RADIUS Support Implementation - Summary
Problem Statement
The device_manager app started implementing RADIUS support but had a half-complete implementation. The issue was that even for "remote mode" (where FreeRADIUS runs on a separate server), the full device_manager Python package needed to be installed on the RADIUS server because FreeRADIUS needed to import device_manager.freeradius.
This prevented truly separate deployment where:
- RADIUS server runs independently on a dedicated appliance
- Frappe + device_manager runs on a separate application server
- RADIUS authenticates via API calls to Frappe (already implemented)
- No Frappe/device_manager installation needed on RADIUS server
Solution Implemented
Created a standalone RADIUS client that can be deployed independently without requiring Frappe or device_manager to be installed locally.
What Was Created
- Standalone Module (radius_client/device_manager_radius.py)
  - Self-contained Python module with zero dependencies beyond stdlib
  - Only supports remote API mode (no local Frappe integration)
  - Can be copied directly to FreeRADIUS without pip installation
  - Makes HTTP API calls to Frappe Device Manager
  - Implements SQLite credential caching for offline operation
- Packaging (radius_client/pyproject.toml)
  - Minimal package configuration for pip installation
  - Can be installed with pip install -e radius_client/
  - Provides device_manager_radius module
- Installation Script (radius_client/install.sh)
  - Automated deployment script for Ubuntu/Debian systems
  - Copies module to FreeRADIUS Python path
  - Configures systemd environment variables
  - Sets up cache directory with proper permissions
  - Interactive setup for API credentials
- Documentation
  - radius_client/README.md - Quick start and overview
  - radius_client/CONFIGURATION.md - Detailed FreeRADIUS configuration examples
  - Updated main README.md with deployment options
Deployment Modes Now Supported
- Standalone Client (NEW - Recommended for Separate Servers)
  - Use: FreeRADIUS on separate server, no Frappe installed locally
  - Module: device_manager_radius.py (from radius_client/)
  - Dependencies: Python 3.10+ only
  - Configuration: Environment variables for API URL/credentials
- Local Mode (Existing)
  - Use: FreeRADIUS on same host as Frappe bench
  - Module: device_manager.freeradius
  - Dependencies: Full Frappe + device_manager installation
  - Configuration: DEVICE_MANAGER_BENCH_PATH, DEVICE_MANAGER_SITE
- Remote Mode (Existing)
  - Use: FreeRADIUS with device_manager installed but Frappe remote
  - Module: device_manager.freeradius
  - Dependencies: device_manager package installed
  - Configuration: DEVICE_MANAGER_FRAPPE_URL, API credentials
Key Features
- Zero external dependencies: Uses only Python stdlib (json, sqlite3, urllib)
- Offline credential caching: SQLite cache with configurable staleness
- Automatic failover: Falls back to cache when Frappe unreachable
- VLAN assignment: Returns VLAN and reply attributes from Frappe policy
- Quarantine support: Routes unknown devices to quarantine VLAN
- Comprehensive logging: Integrates with FreeRADIUS logging system
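The caching and failover features listed above, sketched as an added example (this is not code from device_manager_radius.py): the table layout, function names, policy fields and one-hour staleness limit are all assumptions. It falls back to the cache only when the API call itself fails, rejects entries older than the limit, and purges a cached entry when Frappe explicitly denies the device.

```python
import json
import sqlite3
import time

MAX_STALE_SECONDS = 3600  # assumed staleness limit; the real setting name is not shown here

def open_cache(path=":memory:"):
    """Open (or create) the policy cache. The table layout is an assumption."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS policy_cache ("
        "mac TEXT PRIMARY KEY, policy TEXT NOT NULL, fetched_at REAL NOT NULL)"
    )
    return db

def authorize(db, mac, fetch, now=None, max_stale=MAX_STALE_SECONDS):
    """Return (decision, policy, source). `fetch` is a hypothetical callable that
    performs the API call and raises OSError (urllib's URLError is a subclass)
    when Frappe is unreachable."""
    now = time.time() if now is None else now
    try:
        policy = fetch(mac)
    except OSError:
        # Failover path: only reached when the API call itself failed.
        row = db.execute(
            "SELECT policy, fetched_at FROM policy_cache WHERE mac = ?", (mac,)
        ).fetchone()
        if row is None or now - row[1] > max_stale:
            return ("reject", None, "cache-miss-or-stale")  # fail closed
        return ("accept", json.loads(row[0]), "cache")
    if not policy.get("allowed"):
        # An explicit denial must also revoke any cached acceptance.
        db.execute("DELETE FROM policy_cache WHERE mac = ?", (mac,))
        db.commit()
        return ("reject", None, "api")
    db.execute(
        "INSERT OR REPLACE INTO policy_cache VALUES (?, ?, ?)",
        (mac, json.dumps(policy), now),
    )
    db.commit()
    return ("accept", policy, "api")

if __name__ == "__main__":
    def frappe_down(mac):  # constructed stand-in for an unreachable API
        raise OSError("connection refused")
    cache = open_cache()
    mac = "aa:bb:cc:dd:ee:ff"  # constructed sample MAC
    print(authorize(cache, mac, lambda m: {"allowed": True, "vlan": 20}, now=0))
    print(authorize(cache, mac, frappe_down, now=1800))  # served from cache
    print(authorize(cache, mac, frappe_down, now=7200))  # stale, rejected
```

The staleness limit bounds how long a device that has since been revoked in Frappe can keep authenticating from cache during an outage.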
Files Created
device_manager/radius_client/
├── __init__.py # Package init
├── .gitignore # Python build artifacts
├── CONFIGURATION.md # Detailed FreeRADIUS setup guide
├── README.md # Quick start guide
├── device_manager_radius.py # Standalone module (387 lines)
├── install.sh # Automated installation script
└── pyproject.toml # Package configuration
Testing
The standalone module can be tested without affecting the main device_manager app:
# Copy to FreeRADIUS
sudo cp radius_client/device_manager_radius.py /etc/freeradius/3.0/mods-config/python3/
# Configure (see CONFIGURATION.md)
# ...
# Test in debug mode
sudo freeradius -X
Migration Path
Existing deployments using device_manager.freeradius in remote mode can optionally migrate to the standalone client for a lighter footprint:
- Copy device_manager_radius.py to RADIUS server
- Update FreeRADIUS config to use device_manager_radius module
- Keep same environment variables (DEVICE_MANAGER_FRAPPE_URL, etc.)
- Uninstall device_manager package from RADIUS server (optional)
Benefits
- True separation of concerns: RADIUS server is just a RADIUS server
- Minimal attack surface: No Frappe code on RADIUS appliance
- Easier deployment: Single Python file + config
- Independent updates: Update Frappe without touching RADIUS
- Better security: RADIUS server doesn't need database credentials
- Simplified maintenance: Fewer moving parts on RADIUS server
Backward Compatibility
All existing deployment modes continue to work unchanged. The standalone client is an additional option, not a replacement.