
Configuring basic RADIUS on OS X 10.8 Server

For small deployments of Mac OS X Server, RADIUS-based Wi-Fi authentication backed by Open Directory is a clean, secure way to give employees access to the business network, and it avoids the problems of a single shared passphrase that rarely changes. Apple have provided automatic configuration of RADIUS and AirPort base stations in OS X Server for a while, but the FreeRADIUS install used by Mac OS X can of course also provide RADIUS services to non-Apple access points and VPN endpoints. Whilst not recommended for large deployments, this setup can do a very good job for many small to medium businesses with a highly mobile workforce.

In 10.8 Server, like many services embraced in years gone by, RADIUS has disappeared into the deep dark depths of command-line configuration. The following commands will get basic RADIUS working on 10.8 Mountain Lion Server for use with whichever RADIUS authenticator you wish.

All of the commands below assume that you are elevated to superuser:

sudo -s

Firstly, we have to create the SACL (service access control list) group that controls who may use the RADIUS service; only members of this group will be able to authenticate:

dseditgroup -q -o create -n . com.apple.access_radius

Now, set some logging options for the RADIUS service. We want to log authentication attempts good and bad, and rotate logs and accounting information regularly:

radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes
radiusconfig -autorotatelog on -n 15

Now we are going to add a client (a RADIUS authenticator: an access point or VPN endpoint). The first argument here is the IP address of the client, the second is a short name (alias), and the third is the client type, which in most cases is other. The command prompts for the shared secret; the same secret must be entered in the client's own RADIUS settings. More information on the types can be found by reading the config files in /etc/raddb:

radiusconfig -addclient <IP> <short-name> other

Now we need to generate a certificate, or export an existing one, for use with the RADIUS service. You need your certificate identity (certificate and private key) in a .p12 file, which the next set of commands reference. If you are unsure how to do this, the whole process is shown in the video at the bottom of this post.

Next, split the certificate identity into a separate, unencrypted certificate and private key, then install them into your RADIUS configuration:

openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt

At this stage, you can run radiusd with the debug flag to ensure everything is working as planned. With -X on, you will see far more verbose output than ever reaches the service logs, so if you are having any trouble, use this flag and look for problems:

radiusd -X

If everything went as planned, you will see Ready to process requests. at the end of your output. Now add a user to the com.apple.access_radius local server group (the SACL created above), and test authentication. You should see a whole lot of output fly by, and eventually catch a Sending Access-Accept block when the user is authenticated, authorised, and connected.

Now you can kill the debug process with Control-C and start the service properly. This starts the RADIUS service and makes it persistent across reboots:

radiusconfig -start

With that, you should have a fully functional basic RADIUS setup going. For all the commands inline, head over to this github:gist. For a more involved overview of the steps, check out the video.
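As an added example (not code from this post or from the linked gist), here is the same sequence wrapped in a script that checks its inputs before touching the live configuration: the client address must be a well-formed IPv4 address, the identity file must exist, and the certificate and key split out of the .p12 must carry the same public key before radiusconfig -installcerts is called. It assumes radiusconfig and dseditgroup are the OS X Server tools used above; the identity path, client IP and alias are placeholders to override from the environment, and the key file is written with a restrictive umask because -nodes stores the private key in the clear.

```shell
#!/bin/sh
# Added example (not from the post or its gist): the 10.8 procedure above, wrapped so that
# inputs are checked before the live configuration is touched. Assumptions: radiusconfig and
# dseditgroup are the OS X Server tools used in the post; IDENTITY, CLIENT_IP and CLIENT_NAME
# are hypothetical placeholders that can be overridden from the environment.
set -eu

RADDB=/etc/raddb
IDENTITY="${IDENTITY:-/Users/admin/Desktop/Identity.p12}"   # placeholder path
CLIENT_IP="${CLIENT_IP:-192.0.2.10}"                         # constructed example address
CLIENT_NAME="${CLIENT_NAME:-office-ap}"                      # constructed example alias

# Accept only a dotted quad with four octets in 0-255, so a typo in the address does
# not become a RADIUS client entry. Returns 0 when valid, 1 otherwise.
valid_ipv4() {
    _ip=$1
    case $_ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Confirm the certificate and private key split out of the .p12 carry the same public key,
# so a mismatched pair is caught here rather than as an obscure EAP failure in radiusd -X.
cert_key_match() {
    _cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    _key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# Same openssl split as in the post; -nodes writes the private key in the clear, so the
# umask keeps the key file readable by root only.
split_identity() {
    _p12=$1; _keyout=$2; _crtout=$3
    (umask 077
     openssl pkcs12 -in "$_p12" -out "$_keyout" -nodes -nocerts
     openssl pkcs12 -in "$_p12" -out "$_crtout" -nodes -nokeys)
    cert_key_match "$_crtout" "$_keyout"
}

apply_config() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo -s)" >&2; exit 1; }
    valid_ipv4 "$CLIENT_IP" || { echo "bad client IP: $CLIENT_IP" >&2; exit 1; }
    [ -f "$IDENTITY" ] || { echo "identity not found: $IDENTITY" >&2; exit 1; }

    dseditgroup -q -o create -n . com.apple.access_radius
    radiusconfig -setconfig auth yes
    radiusconfig -setconfig auth_badpass yes
    radiusconfig -setconfig auth_goodpass yes
    radiusconfig -autorotatelog on -n 15
    radiusconfig -addclient "$CLIENT_IP" "$CLIENT_NAME" other   # prompts for the shared secret

    split_identity "$IDENTITY" "$RADDB/certs/server.key" "$RADDB/certs/server.crt" \
        || { echo "certificate and key do not match; nothing installed" >&2; exit 1; }
    radiusconfig -installcerts "$RADDB/certs/server.key" "$RADDB/certs/server.crt"
    echo "configured; verify with 'radiusd -X', then run 'radiusconfig -start'"
}

# Run the live steps only when invoked as: sh radius-setup.sh apply
if [ "${1:-}" = "apply" ]; then apply_config; fi
```

The two checks are deliberately the cheap ones: a malformed client address would otherwise be accepted silently by radiusconfig -addclient, and a certificate paired with the wrong key only shows up later as a failed EAP handshake in the debug output.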

The video below is a run through of all the steps required to get basic RADIUS configuration functional on a fresh 10.8 server instance, including Open Directory promotion, user and SACL creation, and importing a new self-signed certificate into your config. In this lab, we are using an Aerohive AP330 access point as the authenticator and access point for our wireless network.


I hope you found the commands and video lab useful.

List of all commands on github:gist

23 Responses to "Configuring basic RADIUS on OS X 10.8 Server"

  1. Josh

    December 17, 2012 at 4:27 am

    Thank you for this guide. It works exceptionally well. One minor correction, or rather edit, I would make is in the code you provide for the dseditgroup command, the user needs to provide a username after the -n flag. You mention this in your video guide, but it didn’t make it into the text guide.

    Thanks again, awesome work!

    • jedda

      December 19, 2012 at 2:33 pm

      Hey Josh. The -n flag of dseditgroup is actually used to set the node location of the edit. In the demo, I used a . (period) to designate the current default node. I assume you are referring to the -u flag for the username. As we have escalated up using sudo -s, there should be no need to supply a username to the command. I just tried this now on my 10.8 system, and it works as described. If you have not escalated for this command, you can supply the -u and -p flags and arguments to make the authenticated edit all on one line.

  2. Henning

    December 19, 2012 at 11:12 pm

    Hi

    Is there any specific reason in not using the standard server certificate in /etc/certificate/server.domainname.toplevel.fingerprint.key.pem or .cert.pem for this? This way mac os x server did this in 10.6 & 10.7 if you used the GUI for this.

    Thanks a lot for your terrific blog.

    henning

    • jedda

      December 20, 2012 at 5:44 pm

      Hi Henning. There is no reason that you cannot use the built-in or generated certificate from Server.app. I prefer to separate out my certificates in production use, but that is probably just style, and due to the fact that for the most part I am building leaf certs under an internal certificate authority. If you are going to do this, Apple have a ‘special string’ that you can specify for the private_key_passcode in the eap.conf config file that pulls the passcode programmatically. This is obviously far more secure than leaving the key unencrypted or leaving the passcode in plain text in the file. To set this, do the following:

      radiusconfig -setconfig private_key_password Apple:UseCertAdmin

      Thanks for your comments, and I am very glad you are enjoying the content.

      UPDATE: I now see that your other submitted comment suggested just that on the Apple:UseCertAdmin front. Exactly right.

  3. Craig H

    January 2, 2013 at 3:18 am

    Thanks for this how to. The video is great.

    I was a little worried when I saw/heard that RADIUS had been “taken out” of the 10.8 Server GUI, but this has eased my mind for an upcoming server rebuild.

  4. Craig H

    January 8, 2013 at 2:28 am

    I have shell scripted this (and sort of AppleScripted it too). I noticed that the service doesn’t like to attempt running while having zero clients listed (at least in a couple of tests), so I have added a dummy client. I have also added a standard “Radius Allow” group and nested it as a member of the com.apple.access_radius group for ease of use adding users without having to show system accounts.

    It does pop up a prompt for admin username and password when exporting the Identity.p12 from the keychain halfway through the scripts, no matter what I tried. I’m guessing that this would be a security feature.

    I’m looking at getting the MySQL prefpane source and modifying it to make a service on/off toggle for RADIUS (and/or maybe squid) in System Preferences.

    The shell script to be run as admin/sudo with elevated privs.

    #!/bin/sh
    # account running the script, handed to dseditgroup -u for the authenticated edits
    AdminName=`whoami`
    dseditgroup -q -o create -u "$AdminName" -n . com.apple.access_radius
    radiusconfig -setconfig auth yes
    radiusconfig -setconfig auth_badpass yes
    radiusconfig -setconfig auth_goodpass yes
    radiusconfig -autorotatelog on -n 15
    chmod -R 775 /private/var/log/radius
    # radiusconfig -addclient prompts for the shared secret; script(1) gives it a pty so the echo is accepted
    (sleep 0.5; echo "dummy123pw") | ( script -q /dev/null radiusconfig -addclient 169.123.123.123 dummy other )
    security export -k /Library/Keychains/System.keychain -t identities -f pkcs12 -o /tmp/Identity.p12 -P Password123
    openssl pkcs12 -passin pass:Password123 -in /tmp/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
    openssl pkcs12 -passin pass:Password123 -in /tmp/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
    rm /tmp/Identity.p12
    radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt
    # nest a friendlier "Radius Allow" group inside the SACL group
    dseditgroup -q -o create -u "$AdminName" -n . -r 'Radius Allow' radiusallow
    dseditgroup -o edit -n . -a radiusallow -t group com.apple.access_radius
    radiusconfig -start
    exit 0

    And the Applescript …calling shell 😉

    do shell script "
    AdminName=`whoami`
    dseditgroup -q -o create -u $AdminName -n . com.apple.access_radius
    radiusconfig -setconfig auth yes
    radiusconfig -setconfig auth_badpass yes
    radiusconfig -setconfig auth_goodpass yes
    radiusconfig -autorotatelog on -n 15
    chmod -R 775 /private/var/log/radius
    (sleep 0.5; echo \"dummy123pw\") | ( script -q /dev/null radiusconfig -addclient 169.123.123.123 dummy other )
    security export -k /Library/Keychains/System.keychain -t identities -f pkcs12 -o /tmp/Identity.p12 -P Password123
    openssl pkcs12 -passin pass:Password123 -in /tmp/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
    openssl pkcs12 -passin pass:Password123 -in /tmp/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
    radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt
    rm /tmp/Identity.p12
    dseditgroup -q -o create -u $AdminName -n . -r 'Radius Allow' radiusallow
    dseditgroup -o edit -n . -a radiusallow -t group com.apple.access_radius
    radiusconfig -start
    exit 0

    " with administrator privileges

    Thanks again for your video. It made things so much clearer.

  5. Pingback: OSX Server: Radius-Server aktivieren und konfigurieren « Hardy's Blog

  6. Shane MacPhillamy

    January 22, 2013 at 8:13 am

    Great article. A question please?

    When you run radiusconfig -addclient how do you get the radius secret associated with the client?

    • jedda

      February 4, 2013 at 10:09 pm

      Hey Shane. This is where you are setting the secret that the client uses to associate. Your RADIUS client will have settings to point to a RADIUS server, along with a secret. Simply match what you entered with radiusconfig -addclient, and you’ll be golden.

  7. Julian

    February 4, 2013 at 8:38 pm

    This post (and the video) helped me so much…without it, I wouldn’t know where to start and would be stuck reading lots of freeradius documentation!

    Worked perfectly with my Mac Server & Windows AD setup.

  8. Threyon

    March 15, 2013 at 11:11 pm

    I keep getting this message when I run the radiusd -X command. What does it mean and how do I fix it?

    radiusd: #### Opening IP addresses and Ports ####
    listen {
    type = "auth"
    ipaddr = *
    port = 0
    Failed binding to authentication address * port 1812: Address already in use
    /private/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

  9. Magnus

    April 15, 2013 at 4:01 am

    I get this error message when running the radiusd -X command:

    Failed binding to authentication address * port 1812: Address already in use
    /private/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812

    What can I do/what do I need to do to get it working?

  10. Leonardo

    April 17, 2013 at 12:04 am

    Hi, thanks for the guide. I have this error:

    Failed binding to accounting address 10.0.0.14 port 1812: Address already in use
    /private/etc/raddb/radiusd.conf[315]: Error binding to port for 10.0.0.14 port 1812

    • jedda

      April 29, 2013 at 4:29 pm

      This occurs if port 1812 is already in use, usually because another instance of RADIUS is already running. If you have set up RADIUS in the GUI previously, this could be the case.

      Try unloading the previously running radiusd daemon by pumping this into terminal:

      sudo launchctl unload -w /System/Library/LaunchDaemons/org.freeradius.radiusd.plist

      then start radiusd in debug mode again. I’m fairly sure this will fix things up for you.

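The bind failure in the three comments above is the same condition each time, and it is easy to miss in the volume of radiusd -X output. As an added example (not code from the post or its comments), here is a small shell helper that reads saved debug output and names what it finds, with the launchctl command from the reply above as the remediation for a port conflict. The sample output embedded in the block is constructed to match the lines the commenters pasted; the auth-reject marker is FreeRADIUS 2.x's Sending Access-Reject line, which this thread itself does not show.

```shell
#!/bin/sh
# Added example, not code from the post or its comments: classify saved `radiusd -X` output
# so the "Address already in use" failure reported in this thread is named immediately.
# On a live 10.8 server (assumption: radiusd is the FreeRADIUS binary from the post):
#     radiusd -X 2>&1 | tee /tmp/radiusd-debug.log
#     sh radiusd-triage.sh /tmp/radiusd-debug.log

# Print one of: port-conflict, auth-accept, auth-reject, ready, unknown.
# Accept/reject are checked before the ready marker because a successful test run
# contains both "Ready to process requests." and a later "Sending Access-Accept" line.
triage_radiusd_log() {
    if grep -q 'Address already in use' "$1"; then
        echo port-conflict
    elif grep -q 'Sending Access-Accept' "$1"; then
        echo auth-accept
    elif grep -q 'Sending Access-Reject' "$1"; then
        echo auth-reject
    elif grep -q 'Ready to process requests' "$1"; then
        echo ready
    else
        echo unknown
    fi
}

# Map a classification to the next step; the port-conflict fix is the launchctl
# command from the reply above.
remediation_for() {
    case $1 in
        port-conflict) echo 'sudo launchctl unload -w /System/Library/LaunchDaemons/org.freeradius.radiusd.plist' ;;
        auth-accept)   echo 'authentication succeeded: Control-C, then radiusconfig -start' ;;
        auth-reject)   echo 'request refused: check the password and that the user is in com.apple.access_radius' ;;
        ready)         echo 'listening: test a user in com.apple.access_radius before starting the service' ;;
        *)             echo 'no known marker found: read the full radiusd -X output' ;;
    esac
}

# Constructed sample output, modelled on the lines pasted in comments 8 to 10.
CONFLICT_SAMPLE='radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
Failed binding to authentication address * port 1812: Address already in use
/private/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812'

READY_SAMPLE='Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.'

# Constructed: a successful test login after the ready marker (addresses are placeholders).
ACCEPT_SAMPLE='Ready to process requests.
rad_recv: Access-Request packet from host 192.0.2.20 port 49152, id=7, length=150
Sending Access-Accept of id 7 to 192.0.2.20 port 49152'

write_sample() { printf '%s\n' "$2" > "$1"; }

# Triage the constructed samples end to end.
demo() {
    _dir=$(mktemp -d)
    write_sample "$_dir/conflict.log" "$CONFLICT_SAMPLE"
    write_sample "$_dir/ready.log" "$READY_SAMPLE"
    write_sample "$_dir/accept.log" "$ACCEPT_SAMPLE"
    for _f in "$_dir"/*.log; do
        _class=$(triage_radiusd_log "$_f")
        echo "$(basename "$_f"): $_class -> $(remediation_for "$_class")"
    done
    rm -rf "$_dir"
}

# sh radiusd-triage.sh demo            runs the samples
# sh radiusd-triage.sh <saved-log>     triages real radiusd -X output
if [ $# -ge 1 ]; then
    case $1 in
        demo) demo ;;
        *)    _class=$(triage_radiusd_log "$1"); echo "$1: $_class"; remediation_for "$_class" ;;
    esac
fi
```

The ordering of the checks is the only subtle part: a healthy run contains the ready marker and then an Access-Accept, so the accept and reject markers have to win over the ready marker, while a port conflict never gets as far as Ready to process requests and is matched first.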
  11. Marcel

    April 20, 2013 at 12:52 am

    Great detailed article, thank you very much. Will try this next time with some Lancom Access Points …

    One question: If you talk about “small to medium businesses”, how would you define them? Are 150 to 250 mobile devices “small enough” for a Mac mini Server to handle the 802.1X authentications, if this machine also runs the SMB/AFP shares, DNS, DHCP, Firewall and LDAP?

    • jedda

      April 29, 2013 at 4:25 pm

      Hi Marcel,

      It’s a bit hard to say in your specific circumstances. I have definitely had Mac Mini servers serving 250 RADIUS clients simultaneously. Depending on the load on your system for other services (particularly high I/O services like AFP/SMB), you may struggle. In a business with 100+ clients, I would imagine you would be running across several OS X servers for balance and redundancy anyway (OD replicas, etc.). You might want to check out FreeRADIUS’ section on scalability (http://freeradius.org/features/scalability.html).

      Best,

      Jedda

  12. Larry C

    April 29, 2013 at 4:36 am

    Well done sir! This allowed me to set up our small office with a hardware vpn to authenticate against our OpenDirectory with ease, and I cannot thank you enough!

  13. Mike Eagle

    May 14, 2013 at 4:16 am

    Thank you for this very helpful tutorial. One question? Will the radius service persist between server reboots? How can one ensure the service starts automatically?

    • jedda

      May 14, 2013 at 10:58 am

      Hi Mike,

      The radiusconfig -start command loads radiusd into launchd, and will make it persistent across reboots.

      Best,

      Jedda

  14. Jeremy Kuzniar

    October 9, 2013 at 7:45 am

    Amazing tutorial and video. With a few modifications, used this to set up Radius server on OSX 10.6.8 with Ubiquiti Unifi UAP-AC NAS devices. Owe you a pint of ale.

  15. Pingback: yes > /dev/null · OS X Mavericks Server – Setting Up FreeRADIUS
