From 4f5f2a80714b89f65e9fea95b4804bc61e5ced65 Mon Sep 17 00:00:00 2001 From: Matthew Grotke Date: Mon, 1 Jun 2026 12:58:06 -0400 Subject: [PATCH] Development --- .../routlin-dash/app/pages/radius/action.py | 34 +++++++++- .../app/pages/radius/content.json | 62 +++++++++++++++++++ docker/routlin-dash/app/view_page.py | 4 ++ routlin/config.json | 7 ++- routlin/core.py | 59 ++++++++++++++++-- 5 files changed, 157 insertions(+), 9 deletions(-) diff --git a/docker/routlin-dash/app/pages/radius/action.py b/docker/routlin-dash/app/pages/radius/action.py index f0ddc39..da695bb 100644 --- a/docker/routlin-dash/app/pages/radius/action.py +++ b/docker/routlin-dash/app/pages/radius/action.py @@ -1,7 +1,8 @@ +import copy from pathlib import Path -from flask import Blueprint, redirect, flash +from flask import Blueprint, request, redirect, flash from auth import require_level -from config_utils import CONFIGS_DIR +from config_utils import CONFIGS_DIR, load_config, record_group, diff_fields _PAGE = Path(__file__).parent.name @@ -9,6 +10,11 @@ bp = Blueprint(_PAGE, __name__) RADIUS_SECRET_FILE = Path(CONFIGS_DIR) / '.radius-secret' +_VALID_MAC_FORMATS = { + 'aabbccddeeff', 'aa-bb-cc-dd-ee-ff', 'aa:bb:cc:dd:ee:ff', + 'AABBCCDDEEFF', 'AA-BB-CC-DD-EE-FF', 'AA:BB:CC:DD:EE:FF', +} + @bp.route('/action/radius/regenerate', methods=['POST']) @require_level('administrator') 
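Review bot: `_VALID_MAC_FORMATS` in the `@@ -9,6 +10,11 @@` hunk is one of three copies of the accepted format list in this patch — the same six strings appear as select options in content.json and are re-derived from `fmt` inside `_fmt_mac` in core.py — so an edit to one copy silently diverges from the others. Keeping the allowlist here for input validation is right; a comment on the set, `# Keep in sync with the mac_format options in content.json and _fmt_mac in core.py`, makes the coupling visible to the next editor.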
@@ -20,3 +26,27 @@ def regenerate():
 return redirect(f'/{_PAGE}')
 flash('Secret deleted. A new secret will be generated when the pending command is applied.', 'success')
 return redirect(f'/{_PAGE}')
+
+
+@bp.route('/action/radius/options_save', methods=['POST'])
+@require_level('administrator')
+def options_save():
+ mac_format = request.form.get('mac_format', 'aabbccddeeff')
+ apply_to = request.form.get('apply_to', 'all')
+ logging = 'logging' in request.form
+
+ if mac_format not in _VALID_MAC_FORMATS:
+ flash('Invalid MAC format.', 'error')
+ return redirect(f'/{_PAGE}')
+ if apply_to not in ('all', 'wireless'):
+ flash('Invalid apply_to value.', 'error')
+ return redirect(f'/{_PAGE}')
+
+ cfg = load_config()
+ before = copy.deepcopy(cfg.get('radius_options', {}))
+ after = {'mac_format': mac_format, 'apply_to': apply_to, 'logging': logging}
+ cfg['radius_options'] = after
+
+ changes = diff_fields(before, after)
+ flash(record_group(cfg, 'radius_options', 'setting', 'radius_options', changes, 'core apply'), 'success')
+ return redirect(f'/{_PAGE}')
diff --git a/docker/routlin-dash/app/pages/radius/content.json b/docker/routlin-dash/app/pages/radius/content.json
index 6bcc46d..340e212 100644
--- a/docker/routlin-dash/app/pages/radius/content.json
+++ b/docker/routlin-dash/app/pages/radius/content.json
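Review bot: The local `logging = 'logging' in request.form` in options_save reuses the name of the stdlib `logging` module, and the apply_radius hunk in core.py (`@@ -1935,7 +1979,10 @@`) does the same with `logging = opts.get('logging', False)`; if either module imports `logging` the name is shadowed for the rest of the function, and even if not, it reads as a module reference. A name such as `log_auth = 'logging' in request.form` with `'logging': log_auth` in `after` keeps the form key and config key unchanged while avoiding the collision. Separately, `copy.deepcopy` on a flat dict of three scalars is more than the situation needs — `before = dict(cfg.get('radius_options', {}))` does the same job and lets the new `import copy` go.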
@@ -43,6 +43,68 @@
 ]
 }
 ]
+ },
+ {
+ "type": "card",
+ "label": "Options",
+ "client_requirement": "client_is_administrator+",
+ "items": [
+ {
+ "type": "form",
+ "action": "/action/radius/options_save",
+ "method": "post",
+ "items": [
+ {
+ "type": "field",
+ "label": "MAC Address Format",
+ "name": "mac_format",
+ "input_type": "select",
+ "value": "%RADIUS_MAC_FORMAT%",
+ "options": [
+ {"value": "aabbccddeeff", "label": "aabbccddeeff"},
+ {"value": "aa-bb-cc-dd-ee-ff", "label": "aa-bb-cc-dd-ee-ff"},
+ {"value": "aa:bb:cc:dd:ee:ff", "label": "aa:bb:cc:dd:ee:ff"},
+ {"value": "AABBCCDDEEFF", "label": "AABBCCDDEEFF"},
+ {"value": "AA-BB-CC-DD-EE-FF", "label": "AA-BB-CC-DD-EE-FF"},
+ {"value": "AA:BB:CC:DD:EE:FF", "label": "AA:BB:CC:DD:EE:FF"}
+ ],
+ "hint": "Format used in the FreeRADIUS users file. Must match your AP/controller's expected format."
+ },
+ {
+ "type": "field",
+ "label": "Apply DEFAULT Rule To",
+ "name": "apply_to",
+ "input_type": "select",
+ "value": "%RADIUS_APPLY_TO%",
+ "options": [
+ {"value": "all", "label": "All clients"},
+ {"value": "wireless", "label": "Wireless clients only (NAS-Port-Type = Wireless-802.11)"}
+ ],
+ "hint": "Scoping to wireless only prevents the DEFAULT rule from assigning a VLAN to unknown wired switch ports."
+ },
+ {
+ "type": "field",
+ "label": "Auth Logging",
+ "name": "logging",
+ "input_type": "checkbox",
+ "checkbox_label": "Log auth requests",
+ "value": "%RADIUS_LOGGING%",
+ "hint": "Enables auth logging in radiusd.conf (auth, auth_accept, auth_reject). High volume on busy networks."
+ },
+ {
+ "type": "button_row",
+ "items": [
+ {
+ "type": "button_primary",
+ "action": "/action/radius/options_save",
+ "method": "post",
+ "text": "Save"
+ }
+ ]
+ }
+ ]
+ }
+ ]
 }
 ]
 }
diff --git a/docker/routlin-dash/app/view_page.py b/docker/routlin-dash/app/view_page.py
index fecd8f3..2f3ce49 100644
--- a/docker/routlin-dash/app/view_page.py
+++ b/docker/routlin-dash/app/view_page.py
@@ -819,6 +819,10 @@ def collect_tokens(): tokens['RADIUS_SECRET'] = open(f'{CONFIGS_DIR}/.radius-secret').read().strip() except OSError: tokens['RADIUS_SECRET'] = '(Generation is pending - visit Actions to apply generation command)' + _radius_opts = cfg.get('radius_options', {}) + tokens['RADIUS_MAC_FORMAT'] = _radius_opts.get('mac_format', 'aabbccddeeff') + tokens['RADIUS_APPLY_TO'] = _radius_opts.get('apply_to', 'all') + tokens['RADIUS_LOGGING'] = 'true' if _radius_opts.get('logging', False) else '' tokens['STAT_BANNED_IP_COUNT'] = str(sum(1 for b in cfg.get('banned_ips', []) if b.get('enabled', True))) tokens['STAT_BLOCKLIST_COUNT'] = str(len(cfg.get('dns_blocking', {}).get('blocklists', []))) tokens['BLOCKLIST_STATS_HTML'] = _blocklist_stats_html(cfg) diff --git a/routlin/config.json b/routlin/config.json index 1013ead..8b5079d 100644 --- a/routlin/config.json +++ b/routlin/config.json @@ -828,5 +828,10 @@ "redirect_to": "192.168.40.1", "vlan": "vpn" } - ] + ], + "radius_options": { + "mac_format": "aabbccddeeff", + "apply_to": "all", + "logging": false + } } \ No newline at end of file diff --git a/routlin/core.py b/routlin/core.py index e24b8dc..7af8d7b 100644 --- a/routlin/core.py +++ b/routlin/core.py @@ -1825,6 +1825,8 @@ def remove_nat_service(): RADIUS_SECRET_FILE = SCRIPT_DIR / ".radius-secret" RADIUS_CLIENTS_CONF = Path("/etc/freeradius/3.0/clients.conf") RADIUS_USERS_FILE = Path("/etc/freeradius/3.0/users") +RADIUS_CONF_FILE = Path("/etc/freeradius/3.0/radiusd.conf") +RADIUS_LOG_FILE = Path("/var/log/freeradius/radius.log") def radius_clients(data): """Return list of (reservation, vlan) tuples where radius_client is True.""" 
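Review bot: `RADIUS_MAC_FORMAT` and `RADIUS_APPLY_TO` are emitted without the allowlist check that `options_save` applies to form input, so a hand-edited config.json value (the core.py docstring in this patch invites hand edits) produces a select with no matching option; the browser then shows the first option and the next Save silently rewrites the config to it. Clamping here to the accepted values, falling back to `'aabbccddeeff'` and `'all'` respectively, or at least a comment `# NOTE: not validated here; a hand-edited value will not match any <option>`, keeps the page honest about what it renders. collect_tokens begins and ends outside this hunk.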
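Review bot: `RADIUS_LOG_FILE` in the `@@ -1825,6 +1825,8 @@` hunk is defined but not referenced by any other hunk of this patch — `_set_freeradius_log` edits radiusd.conf and nothing opens the log path — so it lands as a dead constant. If it is reserved for a follow-up, a one-line comment naming that consumer keeps it from being removed as unused; otherwise drop it from this commit.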
@@ -1877,12 +1879,26 @@ def build_radius_clients_conf(data, secret): ] return "\n".join(lines) +def _fmt_mac(raw, fmt): + c = raw.replace(':', '').replace('-', '').lower() + pairs = [c[i:i+2] for i in range(0, 12, 2)] + upper = fmt[0].isupper() + if fmt in ('aabbccddeeff', 'AABBCCDDEEFF'): + sep = '' + elif fmt in ('aa-bb-cc-dd-ee-ff', 'AA-BB-CC-DD-EE-FF'): + sep = '-' + else: + sep = ':' + joined = sep.join(pairs) + return joined.upper() if upper else joined + + def build_radius_users(data): """ Generate freeradius users file. Each MAC reservation across all VLANs gets an entry mapping it to its VLAN ID. Unknown MACs fall through to DEFAULT which returns the radius_default VLAN. - MACs are formatted without colons (FreeRADIUS MAB format). + MAC format and DEFAULT rule scope are read from radius_options in config. """ default_vlan = next( (v for v in data["vlans"] if v.get("radius_default") is True), None @@ -1890,6 +1906,10 @@ def build_radius_users(data): if default_vlan is None: die("No VLAN has radius_default: true. Cannot generate RADIUS users file.") + opts = data.get('radius_options', {}) + mac_fmt = opts.get('mac_format', 'aabbccddeeff') + apply_to = opts.get('apply_to', 'all') + lines = [ "# Generated by core.py -- do not edit manually.", "# Edit config.json and re-run: sudo python3 core.py --apply", @@ -1900,12 +1920,13 @@ def build_radius_users(data): for r in data.get("dhcp_reservations", []): if r.get("enabled") is not True: continue - mac = r.get("mac", "").replace(":", "").lower() - if not mac: + raw_mac = r.get("mac", "") + if not raw_mac: continue vlan = vlan_by_name.get(r.get("vlan", "")) if not vlan: continue + mac = _fmt_mac(raw_mac, mac_fmt) vlan_id = vlan.get('vlan_id') lines += [ f"# {r['description']} -> VLAN {vlan_id} ({vlan['name']})", 
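Review bot: `_fmt_mac` never checks that the cleaned MAC is twelve hex digits — `c[i:i+2]` silently truncates a longer string and yields empty or one-character pairs for a shorter one — so a malformed `mac` in dhcp_reservations produces a garbage users-file entry instead of an error, and `fmt[0].isupper()` raises IndexError if config.json carries `"mac_format": ""`. Any unrecognised `fmt` also falls through to the `':'` branch rather than being rejected, even though the docstring in this same hunk tells operators to hand-edit config.json and re-run. The rewrite below validates both inputs with the file's existing `die` helper (used two hunks down for the radius_default check), drives the separator from a small table, and adds the docstring the helper currently lacks.
```python
# Separator for each supported radius_options.mac_format; case is handled separately.
_MAC_SEPARATORS = {'aabbccddeeff': '', 'aa-bb-cc-dd-ee-ff': '-', 'aa:bb:cc:dd:ee:ff': ':'}


def _fmt_mac(raw, fmt):
    """Return *raw* MAC rendered in the style named by *fmt*, e.g. 'AA-BB-CC-DD-EE-FF'.

    Dies on a MAC that is not 12 hex digits once ':' and '-' are stripped, and
    on a *fmt* outside _MAC_SEPARATORS, so a hand-edited config.json cannot
    produce a malformed users-file entry.
    """
    digits = raw.replace(':', '').replace('-', '').lower()
    if len(digits) != 12 or any(ch not in '0123456789abcdef' for ch in digits):
        die(f"Invalid MAC address in dhcp_reservations: {raw!r}")
    sep = _MAC_SEPARATORS.get(str(fmt).lower())
    if sep is None:
        die(f"Unsupported radius_options.mac_format: {fmt!r}")
    joined = sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    return joined.upper() if fmt[0].isupper() else joined
```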
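Review bot: `apply_to` is read from `radius_options` in the `@@ -1890,6 +1906,10 @@` hunk without validation, and its consumer in the `@@ -1916,10 +1937,15 @@` hunk treats every value other than `'wireless'` as `'all'`, so a misspelling in a hand-edited config.json silently emits the unscoped `DEFAULT Auth-Type := Accept` rule — the permissive outcome the option exists to prevent. Reject it where it is read, as the `radius_default` check just above it does: `if apply_to not in ('all', 'wireless'): die(f"Unsupported radius_options.apply_to: {apply_to!r}")`. `mac_fmt` deserves the same treatment, either here or inside `_fmt_mac`. build_radius_users continues outside this hunk.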
@@ -1916,10 +1937,15 @@ def build_radius_users(data): "", ] - default_id = default_vlan.get('vlan_id') + default_id = default_vlan.get('vlan_id') + default_check = ( + "DEFAULT NAS-Port-Type = Wireless-802.11, Auth-Type := Accept" + if apply_to == 'wireless' + else "DEFAULT Auth-Type := Accept" + ) lines += [ f"# Default -- unknown MACs land on VLAN {default_id} ({default_vlan['name']})", - "DEFAULT Auth-Type := Accept", + default_check, f" Tunnel-Type = VLAN,", f" Tunnel-Medium-Type = IEEE-802,", f" Tunnel-Private-Group-Id = \"{default_id}\"", @@ -1928,6 +1954,24 @@ def build_radius_users(data): return "\n".join(lines) +def _set_freeradius_log(enabled): + """Enable or disable auth logging lines in radiusd.conf.""" + if not RADIUS_CONF_FILE.exists(): + return False + import re + value = 'yes' if enabled else 'no' + content = RADIUS_CONF_FILE.read_text() + updated = re.sub(r'(?m)^(\s*auth\s*=\s*)(yes|no)', rf'\g<1>{value}', content) + updated = re.sub(r'(?m)^(\s*auth_accept\s*=\s*)(yes|no)', rf'\g<1>{value}', updated) + updated = re.sub(r'(?m)^(\s*auth_reject\s*=\s*)(yes|no)', rf'\g<1>{value}', updated) + if updated == content: + print(f"radiusd.conf: auth logging already {'enabled' if enabled else 'disabled'}.") + return False + RADIUS_CONF_FILE.write_text(updated) + print(f"radiusd.conf: auth logging {'enabled' if enabled else 'disabled'}.") + return True + + def apply_radius(data): """Write FreeRADIUS config files and restart the service.""" secret = ensure_radius_secret() @@ -1935,7 +1979,10 @@ def apply_radius(data): clients_content = build_radius_clients_conf(data, secret) users_content = build_radius_users(data) - changed = False + opts = data.get('radius_options', {}) + logging = opts.get('logging', False) + + changed = _set_freeradius_log(logging) for path, content in [(RADIUS_CLIENTS_CONF, clients_content), (RADIUS_USERS_FILE, users_content)]: existing = path.read_text() if path.exists() else None
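Review bot: In `_set_freeradius_log` (`@@ -1928,6 +1954,24 @@`), the early `return False` when radiusd.conf is missing prints nothing, so a requested change to auth logging is silently dropped while the other two exits report what happened; add `print(f"{RADIUS_CONF_FILE}: not found; auth logging setting not applied.")` before it. `RADIUS_CONF_FILE.write_text(updated)` truncates the live config in place, so an interruption mid-write leaves FreeRADIUS with a partial radiusd.conf; writing to a sibling temp file and `os.replace`-ing it over the original is the usual fix. The three `re.sub` calls can collapse into one pattern, `r'(?m)^(\s*auth(?:_accept|_reject)?\s*=\s*)(yes|no)\b'`, and the function-local `import re` belongs with the module imports unless this file keeps imports local by convention (not visible here).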