@cjanis
Forked from jedda/gist:4103604
Last active August 29, 2015 14:06
Configuring RADIUS on OS X 10.9 Server
# become root (you will be prompted for your admin user password)
sudo su
# create the SACL group com.apple.access_radius: only members of this group may authenticate through RADIUS. -u names the admin account that authorizes the change, -n . targets the local directory node
dseditgroup -q -o create -u <admin user> -n . com.apple.access_radius
# log authentication results (the "Login OK" / "Login incorrect" lines in radius.log)
radiusconfig -setconfig auth yes
# auth_badpass and auth_goodpass do NOT control whether failures and successes are logged. they make radiusd write the submitted password itself into the log, in cleartext, as [user/password]. keep them off except during a short debugging session, and never turn them on while the log directory is readable by other accounts
radiusconfig -setconfig auth_badpass no
radiusconfig -setconfig auth_goodpass no
# configure rotation of logs and accounting data - maximum 30 files kept
radiusconfig -autorotatelog on -n 30
# register a RADIUS client (the AirPort base station or other authenticator) by IP address or hostname plus a shortname of your choosing. radiusd matches clients by source address, so if you use AirPort routers give the server and every router a static IP address. radiusconfig asks for the shared secret: use a long random one and enter the same value on the authenticator
radiusconfig -addclient <IP/host> <shortname> other
# create a certificate identity (Keychain Access -> Certificate Assistant -> Create a Certificate), then in Keychain Access export the certificate together with its private key to a .p12 file. note the export password
# split the .p12 identity into an unencrypted private key and a certificate. the key is now plaintext on disk, so keep /etc/raddb/certs/server.key readable by root only (mode 600) and do not leave the .p12 lying on the Desktop afterwards
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
# install the certificate and key into the radiusd configuration files
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt
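The certificate steps above leave an unencrypted key on disk and give you no way to tell whether the key and certificate you just installed actually belong together. The script below is an added example, not part of this gist: it runs the same two openssl splits under a restrictive umask, locks the key down to mode 600, and checks that the public key inside server.crt equals the public half of server.key. Because nobody can run it against your Keychain, it builds a throwaway self-signed identity (CN radius.example.test, one day validity, constructed test data) and packs it into Identity.p12 to stand in for the Keychain Access export; on a real server point split_identity at the exported .p12 and /etc/raddb/certs instead.

```shell
#!/bin/sh
# Added example, not part of the gist: split a .p12 the way the steps above do,
# keep the unencrypted key private, and prove the key belongs to the certificate.
set -eu

# Stand-in for the Keychain Access export: a throwaway self-signed identity
# packed into Identity.p12. Constructed test data, not a real server key.
make_test_identity() {  # $1 = work dir, $2 = export password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=radius.example.test" \
    -keyout "$1/id.key" -out "$1/id.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/id.key" -in "$1/id.crt" \
    -passout "pass:$2" -out "$1/Identity.p12"
}

# Split $1 (.p12, export password $2) into $3/server.key and $3/server.crt.
# Same openssl invocations as the gist, but run under umask 077 so the plaintext
# key is never created world-readable, not even for an instant.
split_identity() {
  p12=$1; pw=$2; dir=$3
  mkdir -p "$dir"
  (
    umask 077
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nodes -nocerts -out "$dir/server.key"
    openssl pkcs12 -in "$p12" -passin "pass:$pw" -nodes -nokeys -out "$dir/server.crt"
  )
  chmod 600 "$dir/server.key"   # owner-only: this file is the server's secret
  chmod 644 "$dir/server.crt"   # the certificate is public
}

# Succeeds only when the public key inside the certificate equals the public
# half of server.key, i.e. the two files really are one identity.
key_matches_cert() {  # $1 = key file, $2 = cert file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when the key file is mode 600 (GNU stat first, BSD/macOS stat as fallback).
key_is_private() {  # $1 = key file
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "600" ]
}

# Demo run on the constructed identity.
main() {
  work=$(mktemp -d)
  make_test_identity "$work" "export-password"
  split_identity "$work/Identity.p12" "export-password" "$work/certs"
  key_matches_cert "$work/certs/server.key" "$work/certs/server.crt" && echo "server.key matches server.crt"
  key_is_private "$work/certs/server.key" && echo "server.key is owner-only"
  rm -rf "$work"
}

main
```

A .p12 exported by Keychain Access is encrypted with older ciphers than the one this script builds; if a recent OpenSSL 3 refuses to read it, adding -legacy to the two openssl pkcs12 -in commands is the usual fix. Run key_matches_cert once more after radiusconfig -installcerts, against the files radiusd is really pointed at, before you trust the "Ready to process requests." line from radiusd -X.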
# test run radiusd with a debug flag. you should see "Ready to process requests."
radiusd -X
# when ready, kill radiusd with Control-C, and use radiusconfig to start RADIUS properly
radiusconfig -start
# make the RADIUS logs readable from your admin account. note that 775 also lets every other local account (and anything running as one) read them, and group write is not needed. on a box with non-admin logins prefer 750 with your admin group on the directory. either way this is why the password-logging options above must stay off
chmod -R 775 /private/var/log/radius
# users in the group com.apple.access_radius can now authenticate and will be authorized on the clients you registered above
# add new users in Server.app and grant them access to com.apple.access_radius. after adding users, stop and start RADIUS again (radiusconfig -stop, then radiusconfig -start) so radiusd picks them up
# open the log folder in the Finder
open /private/var/log/radius
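Opening the folder in the Finder is fine for a quick look, but two things are worth checking on a schedule: which accounts are failing to log in from which client, and whether the server has started writing submitted passwords into the log (which is exactly what auth_badpass / auth_goodpass set to yes does). The script below is an added example, not part of this gist. It works on a constructed sample in the FreeRADIUS 2.x radius.log format that OS X Server's radiusd writes, not a real capture; the path /private/var/log/radius/radius.log in the usage comment is assumed from the log directory the gist opens.

```shell
#!/bin/sh
# Added example, not part of the gist: review radius.log instead of just opening
# the folder. Two checks: who is failing to log in from where, and whether the
# server is writing submitted passwords into the log.
set -eu

# Constructed sample in FreeRADIUS 2.x radius.log format; not a real capture.
# The last entry shows what a line looks like once auth_badpass is yes: the
# password rides along inside the brackets as [user/password].
SAMPLE_LOG='Tue Sep  2 11:30:45 2014 : Auth: Login OK: [alice] (from client gateway port 0 cli 00-11-22-33-44-55)
Tue Sep  2 11:30:51 2014 : Auth: Login incorrect: [bob] (from client gateway port 0 cli 66-77-88-99-AA-BB)
Tue Sep  2 11:31:02 2014 : Auth: Login OK: [carol] (from client gateway port 0 cli CC-DD-EE-FF-00-11)
Tue Sep  2 11:31:09 2014 : Auth: Login incorrect: [mallory] (from client lab-ap port 0 cli 22-33-44-55-66-77)
Tue Sep  2 11:31:20 2014 : Auth: Login incorrect: [bob/Summer2014] (from client gateway port 0 cli 66-77-88-99-AA-BB)'

# Reads a log on stdin and prints "count user client" for every failed login,
# busiest pair first. Useful for spotting a guessing campaign against one account.
failed_logins() {
  awk '
    /Auth: Login incorrect:/ {
      match($0, /Login incorrect: \[[^]]*\]/)
      user = substr($0, RSTART + 18, RLENGTH - 19)   # text between the brackets
      sub(/\/.*/, "", user)                           # drop a logged password, keep the user
      match($0, /from client [^ ]+/)
      client = substr($0, RSTART + 12, RLENGTH - 12)
      n[user " " client]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Reads a log on stdin and prints every line that carries a submitted password,
# i.e. a [user/password] entry. Exit status 0 means at least one was found, so
# the function can gate an alert. Such lines mean auth_badpass or auth_goodpass
# is on and the log must be treated as a credential store until rotated out.
leaked_passwords() {
  grep -E 'Auth: Login (OK|incorrect): \[[^]/]+/'
}

# Demo on the sample. On the server run the same functions on the live file:
#   failed_logins < /private/var/log/radius/radius.log   (path assumed from the gist)
printf '%s\n' "$SAMPLE_LOG" | failed_logins
printf '%s\n' "$SAMPLE_LOG" | leaked_passwords && echo "WARNING: passwords are being written to the log"
```

On the sample, failed_logins reports bob twice from gateway and mallory once from lab-ap, and leaked_passwords prints the single [bob/Summer2014] line. Because the gist's chmod -R 775 makes these files readable by every local account, a hit from leaked_passwords should be treated as a credential exposure: set the two options back to no and rotate the affected passwords.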