## Now

- Probably MS Radius Server. -> Network Policy Server on gg-srv-pd-app-01

![[Pasted image 20250727185114.png]]
- eap type: secured peap (proprietary?)
- mschapv2 as second next

## TODO

- [x] ruckus network config
- [x] network config
- [x] Ruckus filter via username (identity + group). If user already connected with one device do not allow other device. Measure time -> next 8 hours device is connected and can not connect with other device
- [x] test authentication with user not being in ldap group
- [ ] Restrict user login to only one device at a time
- [ ] Auto logout after 8h

## Notes

- MS AD makes things complicated
- RADIUS does not get 'good password' from AD which it needs

## Questions

- Which authorization and authentication methods do the iPads use?
- How should the system behave when the same user connects with different devices?
- Do we track the used devices?
- Are rules applied depending on the user or/and on the device?

## Resources 

- [ruckus radius attributes](https://docs.commscope.com/bundle/fastiron-10010-securityguide/page/GUID-15CBE7F1-4898-4311-8A4E-28ED2268BD86.html)
- <https://www.golinuxcloud.com/configure-freeradius-pap-chap-authentication/>
- <https://www.freeradius.org/documentation/freeradius-server/3.2.8/concepts/modules/ldap/authentication.html>
- <https://www.inkbridgenetworks.com/blog/blog-10/how-to-connect-freeradius-to-active-directory-for-authentication-105>
- <https://www.inkbridgenetworks.com/blog/blog-10/can-you-use-freeradius-and-active-directory-together-121>
- <https://cloudinfrastructureservices.co.uk/setup-freeradius-active-directory-authentication-integration/>
- <https://nbailey.ca/post/peap-freeradius/>