Modern RADIUS proxy with integrated admin portal, multi-factor authentication, and enterprise identity provider support.
- RADIUS Proxy: High-performance RADIUS authentication proxy
- Multi-Backend Support: LDAP, Active Directory, SAML 2.0 SSO
- Admin Portal: Modern web interface for user and system management
- RESTful API: Complete API for automation and integration
- β
Multi-Factor Authentication (MFA)
- TOTP/Authenticator Apps
- WebAuthn (Security Keys, Biometrics)
- SMS (via gateway integration)
- β
SAML 2.0 Single Sign-On
- SP metadata generation
- IdP integration
- Attribute mapping
- β
LDAP/Active Directory Integration
- Secure binds
- User search and authentication
- Group membership validation
- User Management: Create, edit, delete admin users
- MFA Credential Management: View and revoke user security keys
- Audit Logs: Complete system activity tracking
- System Monitor: Real-time metrics and health status
- API Token Management: Generate and manage API access tokens
- Python: 3.8 or higher
- Operating System: Linux (Ubuntu/Debian recommended) or WSL2
- Database: SQLite (included)
- Optional:
- LDAP/AD server for directory integration
- SAML IdP for SSO
- SMS gateway for SMS MFA
git clone https://github.com/tsautier/RoXX.git
cd RoXX
# Create virtual environment
python3 -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txtpython3 -m roxx.web.appThe admin portal will start on http://localhost:8000
Default credentials:
- Username:
admin - Password:
admin(change immediately!)
Configuration files are located in:
- Linux:
/etc/roxx/ - Development:
~/.roxx/
Key files:
roxx.db- Main SQLite databasewebauthn.db- WebAuthn credentialsmfa.db- MFA configuration
- Navigate to
http://localhost:8000 - Login with default credentials
- Change your password under User Settings
- Go to Settings β MFA Settings
- Choose your method:
- TOTP: Scan QR code with authenticator app
- WebAuthn: Register security key or biometric device
- Complete setup and test login
- Go to Config β Authentication Providers
- Click + Add Provider
- Select SAML 2.0
- Fill in:
- Name: e.g., "Corporate SSO"
- IdP Entity ID: Your IdP's entity ID
- IdP SSO URL: Your IdP's SSO endpoint
- IdP Certificate: x509 certificate from IdP metadata
- Configure your IdP with:
- Metadata URL:
https://your-domain.com/auth/saml/metadata/{provider_id} - ACS URL:
https://your-domain.com/auth/saml/acs/{provider_id}
- Metadata URL:
- Go to Config β Authentication Providers
- Click + Add Provider
- Select LDAP / Active Directory
- Configure:
- Server URL:
ldap://dc.example.com:389 - Base DN:
dc=example,dc=com - Bind DN: Service account DN
- Bind Password: Service account password
- Server URL:
All API requests require authentication via session cookie or API token.
GET /api/admins - List all admin users
POST /api/admins - Create new admin user
GET /api/admins/{username} - Get user details
DELETE /api/admins/{username} - Delete user
GET /api/admins/{username}/mfa/status - Get MFA status
GET /api/admins/{username}/mfa/credentials - List WebAuthn credentials
DELETE /api/admins/{username}/mfa/webauthn/{id} - Delete security key
POST /api/admins/{username}/mfa/totp/reset - Reset TOTP
GET /api/auth-providers - List providers
POST /api/auth-providers - Create provider
DELETE /api/auth-providers/{id} - Delete provider
curl -X POST http://localhost:8000/api/admins \
-H "Content-Type: application/json" \
-d '{
"username": "john",
"password": "SecurePass123!",
"email": "john@example.com"
}'- Change Default Password: Immediately change the default admin password
- Enable MFA: Require MFA for all admin users
- Use HTTPS: Deploy with proper SSL/TLS certificates
- Regular Updates: Keep dependencies up to date
- Audit Logs: Regularly review system audit logs
- API Tokens: Use API tokens instead of passwords for automation
- Network Security: Restrict admin portal access to trusted networks
# Application
ROXX_HOST=0.0.0.0
ROXX_PORT=8000
ROXX_DEBUG=false
# Database
ROXX_DB_PATH=/etc/roxx/roxx.db
# Security
ROXX_SECRET_KEY=your-secret-key-here
ROXX_SESSION_TIMEOUT=3600
# SAML
ROXX_SAML_SP_ENTITY_ID=https://your-domain.comPlace certificates in /etc/roxx/ssl/:
cert.pem- SSL certificatekey.pem- Private key
The application will automatically use HTTPS if certificates are present.
Access the dashboard at /dashboard for:
- CPU utilization
- Memory usage
- Disk space
- Active sessions
- Recent authentication events
View comprehensive logs at /logs:
- User logins
- MFA events
- Configuration changes
- API requests
- SAML/LDAP authentication attempts
WebAuthn Not Working
- Ensure using HTTPS or
localhost - Check browser compatibility (Chrome/Edge/Firefox/Safari recommended)
- Verify WebAuthn credentials in browser dev tools
SAML Login Fails
- Verify IdP certificate is correct
- Check SP Entity ID matches IdP configuration
- Review logs at
/config/auth-providers/logs - Ensure SP metadata uploaded to IdP
LDAP Connection Issues
- Verify network connectivity to LDAP server
- Check bind DN and password
- Test with
ldapsearchcommand - Review firewall rules
Enable debug logging:
export ROXX_DEBUG=true
python3 -m roxx.web.app- User Guide: See
/docs/user-guide.md - API Reference: See
/docs/api-reference.md - SAML Setup: See
/docs/saml-setup.md - LDAP/AD Setup: See
/docs/ldap-setup.md
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Author: Thomas Sautier (tsautier@users.noreply.github.com)
This project is licensed under the MIT License - see the LICENSE file for details.
- FastAPI - Modern web framework
- python3-saml - SAML implementation
- python-ldap - LDAP integration
- webauthn - WebAuthn/FIDO2 support
For issues and questions:
- GitHub Issues: https://github.com/tsautier/RoXX/issues
- Email: tsautier@users.noreply.github.com
Built with β€οΈ for secure, scalable authentication