# RADIUS Support Implementation - Summary
## Problem Statement
RADIUS support in the device_manager app was only half complete. Even in "remote mode" (where FreeRADIUS runs on a separate server), the full device_manager Python package had to be installed on the RADIUS server, because FreeRADIUS needed to import `device_manager.freeradius`.
This prevented a truly separate deployment, in which:
- RADIUS server runs independently on a dedicated appliance
- Frappe + device_manager runs on a separate application server
- RADIUS authenticates via API calls to Frappe (already implemented)
- No Frappe/device_manager installation needed on RADIUS server
## Solution Implemented
Created a **standalone RADIUS client** that can be deployed independently without requiring Frappe or device_manager to be installed locally.
### What Was Created
1. **Standalone Module** (`radius_client/device_manager_radius.py`)
   - Self-contained Python module with zero dependencies beyond stdlib
   - Only supports remote API mode (no local Frappe integration)
   - Can be copied directly to FreeRADIUS without pip installation
   - Makes HTTP API calls to Frappe Device Manager
   - Implements SQLite credential caching for offline operation
2. **Packaging** (`radius_client/pyproject.toml`)
   - Minimal package configuration for pip installation
   - Can be installed with `pip install -e radius_client/`
   - Provides `device_manager_radius` module
3. **Installation Script** (`radius_client/install.sh`)
   - Automated deployment script for Ubuntu/Debian systems
   - Copies module to FreeRADIUS Python path
   - Configures systemd environment variables
   - Sets up cache directory with proper permissions
   - Interactive setup for API credentials
4. **Documentation**
   - `radius_client/README.md` - Quick start and overview
   - `radius_client/CONFIGURATION.md` - Detailed FreeRADIUS configuration examples
   - Updated main `README.md` with deployment options
### Deployment Modes Now Supported
1. **Standalone Client (NEW - Recommended for Separate Servers)**
   - Use: FreeRADIUS on separate server, no Frappe installed locally
   - Module: `device_manager_radius.py` (from `radius_client/`)
   - Dependencies: Python 3.10+ only
   - Configuration: Environment variables for API URL/credentials
2. **Local Mode (Existing)**
   - Use: FreeRADIUS on same host as Frappe bench
   - Module: `device_manager.freeradius`
   - Dependencies: Full Frappe + device_manager installation
   - Configuration: `DEVICE_MANAGER_BENCH_PATH`, `DEVICE_MANAGER_SITE`
3. **Remote Mode (Existing)**
   - Use: FreeRADIUS with device_manager installed but Frappe remote
   - Module: `device_manager.freeradius`
   - Dependencies: device_manager package installed
   - Configuration: `DEVICE_MANAGER_FRAPPE_URL`, API credentials
### Key Features
- **Zero external dependencies**: Uses only Python stdlib (json, sqlite3, urllib)
- **Offline credential caching**: SQLite cache with configurable staleness
- **Automatic failover**: Falls back to cache when Frappe unreachable
- **VLAN assignment**: Returns VLAN and reply attributes from Frappe policy
- **Quarantine support**: Routes unknown devices to quarantine VLAN
- **Comprehensive logging**: Integrates with FreeRADIUS logging system
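
The caching and failover behaviour listed above, shown as an added example; it is not the code in `device_manager_radius.py`. The names `PolicyCache` and `authorize`, the table schema, the `fetch` callable standing in for the HTTP call to Frappe, and the shape of the reply are all assumptions made for illustration.

```python
import json
import sqlite3
import time

class PolicyCache:
    """SQLite cache of the last policy reply per device (hypothetical schema)."""
    def __init__(self, path=":memory:", max_age=3600):
        self.max_age = max_age  # staleness limit in seconds
        self.db = sqlite3.connect(path)  # a file-backed cache should be readable only by the RADIUS user
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS policy ("
            "mac TEXT PRIMARY KEY, reply TEXT NOT NULL, fetched_at REAL NOT NULL)"
        )

    def put(self, mac, reply, now):
        self.db.execute(
            "INSERT OR REPLACE INTO policy VALUES (?, ?, ?)",
            (mac, json.dumps(reply), now),
        )
        self.db.commit()

    def get_fresh(self, mac, now):
        row = self.db.execute(
            "SELECT reply, fetched_at FROM policy WHERE mac = ?", (mac,)
        ).fetchone()
        # A stale entry is treated exactly like a missing one.
        if row is None or now - row[1] > self.max_age:
            return None
        return json.loads(row[0])

def authorize(mac, fetch, cache, now=None):
    """Return (reply, source). fetch(mac) is an assumed stand-in for the API call."""
    now = time.time() if now is None else now
    mac = mac.lower().replace("-", ":")  # one canonical cache key per device
    try:
        reply = fetch(mac)
    except OSError:  # urllib.error.URLError and socket timeouts derive from OSError
        cached = cache.get_fresh(mac, now)
        if cached is None:
            # Fail closed: no fresh answer means no access.
            return {"accept": False}, "reject-no-fresh-cache"
        return cached, "cache"
    # Every live answer, including a deny, replaces the cached one.
    cache.put(mac, reply, now)
    return reply, "live"
```

Because a live deny overwrites the cached accept, a revoked device stops being admitted from cache once Frappe has been reached again. The staleness limit bounds how long a previously accepted device is admitted while Frappe is unreachable.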
### Files Created
```
device_manager/radius_client/
├── __init__.py # Package init
├── .gitignore # Python build artifacts
├── CONFIGURATION.md # Detailed FreeRADIUS setup guide
├── README.md # Quick start guide
├── device_manager_radius.py # Standalone module (387 lines)
├── install.sh # Automated installation script
└── pyproject.toml # Package configuration
```
### Testing
The standalone module can be tested without affecting the main device_manager app:
```bash
# Copy to FreeRADIUS
sudo cp radius_client/device_manager_radius.py /etc/freeradius/3.0/mods-config/python3/
# Configure (see CONFIGURATION.md)
# ...
# Test in debug mode
sudo freeradius -X
```
### Migration Path
Existing deployments using `device_manager.freeradius` in remote mode can optionally migrate to the standalone client for a lighter footprint:
1. Copy `device_manager_radius.py` to RADIUS server
2. Update FreeRADIUS config to use `device_manager_radius` module
3. Keep same environment variables (DEVICE_MANAGER_FRAPPE_URL, etc.)
4. Uninstall device_manager package from RADIUS server (optional)
## Benefits
1. **True separation of concerns**: RADIUS server is just a RADIUS server
2. **Minimal attack surface**: No Frappe code on RADIUS appliance
3. **Easier deployment**: Single Python file + config
4. **Independent updates**: Update Frappe without touching RADIUS
5. **Better security**: RADIUS server doesn't need database credentials
6. **Simplified maintenance**: Fewer moving parts on RADIUS server
## Backward Compatibility
All existing deployment modes continue to work unchanged. The standalone client is an additional option, not a replacement.