Always Remember: With Gusto Comes Data Loss.

Configuring RADIUS on OS X Server (10.8-10.9)

OS X Server comes with FreeRADIUS pre-installed, but does not have any GUI interface for enabling or configuring it[1]. This guide will walk you through, step-by-step, how to enable, configure, and test your RADIUS server. I’ll probably follow up with a separate guide on configuring various devices to work with the FreeRADIUS server you will be configuring here. This guide also assumes that you are using this server as your ODM. Lastly, RADIUS makes use of certificates, so you can generate a self-signed one (or use the one created when you initially set up your server) or obtain a “proper” one; it doesn’t matter for the functionality of the service.

All of the following commands need superuser privileges, so either sudo all of them or do:

sudo su


Now, for some reason OS X Server doesn’t come with a preset SACL for the RADIUS service, despite having it already installed. This is easily fixed by typing the following (don’t forget the “.” following the -n):

dseditgroup -o create -n . -u <your_admin> -r RADIUS com.apple.access_radius


Once you have done that, open Server.app and go to the Groups section. You must turn on “Show System Accounts” from the View menu, then select “All Groups” from the dropdown in the main window. You should now see the com.apple.access_radius group (real name RADIUS) listed. Go ahead and edit this group and add any users you wish to be authorized to access your wireless.

Now that the users and groups are all set up, we can begin configuring the RADIUS server itself. The first thing to set is the clients you wish to have access to it. This is done one by one using the command below. For obvious reasons, I suggest that these devices be given a static IP (or a static mapping in DHCP) – if their IP address changes it will break your authentication. The “short-name” is just a nickname you give the device – I tend to just call it wap1 or something similar. Unless you already know you need to change the last field, “other” is exactly what you want.

radiusconfig -addclient IP-address short-name other


To give you an example of this command being run for a Ruckus AP, it would look something like this:

radiusconfig -addclient 10.72.10.5 wap1 other


Next we are going to install the certificates that RADIUS will utilize. The first thing to do here is to export them from your Keychain as a .p12 file. You do this by opening Keychain Access, selecting the certificate you wish to use, and going to File > Export. When exporting as a .p12 file, you will be asked to set a password – you will need this in the next step. For this example, I will assume you named the .p12 file “wifi.p12” and placed it on your desktop. We now need to split this certificate into its component pieces and place them in a safe place. Follow the commands below to accomplish this (don’t forget to change the username!).

openssl pkcs12 -in /Users/josh/Desktop/wifi.p12 -out /etc/raddb/certs/wifi.key -nodes -nocerts
openssl pkcs12 -in /Users/josh/Desktop/wifi.p12 -out /etc/raddb/certs/wifi.crt -nodes -nokeys
radiusconfig -installcerts /etc/raddb/certs/wifi.key /etc/raddb/certs/wifi.crt
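Before handing the two files to radiusconfig -installcerts it is worth confirming that the key and certificate you split out of the .p12 actually belong together, and that the unencrypted key (written by -nodes) is not readable by other local accounts. The script below is an added example, not part of the original post or of OS X Server; it assumes openssl is on the PATH and takes the certificate and key paths as its two arguments (the /etc/raddb/certs paths above are the ones you would pass).

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before installing it into
# FreeRADIUS. Assumes: openssl on PATH; PEM-encoded, unencrypted key.

# Print a SHA-256 fingerprint of the public key embedded in a certificate.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# Print a SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Return 0 if the certificate's public key matches the private key,
# 1 if they differ, 2 if either file cannot be parsed.
check_cert_key_match() {
  cert="$1"; key="$2"
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
  openssl pkey -in "$key" -noout >/dev/null 2>&1 || return 2
  c=$(cert_pubkey_hash "$cert")
  k=$(key_pubkey_hash "$key")
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 only if the key file has no group/other permission bits set.
# Uses the first 10 characters of ls -l, which are identical on BSD and GNU.
key_is_private_only() {
  case "$(ls -l "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Usage: sh check-radius-certs.sh /etc/raddb/certs/wifi.crt /etc/raddb/certs/wifi.key
if [ "$#" -ge 2 ]; then
  if check_cert_key_match "$1" "$2"; then
    echo "OK: certificate and key match"
  else
    echo "ERROR: certificate and key do NOT match (or could not be parsed)"
  fi
  if key_is_private_only "$2"; then
    echo "OK: key is readable by its owner only"
  else
    echo "WARNING: key is readable by group/others; consider chmod 600"
  fi
fi
```

Run it once after the two openssl commands above and before -installcerts; a mismatch here is the most common reason an otherwise correctly configured server rejects every EAP handshake.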


Next, if you want to enable logging, you can do so with the commands below. Depending on your setup and what you use RADIUS for, you may not need or want logging. Personally, I leave it on because I have a script (which I may share in a future post) that checks the logs and alerts me on any unauthorized attempts at logging in. You can turn any of this on or off at will, so don’t worry about changing your mind at any time. Note that auth_badpass and auth_goodpass record the submitted password alongside the username, so treat the log files as sensitive. The last line controls log rotation and in this example tells it to rotate logs once every 30 days. If you want logging on, I always suggest using log rotation, as it keeps a single log from becoming absurdly large and cumbersome.

radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes
radiusconfig -autorotatelog on -n 30
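With auth logging switched on, the kind of check the post mentions can be done with a short shell script. The one below is an added example, not the author's script; it assumes the FreeRADIUS 2.x "Auth:" line format written to /var/log/radius/radius.log on OS X Server, and the sample log lines embedded in it are constructed for illustration. It counts failed logins per user and client, strips any password that auth_badpass may have put in the line so it is never re-printed, and lists users who reach a failure threshold.

```shell
#!/bin/sh
# Added example: find users with repeated failed RADIUS logins.
# Assumes FreeRADIUS 2.x radius.log lines such as
#   Tue Mar 11 08:01:10 2014 : Auth: Login incorrect: [josh] (from client wap1 port 0 cli 00-11-22-33-44-55)
# With auth_badpass=yes the bracket holds "user/password"; only "user" is kept.

# Constructed sample input (not a real log).
SAMPLE_LOG=$(cat <<'EOF'
Tue Mar 11 08:00:01 2014 : Auth: Login OK: [josh] (from client wap1 port 0 cli 00-11-22-33-44-55)
Tue Mar 11 08:01:10 2014 : Auth: Login incorrect: [josh/Passw0rd] (from client wap1 port 0 cli 00-11-22-33-44-55)
Tue Mar 11 08:02:00 2014 : Auth: Login incorrect: [mallory] (from client wap1 port 0 cli 66-77-88-99-aa-bb)
Tue Mar 11 08:02:03 2014 : Auth: Login incorrect: [mallory] (from client wap1 port 0 cli 66-77-88-99-aa-bb)
Tue Mar 11 08:02:07 2014 : Auth: Login incorrect: [mallory] (from client wap1 port 0 cli 66-77-88-99-aa-bb)
Tue Mar 11 08:03:00 2014 : Auth: Login incorrect: [mallory] (from client wap2 port 0 cli 66-77-88-99-aa-bb)
Tue Mar 11 08:05:00 2014 : Auth: Login OK: [alice] (from client wap2 port 0 cli cc-dd-ee-ff-00-11)
EOF
)

# Read a radius.log on stdin; print "count user client" for every (user, client)
# pair with failed logins, highest count first.
failed_logins() {
  awk '
    /: Auth: Login incorrect: \[/ {
      u = $0
      sub(/.*Login incorrect: \[/, "", u)   # drop everything before the user
      sub(/\].*/, "", u)                    # drop everything after the bracket
      sub(/\/.*/, "", u)                    # drop a logged password, if any
      c = $0
      sub(/.*\(from client /, "", c)        # isolate the client short-name
      sub(/ .*/, "", c)
      n[u " " c]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Read a radius.log on stdin; print users whose failures from any single
# client reach the threshold given as $1 (default 5).
alert_users() {
  threshold="${1:-5}"
  failed_logins | awk -v t="$threshold" '$1 >= t { print $2 }' | sort -u
}

# Usage: sh radius-failures.sh /var/log/radius/radius.log [threshold]
# With no arguments, runs against the constructed sample above.
if [ -n "$1" ]; then
  echo "Failed logins (count user client):"; failed_logins < "$1"
  echo "Users at or above threshold ${2:-5}:"; alert_users "${2:-5}" < "$1"
else
  echo "Failed logins (count user client):"; printf '%s\n' "$SAMPLE_LOG" | failed_logins
  echo "Users at or above threshold 3:"; printf '%s\n' "$SAMPLE_LOG" | alert_users 3
fi
```

Point it at the rotated log files as well as the live one if you run it from a daily cron job, and keep the threshold per client rather than per user so that one user mistyping a password on a single access point is not mistaken for an attempt spread across several.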


Finally, you are ready to start the RADIUS process.

radiusconfig -start


Lastly, if you did all of this using “sudo su”, you will need to change the default permissions on the folder that the logs are written to, or else Console will not be able to read them (bear in mind that this also makes the logs readable by every local account on the server). To do this, enter the following:

chmod -R 755 /var/log/radius


Congratulations, you now have a fully functional RADIUS server up and running. You still need to configure your devices to talk to the RADIUS server, but I’ll cover that in a later post since most devices are pretty simple, or already have plenty of guides out there.


[1] If an Apple AirPort is detected on the network, a GUI interface will automatically appear in the Server app. This guide is intended for people that do not, or cannot, use Apple hardware for their wireless – or want to use RADIUS authentication for other devices.


Special thanks to Jedda for his write up on doing this in 10.8 server.
