
sudo apt update
sudo apt install freeradius freeradius-utils
```
---
#### **C. Configure FreeRADIUS for AD Integration**
1. **LDAP Configuration (AD):**
Edit `/etc/freeradius/3.0/sites-enabled/inner-tunnel` (or `default`):
```ini
ldap {
server = "ad.example.com" # AD DC IPv4 address
base_dn = "DC=example,DC=com"
bind_dn = "CN=radius,CN=Users,DC=example,DC=com"
bind_password = "your-ad-password"
filter = "(sAMAccountName=%{User-Name})"
attribute = sAMAccountName
timeout = 5
start_tls = yes
}
```
**Note:** Use `ldapsearch` to test LDAP connectivity.
2. **Authentication Method:**
In `/etc/freeradius/3.0/sites-enabled/inner-tunnel`, replace `auth` with:
```ini
authenticate {
ldap
}
```
3. **Authorization Rules:**
Add policies to assign VLANs or bandwidth limits:
```ini
authorize {
ldap
policy filter-ipv4 {
if (User-Name =~ /^student/) {
Tunnel-Type = VLAN
Tunnel-Medium-Type = 6
Tunnel-Client-Endpoint = "ipv4"
}
}
}
```
---
#### **D. Configure RADIUS Clients (NAS)**
Edit `/etc/freeradius/3.0/clients.conf`:
```ini
client NAS-IPv4-Address {
ipaddr = 192.168.1.1 # Replace with NAS's IPv4 address
secret = "your-shared-secret"
short_name = "NAS-Name"
require_message_integrity = yes
nastype = other
}
```
**Note:** Ensure NAS devices are configured with the same shared secret and IPv4 address.
---
#### **E. TLS/SSL for Secure Communication**
1. **Generate Certificates (self-signed or CA-signed):**
Use `openssl` to create a certificate chain. Store in `/etc/freeradius/3.0/certs/`.
2. **Configure TLS in `radiusd.conf`:**
```ini
tls {
ca_file = "/etc/freeradius/3.0/certs/ca.pem"
cert_file = "/etc/freeradius/3.0/certs/server.pem"
key_file = "/etc/freeradius/3.0/certs/server.key"
dh_file = "/etc/freeradius/3.0/certs/dh2048.pem"
verify_client = yes
}
```
3. **NAS Configuration:**
Ensure NAS devices are configured to use TLS and trust the CA certificate.
---
#### **F. Test the Setup**
1. **Simulate a RADIUS Request:**
```bash
radtest user@example.com password 192.168.1.1 0 your-shared-secret
```
Check `/var/log/freeradius/radius.log` for output.
2. **Use Wireshark:**
Capture IPv4 RADIUS packets (port 1812/1813) to debug.
---
### **5. Security Best Practices**
- **Firewall Rules:** Ensure only trusted NAS devices can communicate with the RADIUS server on ports 1812 (authentication) and 1813 (accounting).
- **Shared Secrets:** Use strong, unique shared secrets for each NAS device.
- **TLS Enforcement:** Require TLS for all RADIUS communication to prevent eavesdropping.
---
### **6. Common Pitfalls**
- **IP Address Mismatch:** Ensure the NAS's IP address in `clients.conf` matches its actual IPv4 address.
- **LDAP Configuration Errors:** Double-check `bind_dn`, `base_dn`, and `filter` settings in the LDAP block.
- **TLS Certificate Issues:** Verify the CA certificate is trusted by the NAS and the certificate chain is complete.
---
### **7. Next Steps for You**
1. **Provision a FreeRADIUS VM** in Proxmox with IPv4 support.
2. **Integrate with AD** using LDAP (test via `ldapsearch`).
3. **Secure TLS** and configure NAS devices.
4. **Monitor logs** and test with real users.
Let me know if you need scripts for LDAP testing, TLS certificate generation, or IPv4 subnet planning! 🚀

0
projects/gg/freeradius/20250725_init.md Normal file
View File

9
projects/ssr/new-employees/anika_zeman.md Normal file
View File

@@ -0,0 +1,9 @@
### Kerio Mail
Benutzerinname: anika.zeman
Vollstaendiger Name: Anika Zeman
Beschreibung: Mitarbeiterin SSR SE
E-Mail Adresse: anika.zeman@studio-stadt-region.de
Passwd: 6dc30aAp7
Gruppen: 'Mitarbeiter', 'Mitarbeiter SE', 'Team', 'Team SE'

23
projects/tu/general/TODO-TUM.md Normal file
View File

@@ -0,0 +1,23 @@
## TODO
### Allgemein
- [ ] herausfinden welche portbeleguneg an den switches am besten ist
- [ ] landing page: unterscheidung zwischen remote.glt.tum.de und gw.glt.tum.de soll klar sein.
- gw.glt.tum.de ist die Sophos FW. html5 vpn-portal verbindet sich mit rdp zu servern??
- remote.glt.tum.de ist die Applikation TSPlus fuer remote Zugriff zu einem bestimmten Server
- [ ] TU: Tobias will extra Mail Postfach fuer GLT. Pruefe Mail Server. LRZ managed.
- [ ] TU: Finde Cental Management Software fuer die Aruba und MicroSense Switches -> lieber ueber Herrn Zach. ->> 20250723 Ich will den Central Zugang haben
- [ ] TU: Abbild der Netzwerkinfrastruktur -> alles zu netbox
### Heute
- [x] TU: Tobias Fragen wegen Meeting naechste Woche. -> neues Netz. PDI und WSI Netz. Nivus kommt und andere.
