more changes

2025-04-02 14:52:23 -04:00
parent 82e534f4d3
commit bfd6d8af57
15 changed files with 601 additions and 293 deletions
--- a/radius/main.py
+++ b/radius/main.py
@@ -3,7 +3,9 @@ from pyrad.dictionary import Dictionary
 from pyrad.packet import AccessAccept, AccessReject
 import mysql.connector
 import os
-DEFAULT_VLAN_ID = os.getenv("DEFAULT_VLAN", "999")
+
+DEFAULT_VLAN_ID = os.getenv("DEFAULT_VLAN", "505")
+DENIED_VLAN = os.getenv("DENIED_VLAN", "999")

 class MacRadiusServer(Server):
    def __init__(self, *args, **kwargs):
@@ -20,28 +22,68 @@ class MacRadiusServer(Server):
    def HandleAuthPacket(self, pkt):
        username = pkt['User-Name'][0].upper()
        cursor = self.db.cursor(dictionary=True)
+        
+        # Step 1: Check if the MAC exists in the users table
        cursor.execute("SELECT vlan_id FROM users WHERE mac_address = %s", (username,))
        result = cursor.fetchone()
-        cursor.close()

+        reply = self.CreateReplyPacket(pkt)
+
+        # Step 2: Handle the Access-Accept or Access-Reject scenario
        if result:
-            reply = self.CreateReplyPacket(pkt)
-            reply.code = AccessAccept
-            
-            reply.AddAttribute("Tunnel-Type", 13)
-            reply.AddAttribute("Tunnel-Medium-Type", 6)
-            reply.AddAttribute("Tunnel-Private-Group-Id", result['vlan_id'])
+            # MAC found in users table
+            vlan_id = result['vlan_id']
+
+            # Check if the VLAN is a denied VLAN
+            denied_vlan = os.getenv("DENIED_VLAN", "999")  # Get the denied VLAN from environment
+
+            if vlan_id == denied_vlan:
+                # Step 3: If the MAC is in a denied VLAN, reject the access
+                reply.code = AccessReject
+                cursor.execute("""
+                    INSERT INTO auth_logs (mac_address, reply, result)
+                    VALUES (%s, %s, %s)
+                """, (username, "Access-Reject", f"Denied due to VLAN {denied_vlan}"))
+                self.db.commit()
+                print(f"[INFO] MAC {username} rejected due to VLAN {denied_vlan}")
+
+            else:
+                # Step 4: If the MAC is valid and not in the denied VLAN, accept access and assign VLAN
+                reply.code = AccessAccept
+                reply.AddAttribute("Tunnel-Type", 13)
+                reply.AddAttribute("Tunnel-Medium-Type", 6)
+                reply.AddAttribute("Tunnel-Private-Group-Id", vlan_id)
+
+                # Log successful access
+                cursor.execute("""
+                    INSERT INTO auth_logs (mac_address, reply, result)
+                    VALUES (%s, %s, %s)
+                """, (username, "Access-Accept", f"Assigned to VLAN {vlan_id}"))
+                self.db.commit()
+                print(f"[INFO] MAC {username} accepted and assigned to VLAN {vlan_id}")
+
        else:
-            # Fallback to default VLAN
-            reply = self.CreateReplyPacket(pkt)
-            reply.code = AccessAccept
+            # Step 5: If the MAC is not found in the database, assign to fallback VLAN
+            reply.code = AccessAccept  # Still send Access-Accept even for fallback
            reply["Tunnel-Type"] = 13  # VLAN
            reply["Tunnel-Medium-Type"] = 6  # IEEE-802
            reply["Tunnel-Private-Group-Id"] = DEFAULT_VLAN_ID
-            self.SendReplyPacket(pkt.fd, reply)
+
+            # Log fallback assignment
+            cursor.execute("""
+                INSERT INTO auth_logs (mac_address, reply, result)
+                VALUES (%s, %s, %s)
+            """, (username, "Access-Accept", f"Assigned to fallback VLAN {DEFAULT_VLAN_ID}"))
+            self.db.commit()
+
            print(f"[INFO] MAC {username} not found — assigned to fallback VLAN {DEFAULT_VLAN_ID}")

+        # Send the reply packet (whether accept or reject)
        self.SendReplyPacket(pkt.fd, reply)
+        cursor.close()
+
+
+

 if __name__ == '__main__':
    srv = MacRadiusServer(dict=Dictionary("dictionary"))