RADIUS Support Implementation - Summary

Problem Statement

The device_manager app's RADIUS support was only half-complete. Even in "remote mode" (where FreeRADIUS runs on a separate server), the full device_manager Python package had to be installed on the RADIUS server, because FreeRADIUS needed to import device_manager.freeradius.

This prevented truly separate deployment where:

  • RADIUS server runs independently on a dedicated appliance
  • Frappe + device_manager runs on a separate application server
  • RADIUS authenticates via API calls to Frappe (already implemented)
  • No Frappe/device_manager installation needed on RADIUS server

Solution Implemented

Created a standalone RADIUS client that can be deployed independently without requiring Frappe or device_manager to be installed locally.

What Was Created

  1. Standalone Module (radius_client/device_manager_radius.py)

    • Self-contained Python module with zero dependencies beyond stdlib
    • Only supports remote API mode (no local Frappe integration)
    • Can be copied directly to FreeRADIUS without pip installation
    • Makes HTTP API calls to Frappe Device Manager
    • Implements SQLite credential caching for offline operation
  2. Packaging (radius_client/pyproject.toml)

    • Minimal package configuration for pip installation
    • Can be installed with pip install -e radius_client/
    • Provides device_manager_radius module
  3. Installation Script (radius_client/install.sh)

    • Automated deployment script for Ubuntu/Debian systems
    • Copies module to FreeRADIUS Python path
    • Configures systemd environment variables
    • Sets up cache directory with proper permissions
    • Interactive setup for API credentials
  4. Documentation

    • radius_client/README.md - Quick start and overview
    • radius_client/CONFIGURATION.md - Detailed FreeRADIUS configuration examples
    • Updated main README.md with deployment options

Deployment Modes Now Supported

  1. Standalone Client (NEW - Recommended for Separate Servers)

    • Use: FreeRADIUS on separate server, no Frappe installed locally
    • Module: device_manager_radius.py (from radius_client/)
    • Dependencies: Python 3.10+ only
    • Configuration: Environment variables for API URL/credentials
  2. Local Mode (Existing)

    • Use: FreeRADIUS on same host as Frappe bench
    • Module: device_manager.freeradius
    • Dependencies: Full Frappe + device_manager installation
    • Configuration: DEVICE_MANAGER_BENCH_PATH, DEVICE_MANAGER_SITE
  3. Remote Mode (Existing)

    • Use: FreeRADIUS with device_manager installed but Frappe remote
    • Module: device_manager.freeradius
    • Dependencies: device_manager package installed
    • Configuration: DEVICE_MANAGER_FRAPPE_URL, API credentials

Key Features

  • Zero external dependencies: Uses only Python stdlib (json, sqlite3, urllib)
  • Offline credential caching: SQLite cache with configurable staleness
  • Automatic failover: Falls back to cache when Frappe unreachable
  • VLAN assignment: Returns VLAN and reply attributes from Frappe policy
  • Quarantine support: Routes unknown devices to quarantine VLAN
  • Comprehensive logging: Integrates with FreeRADIUS logging system
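The caching and failover behaviour listed above can be sketched with the stdlib alone. This is an added example, not the code in device_manager_radius.py: the `ReplyCache` schema, the `authorize` function, the `fetch` callable that stands in for the HTTP call to Frappe, and the quarantine VLAN id are all assumptions made for illustration.

```python
import json
import sqlite3
import time

QUARANTINE_VLAN = "999"  # assumed VLAN id, not taken from the project


class ReplyCache:
    """SQLite cache of the last RADIUS reply attributes seen per MAC address."""

    def __init__(self, path=":memory:", max_age=3600):
        self.max_age = max_age  # seconds a cached entry stays usable
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS reply_cache ("
            "mac TEXT PRIMARY KEY, attrs TEXT NOT NULL, fetched REAL NOT NULL)")

    def put(self, mac, attrs, now):
        self.db.execute("INSERT OR REPLACE INTO reply_cache VALUES (?, ?, ?)",
                        (mac, json.dumps(attrs), now))
        self.db.commit()

    def get(self, mac, now):
        row = self.db.execute(
            "SELECT attrs, fetched FROM reply_cache WHERE mac = ?", (mac,)).fetchone()
        if row is None or now - row[1] > self.max_age:
            return None  # never seen, or too stale to trust
        return json.loads(row[0])


def authorize(mac, fetch, cache, now=None):
    """Return (decision, reply_attrs). fetch(mac) stands in for the HTTP call:
    it returns a dict, None for an unknown device, or raises OSError
    (urllib.error.URLError is a subclass) when the server is unreachable."""
    now = time.time() if now is None else now
    mac = mac.lower().replace("-", ":")
    try:
        attrs = fetch(mac)
    except OSError:
        cached = cache.get(mac, now)
        # Fail closed: no fresh cache entry means no network access.
        return ("accept-cached", cached) if cached is not None else ("reject", {})
    if attrs is None:
        # Unknown device: quarantine, and do not cache the decision.
        return ("quarantine", {"Tunnel-Private-Group-Id": QUARANTINE_VLAN})
    cache.put(mac, attrs, now)
    return ("accept", attrs)
```

The staleness limit is the security-relevant knob here: a longer `max_age` keeps devices online through a longer outage, but also keeps honouring a device that was revoked in Frappe after the outage began.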

Files Created

device_manager/radius_client/
├── __init__.py                    # Package init
├── .gitignore                     # Python build artifacts
├── CONFIGURATION.md               # Detailed FreeRADIUS setup guide
├── README.md                      # Quick start guide
├── device_manager_radius.py       # Standalone module (387 lines)
├── install.sh                     # Automated installation script
└── pyproject.toml                 # Package configuration

Testing

The standalone module can be tested without affecting the main device_manager app:

# Copy to FreeRADIUS
sudo cp radius_client/device_manager_radius.py /etc/freeradius/3.0/mods-config/python3/

# Configure (see CONFIGURATION.md)
# ...

# Test in debug mode
sudo freeradius -X

Migration Path

Existing deployments using device_manager.freeradius in remote mode can optionally migrate to the standalone client for a lighter footprint:

  1. Copy device_manager_radius.py to RADIUS server
  2. Update FreeRADIUS config to use device_manager_radius module
  3. Keep same environment variables (DEVICE_MANAGER_FRAPPE_URL, etc.)
  4. Uninstall device_manager package from RADIUS server (optional)

Benefits

  1. True separation of concerns: RADIUS server is just a RADIUS server
  2. Minimal attack surface: No Frappe code on RADIUS appliance
  3. Easier deployment: Single Python file + config
  4. Independent updates: Update Frappe without touching RADIUS
  5. Better security: RADIUS server doesn't need database credentials, only the API credentials for Frappe
  6. Simplified maintenance: Fewer moving parts on RADIUS server

Backward Compatibility

All existing deployment modes continue to work unchanged. The standalone client is an additional option, not a replacement.