mgrotke/linuxrouter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Development

Browse source
This commit is contained in:
Matthew Grotke 2026-06-04 15:33:41 -04:00
parent 65c5b61ca7
commit c0ba3e76b7
5 changed files with 226 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

67
routlin/core.py
View file

@ -1830,7 +1830,10 @@ RADIUS_SECRET_FILE = SCRIPT_DIR / ".radius-secret"
RADIUS_CLIENTS_CONF = Path("/etc/freeradius/3.0/clients.conf")
RADIUS_USERS_FILE = Path("/etc/freeradius/3.0/users")
RADIUS_CONF_FILE = Path("/etc/freeradius/3.0/radiusd.conf")
RADIUS_EAP_FILE = Path("/etc/freeradius/3.0/mods-available/eap")
RADIUS_HUNTGROUPS = Path("/etc/freeradius/3.0/huntgroups")
RADIUS_LOG_FILE = Path("/var/log/freeradius/radius.log")
RADIUS_HUNTGROUP_NAME = "routlin-aps"
def radius_clients(data):
"""Return list of (reservation, vlan) tuples where radius_client is True."""
@ -1854,6 +1857,8 @@ def ensure_radius_secret():
RADIUS_SECRET_FILE.write_text(secret + "\n")
RADIUS_SECRET_FILE.chmod(0o644)
print(f"Generated RADIUS shared secret: {RADIUS_SECRET_FILE}")
print(f" ACTION REQUIRED: enter this shared secret into your managed switch's RADIUS configuration:")
print(f" {secret}")
return secret
def build_radius_clients_conf(data, secret):
@ -1941,12 +1946,14 @@ def build_radius_users(data):
"",
]
default_id = default_vlan.get('vlan_id')
default_check = (
"DEFAULT NAS-Port-Type = Wireless-802.11, Auth-Type := Accept"
if apply_to == 'wireless'
else "DEFAULT Auth-Type := Accept"
)
default_id = default_vlan.get('vlan_id')
ap_ips = fr_opts.get('ap_ips', [])
if apply_to == 'wireless':
default_check = "DEFAULT NAS-Port-Type = Wireless-802.11, Auth-Type := Accept"
elif apply_to == 'huntgroup' and ap_ips:
default_check = f'DEFAULT Huntgroup-Name == "{RADIUS_HUNTGROUP_NAME}", Auth-Type := Accept'
else:
default_check = "DEFAULT Auth-Type := Accept"
lines += [
f"# Default -- unknown MACs land on VLAN {default_id} ({default_vlan['name']})",
default_check,
@ -1976,6 +1983,50 @@ def _set_freeradius_log(enabled):
return True
def _write_huntgroups(data):
opts = data.get('radius', {}).get('options', {})
apply_to = opts.get('apply_to', 'all')
ap_ips = opts.get('ap_ips', [])
if apply_to != 'huntgroup' or not ap_ips:
return False
lines = [
"# Generated by core.py -- do not edit manually.",
"# Edit config.json and re-run: sudo python3 core.py --apply",
"",
]
for ip in ap_ips:
lines.append(f"{RADIUS_HUNTGROUP_NAME} NAS-IP-Address == {ip}")
content = "\n".join(lines) + "\n"
existing = RADIUS_HUNTGROUPS.read_text() if RADIUS_HUNTGROUPS.exists() else None
if existing == content:
return False
RADIUS_HUNTGROUPS.write_text(content)
print(f"Written: {RADIUS_HUNTGROUPS}")
return True
def _set_freeradius_eap(data):
if not RADIUS_EAP_FILE.exists():
return False
eap_cfg = data.get('radius', {}).get('eap', {})
tunneled_reply = eap_cfg.get('tunneled_reply', False)
allow_weak_eap = eap_cfg.get('allow_weak_eap', False)
import re
content = RADIUS_EAP_FILE.read_text()
updated = content
tr_val = 'yes' if tunneled_reply else 'no'
updated = re.sub(r'(?m)^(\s*use_tunneled_reply\s*=\s*)(yes|no)', rf'\g<1>{tr_val}', updated)
if allow_weak_eap:
updated = re.sub(r'(?m)^(\s*)#(\s*md5\s*\{)', r'\1\2', updated)
else:
updated = re.sub(r'(?m)^(\s*)(md5\s*\{)', r'\1#\2', updated)
if updated == content:
return False
RADIUS_EAP_FILE.write_text(updated)
print(f"EAP: tunneled_reply={tr_val}, allow_weak_eap={allow_weak_eap}")
return True
def apply_radius(data):
"""Write FreeRADIUS config files and restart the service."""
secret = ensure_radius_secret()
@ -1985,7 +2036,9 @@ def apply_radius(data):
logging = data.get('radius', {}).get('general', {}).get('logging', False)
changed = _set_freeradius_log(logging)
changed = _set_freeradius_log(logging)
changed |= _write_huntgroups(data)
changed |= _set_freeradius_eap(data)
for path, content in [(RADIUS_CLIENTS_CONF, clients_content),
(RADIUS_USERS_FILE, users_content)]:
existing = path.read_text() if path.exists() else None