openwisp / django-freeradius


Administration web interface and REST API for freeradius 3 built in django & python; development has moved to openwisp-radius

Home Page: http://openwisp-radius.readthedocs.io

License: Other

Shell 0.02% Python 97.73% CSS 0.24% JavaScript 1.74% HTML 0.26%
aaa freeradius freeradius-webinterface networking openwisp radius


django-freeradius's Issues

[Feature] RadiusCheck should prevent duplicate entries by username

This feature should drop out the duplicate admin filter I did but... Yes it should.
We could improve AbstractRadiusCheckManager by adding a check into the overridden create() method.

If freeradius has a duplicate username it will authenticate the session according to the oldest account.
The last inserted, with a different password value, will be ignored.

This could also introduce a workaround into radiucheck query in freeradius sql dialect file but I think that it could be better to avoid the creation of duplicates, if you agree with me.

[accounting] Optimize accounting API queries

I would like to improve the current AccountingView so that only 1 SQL query is executed for each HTTP request, with a fallback query that is executed in case the first query fails.

To emulate the classical behaviour of the freeradius SQL module there are 3 cases to cover, each case has a fallback option, totalling 6 different cases to implement (and cover in automated tests):

  • accounting start (SQL insert) / fallback (SQL update if session is already present)
  • accounting update (SQL update) / fallback (SQL insert if session is not present)
  • accounting stop (SQL update) / fallback (SQL insert if session is not present)
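The three cases and their fallbacks listed in the issue above, as an added example that is not part of the issue or of the project's code. It uses an in-memory SQLite database with a constructed, reduced `radacct` table; the column names, `handle_accounting` and `make_db` are assumptions made for illustration.

```python
import sqlite3

# Constructed, reduced radacct table: only the columns the fallback logic needs.
SCHEMA = """CREATE TABLE radacct (
    unique_id TEXT PRIMARY KEY, username TEXT NOT NULL,
    start_time TEXT, update_time TEXT, stop_time TEXT,
    session_time INTEGER NOT NULL DEFAULT 0)"""
COLS = "(unique_id, username, start_time, update_time, stop_time, session_time)"
WHERE = " WHERE unique_id = :unique_id"

# Acct-Status-Type -> (primary query, fallback query); values are bound, never interpolated.
QUERIES = {
    "Start": (
        "INSERT INTO radacct " + COLS + " VALUES (:unique_id, :username, :time, :time, NULL, 0)",
        "UPDATE radacct SET start_time = :time, update_time = :time" + WHERE,
    ),
    "Interim-Update": (
        "UPDATE radacct SET update_time = :time, session_time = :session_time" + WHERE,
        "INSERT INTO radacct " + COLS
        + " VALUES (:unique_id, :username, NULL, :time, NULL, :session_time)",
    ),
    "Stop": (
        "UPDATE radacct SET stop_time = :time, session_time = :session_time" + WHERE,
        "INSERT INTO radacct " + COLS
        + " VALUES (:unique_id, :username, NULL, :time, :time, :session_time)",
    ),
}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def handle_accounting(conn, status_type, params):
    """Run the primary query; run the fallback only if the primary did not apply.
    Returns "primary" or "fallback" so the caller (or a test) can see which path ran."""
    if status_type not in QUERIES:
        raise ValueError("unsupported Acct-Status-Type: %r" % (status_type,))
    primary, fallback = QUERIES[status_type]
    with conn:  # one transaction per accounting request
        try:
            if conn.execute(primary, params).rowcount > 0:
                return "primary"
        except sqlite3.IntegrityError:
            pass  # Start for a session that already exists (duplicate unique_id)
        conn.execute(fallback, params)
        return "fallback"

if __name__ == "__main__":
    db = make_db()
    req = {"unique_id": "sess-1", "username": "alice",
           "time": "2018-01-01 10:00:00", "session_time": 0}  # constructed request
    for status in ("Start", "Start", "Interim-Update", "Stop"):
        print(status, "->", handle_accounting(db, status, req))
```

In the common case each request costs one query; the second query runs only when the first one fails or matches no row, which gives the six paths to cover in automated tests.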

[management] delete_old_radacct

In OpenWISP 1 we have implemented a few scripts that perform cleaning operations, we could implement these operations as management commands, eg:

  • ./manage.py delete_old_radacct <number_of_days> would delete sessions older than <number_of_days>

[docs] Specify which steps are required when installing freeradius for development

In https://github.com/openwisp/django-freeradius/blob/master/docs/source/general/freeradius.rst we deal with installing and configuring freeradius with both a sql backend and a rest backend but we don't specify which is needed for development only.

As an example #75 had problems that deal with configuring freeradius and can't move on to more interesting work.

I suggest we begin with named sections and specify which are needed for development purposes only.

[accounting] Dealing with unterminated radacct entries

@yakky posed a couple of good questions, a third was then posed to myself:

  1. what happens if an accounting with 'Acct-Status-Type'= 'Start' is sent but an accounting with same Acct-Unique-Session-Id already exists? has been addressed in #45 and will be optimized in #49
  2. what happens if an accounting with 'Acct-Status-Type'= 'Interim-Update' is sent but the accounting does not exist? has been addressed in #45 and will be optimized in #49
  3. (added by myself) what happens if an accounting is never stopped? It happened to us at @Cineca a few times in the past and my colleague @dariomas told me they solved it with a script

Some of these points may become separate issues in the near future. Acting now without full understanding and a real world instance may be premature, but it is better to start thinking about whether it's worth trying to solve these problems within the application itself and, if yes, how, and whether this automation can be turned off in case of need.

[management] delete_old_postauth

In OpenWISP 1 we have implemented a few scripts that perform cleaning operations, we could implement these operations as management commands, eg:

  • ./manage.py delete_old_postauth <number_of_days> would delete postauth logs older than <number_of_days>

[db] Smart migration from freeradius 3

As discussed, we want to make it easy for those users who are already using freeradius 3 to start using django-freeradius.

To accomplish this we should proceed as follows:

  1. first of all, we have to ensure our models reflect the default freeradius schema very closely
  2. the first django migration should be dedicated to the default freeradius schema
  3. every modification and addition to the default schema, must be done in subsequent migrations, starting from 0002
  4. we then need to document how to skip the first migration in case users want to use django-freeradius on an existing freeradius 3 database

[feature] Accounting API (write)

As discussed, let's add a way to store radius accounting sessions via the RESTful API.

This feature should be added after #3 which should be easier to implement.

[Accounting] Add ForeignKey to settings.AUTH_MODEL

Add a ForeignKey from RadiusAccounting to settings.AUTH_MODEL which can be NULL.

We should add a mechanism through which the ForeignKey is automatically filled if the accounting is related to a user which is present in the database (if the user is not present in the database the foreign key will be left NULL, this is needed to support use cases which involve managing a freeradius proxy which forwards the authentication to different radius servers).

[Feature] Disabled Users in API

We can add a possibility to manage disabled users.
A standard way to have disabled users is to use a group in radgroupcheck table.
Here you can see an example
We can decide to have a simple checkbox in the users page like "Disabled" or we can improve a simple method to add users to one or more groups.
I prefer the last one.

[feature] Batch "add users" feature

Implement a "batch add users" feature:

  • each batch operation and its details must be saved to the database
  • from each batch operation it must be possible to retrieve all the created username and password combinations
  • deleting a batch operation should delete all the users created with it
  • accounts created via batch operations may have an expiration date after which their account is no longer able to authenticate (this will probably require to introduce a few changes in the model)
  • it would be very useful to add a way to generate a PDF with badges containing username and passwords generated in the batch operation - we can do a first basic version of this feature if we have time

[feature] Add models

  • add radius related models
  • add admin interface to manipulate database objects
  • add tests for basic features of models
  • add tests for basic features of admin (eg: open list page of each model)
  • ensure database structure works with freeradius

Moved out of this issue

Default freeradius 3 POSTAUTH query fails

Output of freeradius -X when trying a dummy authentication, eg: radtest admin admin localhost 10 testing123.

(5) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())
(5) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('admin', 'admin', 'Access-Reject', NOW())
(5) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('admin', 'admin', 'Access-Reject', NOW())
rlm_sql_postgresql: Status: PGRES_FATAL_ERROR
rlm_sql_postgresql: 23502: NOT NULL VIOLATION
(5) sql: rlm_sql_postgresql: ERROR:  null value in column "created" violates not-null constraint

In this case I think the best option is to keep the default postauth table as close as possible to what the default freeradius configuration expects.

Pypi package has empty module files.

Hi guys,

It appears that the package on pypi has at least one empty module (my colleague reckons there were some others as well):

i.e. lib/python3.5/site-packages/django_freeradius/urls.py is just a blank file.

Importing it into Django, as per the basic instructions, results in the error:

django.core.exceptions.ImproperlyConfigured: 
The included URLconf  '<module 'django_freeradius.urls' from '/home/richard/.virtualenvs/panos-rest/lib/python3.5/site-packages/django_freeradius/urls.py'>' does not appear to have any patterns in it. 
If you see valid patterns in the file then the issue is probably caused by a circular import.

Installing the package from https://github.com/openwisp/django-freeradius/tarball/master however, everything works as expected and results in the module having the expected lines:

from django.conf.urls import include, url

from .api import urls as api

urlpatterns = [
    url(r'^api/', include(api)),
]

[Feature] List of nas type in the nas add page

In the nas add page we can add a list of nas type on the right of the input box.
A free input box will remain, user can decide to write a nas type or choose one from the list.
I think it would be helpful.
What do you think @nemesisdesign ?

Password Encryption

Hi guys,

I'm wondering has anyone given thought to, or is it within the scope of the project's goals, to add the respective encryption algorithms for the radcheck passwords and an option to encrypt from the admin panel?

I'm going to have to do this myself anyway, for at least one algorithm, so would be happy to contribute if this is something that is welcomed.

Edit: To clarify, I mean to add an extra field + button to populate the value field with the encrypted password, as seen below:

image

[authorize] Allow to enforce session limits

We have to do mainly 2 things:

  • add a way (or establish what's the best way using the current available SQL tables) to define limits to the session of the users
  • enforce these limits in the authorize section of freeradius

More specifically, we need to be able to replicate at least two features of OpenWISP User Management System:

  • daily bandwidth counter
  • daily session limit

We still need to understand in practice what's the best way to implement this feature.

[API] How to limit usage?

What's the best and simplest way to limit who can use the API?

Initially I thought about allowing specific ip ranges but then I thought maybe using some sort of token authentication may be good too.

PS: we should choose a solution which is also simple to automate via ansible

[docs] Move information from README to docs

Move data in the README to the documentation, eg:

  • Setup & Install
    • Install stable version from pypi
    • Install development version
    • Setup (integrate in an existing django project)
    • Installing for development
  • Contributing

[docs] No file "sql" of freeradius-server

I have ubuntu 16.04.3 with the latest updates
I installed freeradius from the site and the repository (on the first VM from sources and on the second from the repository)
And there is no directory mods-available (so there is no sql file)
But I found a very similar file called sql.conf, except for the dialect value (there is no such parameter)
What is wrong, or is it an update of freeradius and we should update the documentation?

[Feature] Radius group users: radcheck m2m autocomplete

In RadiusGroupUsersAdmin we also need a "search and autocomplete" widget on m2m radiuscheck entries. Currently a user has to scroll by hand and then select the desired accounts holding the CTRL key, this is not so easy for thousands of accounts :)

According to this I'm proposing to introduce this dependency in django-freeradius
django-autocomplete-light

I already developed using it in the Django Admin backend, this should not be a problem for me.
Let me know if it sounds useful to you too :)

[feature] Accounting API (read)

Implement a RESTful API through which authorized users will be able to retrieve radius sessions, this API must be implemented using django REST framework.

Other API endpoints (for other models) may be added if there's time.

[Accounting-API] Improve filtering

Allow filtering for these fields:

  • username filter for a specific username
  • called_station_id
  • calling_station_id
  • start_time: look for sessions started in a specific date (in YYYY-MM-DD format)
  • stop_time: look for sessions finished in a specific date (in YYYY-MM-DD format)
  • open: this is not a database field but a boolean filter that looks for sessions which have stop_time == None

I suggest to use this kind of implementation: http://www.django-rest-framework.org/api-guide/filtering/#djangofilterbackend

[cleanup] Some db_columns are redundant

Eg:

priority = models.IntegerField(verbose_name=_('priority'), default=1, db_column='priority')

The attribute is named priority and also has a db_column='priority' argument.

This redundancy is slowing me down in trying to read and understand the code.

I propose to avoid it when db_column is equal to the model field.

[API] authorize

As proposed in the OpenWISP Mailing List, in order to overcome the hashing algorithm problem, we can configure freeradius to use a RESTful API.

We should therefore add an API URL that is dedicated to perform freeradius authorization (and maybe also authentication? @yakky we need to investigate this).

Consider the following requirements when developing this feature:

[postauth] Create API for postauth

(note: lower priority)

After merging #28 the default postauth query works, but I've noticed the default query logs the password of the user, which in case of a successful attempt effectively defeats the point explained in the hashing algorithm proposal I sent yesterday on the OpenWISP Mailing list.

Possible solutions:

  • add a note in the documentation which suggests to disable the postauth query entirely
  • add a note in the documentation which suggests a postauth query that doesn't log the password - this would require editing the postauth model and making the password field not required

Let's proceed as follows:

  • allow the password field to be blank
  • add an API method called postauth
  • for successful authentications, do not store passwords
  • for failed authentications, store everything
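The storage rule proposed in the issue above, as an added example that is not part of the issue or of the project's code. It uses an in-memory SQLite table built from the columns in the logged POSTAUTH query earlier on this page; `record_postauth`, `scrub_accepted`, `make_db` and the choice to refuse unknown reply types are assumptions made for illustration.

```python
import sqlite3

# Constructed table using the columns of the logged radpostauth INSERT;
# "pass" is allowed to be blank, as the issue proposes.
SCHEMA = """CREATE TABLE radpostauth (
    id INTEGER PRIMARY KEY, username TEXT NOT NULL,
    pass TEXT NOT NULL DEFAULT '', reply TEXT NOT NULL,
    authdate TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)"""

ACCEPT, REJECT = "Access-Accept", "Access-Reject"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def record_postauth(conn, username, password, reply):
    """Store one post-auth event and return the password value actually written.
    The password is kept only for rejected attempts; anything that is not an
    explicit accept or reject is refused (assumption: fail closed)."""
    if reply not in (ACCEPT, REJECT):
        raise ValueError("unexpected reply type: %r" % (reply,))
    stored = password if reply == REJECT else ""
    with conn:
        conn.execute(
            "INSERT INTO radpostauth (username, pass, reply) VALUES (?, ?, ?)",
            (username, stored, reply),
        )
    return stored

def scrub_accepted(conn):
    """Blank passwords already logged for successful logins, for example rows
    written earlier by the default query. Returns the number of rows changed."""
    with conn:
        cur = conn.execute(
            "UPDATE radpostauth SET pass = '' WHERE reply = ? AND pass <> ''",
            (ACCEPT,),
        )
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    # Constructed legacy row, as the default query would have logged it.
    db.execute("INSERT INTO radpostauth (username, pass, reply) VALUES (?, ?, ?)",
               ("admin", "admin", ACCEPT))
    record_postauth(db, "alice", "s3cret", ACCEPT)   # password not stored
    record_postauth(db, "bob", "wrong-guess", REJECT)  # stored in full
    print("scrubbed rows:", scrub_accepted(db))
```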

[accounting] Default accounting query fails on postgresql

Getting the following error:

(1) sql: rlm_sql_postgresql: ERROR:  column "acctupdatetime" of relation "radacct" does not exist

When trying to simulate an accounting request with radclient.

The radacct table is missing the acctupdatetime column.

[docs] development env uses sqlite but docs explain to use postgresql

When I installed django freeradius, I saw that some steps are missing in the documentation. I followed this tutorial, http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html, for the installation of freeradius on a virtual machine with debian. Among the installation requirements of sql there is also python_ mysql.db . After doing that, for the configuration with postgresql, it's necessary to install and import the schema.sql in postgres. There isn't any tutorial for this.

@nemesisdesign

[Accounting] Add index for called-station-id and calling-station-id

In OpenWISP1 we have an index for called-station-id in radacct which helps us to retrieve sessions performed from a specific access point faster.

We also need to add an index to calling-station-id which will speed up filtering accounting for specific client devices.

We need to do this after #41 is completed.

[models] RadiusGroup redundant created and modified

The model RadiusGroup has two additional fields:

  • creation_date
  • modification_date

which seem to be redundant with created and modified.

@lillopaco could you find out if we can use the usual created and modified fields which we have for every model and remove those two fields?
