Development

routlin/mod_radius.py

@@ -248,26 +248,27 @@ def toggle_freeradius_block(content, block_name, enable):
 
 
 def set_freeradius_eap(data):
-    """Patch EAP config for tunneled_reply and allow_weak_eap settings.
+    """Patch EAP config for eap_protocol and tunneled_reply settings.
     Returns True if the file was modified, False if unchanged or not found.
     """
     if not RADIUS_EAP_FILE.exists():
         return False
-    eap_cfg        = data.get('radius', {}).get('eap', {})
-    tunneled_reply = eap_cfg.get('tunneled_reply', False)
-    allow_weak_eap = eap_cfg.get('allow_weak_eap', False)
+    opts           = data.get('radius', {}).get('options', {})
+    eap_protocol   = opts.get('eap_protocol', 'eap_peap')
+    tunneled_reply = opts.get('tunneled_reply', False)
+    use_md5        = eap_protocol == 'eap_md5'
+    eap_type       = {'eap_peap': 'peap', 'eap_ttls': 'ttls', 'eap_md5': 'md5'}.get(eap_protocol, 'peap')
     content  = RADIUS_EAP_FILE.read_text()
     tr_val   = 'yes' if tunneled_reply else 'no'
-    eap_type = 'md5' if allow_weak_eap else 'peap'
     content2 = re.sub(r'(?m)^(\s*use_tunneled_reply\s*=\s*)(yes|no)', rf'\g<1>{tr_val}', content)
     # Only replace the first occurrence -- that is the outer eap{} block's default.
     # Inner blocks (e.g. peap's tunneled default) must not be touched.
     content3 = re.sub(r'(?m)^(\s*default_eap_type\s*=\s*)\w+', rf'\g<1>{eap_type}', content2, count=1)
-    content4 = toggle_freeradius_block(content3, 'md5', allow_weak_eap)
+    content4 = toggle_freeradius_block(content3, 'md5', use_md5)
     if content4 == content:
         return False
     RADIUS_EAP_FILE.write_text(content4)
-    print(f"EAP: default_eap_type={eap_type}, tunneled_reply={tr_val}, allow_weak_eap={allow_weak_eap}")
+    print(f"EAP: default_eap_type={eap_type}, tunneled_reply={tr_val}")
     return True