- [x] TU: CRC: Nextcloud mit Phil und Chat - Mail Adresse der anzulegenden User
- [x] TU: JCI: vCenter keine Anmeldung moeglich.
- [ ] TU: MACmon: Uebertrage zum IPAM was fehlt
- [ ] 12.08 GA Netz Besprechung beim RCM - es soll ja getrennt sein vom glt-gesamt Netz -> Termin steht fest
- Kontakt K&P wegen GLT in RCM: Seidu: 0151 15942096

18
projects/tu/glt-mail/20250724-installation_and_setup.md Normal file
View File

@@ -0,0 +1,18 @@
## Base
### Mail Server
- Hostname: mx
- Domain: ga.tum.de
- Sophos DNS: mx.glt.lan -> 192.157.163.247
### Bind Server (DNS)
- Hostname: dns
- Domain: ga.tum.de
- Sophos DNS: dns.glt.lan -> 192.157.163.246
- -> Authoritative dns server for the domain `ga.tum.de`
**Host entries**:
-

154
projects/tu/glt-mail/dns-server/named.conf.md Normal file
View File

@@ -0,0 +1,154 @@
## Simple
```
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
// include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
acl internal {
10.42.0.0/24;
};
options {
directory "/var/cache/bind";
forwarders {
1.1.1.1;
1.0.0.1;
};
allow-query { internal; };
};
zone "test.softbox.net" IN {
type master;
file "/etc/bind/test-softbox-net.zone";
```
## private
```
#
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";
include "/etc/tsig.key";
# Allow rndc management
#inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "tsig-key"; };
};
# Limit access to local network and homelab LAN
acl "clients" {
127.0.0.0/8;
10.56.0.0/21;
};
options {
forwarders {
fde4:ed21:b2c0:1::254;
10.56.0.254;
};
listen-on port 53 { 127.0.0.1; 10.56.0.3; }; ## MASTER
listen-on-v6 { none; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
tcp-clients 50;
# Disable built-in server information zones
version none;
hostname none;
server-id none;
recursion yes;
recursive-clients 50;
allow-recursion { clients; };
allow-query { clients; };
allow-transfer { localhost; 10.56.0.4; }; ## SLAVE
auth-nxdomain no;
notify no;
#dnssec-enable yes;
dnssec-validation auto;
#dnssec-lookaside auto;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
# Specifications of what to log, and where the log messages are sent
logging {
channel "common_log" {
file "/var/log/named/named.log" versions 10 size 5m;
severity dynamic;
print-category yes;
print-severity yes;
print-time yes;
};
category default { "common_log"; };
category general { "common_log"; };
category queries { "common_log"; };
category client { "common_log"; };
category security { "common_log"; };
category query-errors { "common_log"; };
category lame-servers { null; };
};
zone "." IN {
type hint;
file "named.ca";
};
# Internal zone definitions
zone "juro-vpn.reliyya.xyz" {
type forward;
forwarders { 10.56.0.254; };
};
zone "reliyya.xyz" {
type master;
file "data/db.reliyya.xyz";
#allow-update { key rndc-key; };
update-policy { grant tsig-key zonesub any; };
notify yes;
};
zone "0.56.10.in-addr.arpa" {
type master;
file "data/db.0.56.10";
#allow-update { key rndc-key; };
update-policy { grant tsig-key zonesub any; };
notify yes;
};
#zone "petarcubela.de" {
# type master;
# file "data/db.petarcubela.de";
# allow-update { key rndc-key; };
# notify yes;
#};
//zone "7.56.10.in-addr.arpa" {
// type master;
// file "data/db.7.56.10";
// allow-update { key rndc-key; };
// notify yes;
//};
[root@dns1 etc]#
```

20
projects/tu/nextcloud/20250724-User.md Normal file
View File

@@ -0,0 +1,20 @@
## Mail an Tobias 11.07.2025
folgende User, die du mir aufgeschrieben hast, sind schon in der Nextcloud hinterlegt und sollten Zugang zum Chat haben:
- Boris Gieb
- Philipp Andres
- Thomas Weiss
- Thoma Chiodi
Folgende sind nicht hinterlegt. Bei diesen braeuchte ich deren E-Mail-Adresse:
- Mike Remig
- Mario Peter
- Michael Scheidneir
- Thomas Holzmueller
- Hubert Netzser
(Kann sein, dass ich einen Namen falsch geschrieben habe. )
Ich werde sie im Anschluss direkt hinterlegen und deren Passwoerter in der Nextcloud internen Passwort-Datenbank hinterlegen.

11
projects/tu/weekly/20250717.md
View File

@@ -1,11 +0,0 @@
## TODO
- [x] wagos devices ip adressen aufschreiben und beschriften
- chemie (neu) Netz
- nextcloud passwoerter hinterlegen
- [ ] herausfinden welche portbeleguneg an den switches am besten ist
- [ ] landing page: unterscheidung zwischen remote.glt.tum.de und gw.glt.tum.de soll klar sein.
- gw.glt.tum.de ist die Sophos FW. html5 vpn-portal verbindet sich mit rdp zu servern??
- remote.glt.tum.de ist die Applikation TSPlus fuer remote Zugriff zu einem bestimmten Server