Configuring basic RADIUS on OS X 10.8 Server
# Configuring basic RADIUS on OS X 10.8 Server
# Jedda Wignall
# http://jedda.me
# Full writeup at: http://jedda.me/2012/11/configuring-basic-radius-os-108-server/
# create the SACL for access to RADIUS
dseditgroup -q -o create -u <admin user> -n . com.apple.access_radius
# configure radiusd to log both successful and failed authentications
# note: auth_badpass/auth_goodpass also write the submitted password strings into radius.log, so treat the log directory as sensitive
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes
# configure rotation of logs and accounting data - maximum 15 files kept
radiusconfig -autorotatelog on -n 15
# add a RADIUS authenticator with a specific IP/host and shortname
radiusconfig -addclient <IP/host> <shortname> other
# create/export certificate identity
# In Keychain Access, export both your certificate and private key to a .p12 file. Note the export password.
# split your .p12 identity into separate certificate and private key with no encryption
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
# install the certificate and key into the radiusd configuration files
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt
# test run radiusd with a debug flag. you should see "Ready to process requests."
radiusd -X
# when ready, kill radiusd with Control-C, and use radiusconfig to start RADIUS properly
radiusconfig -start
# make the RADIUS logs accessible to read (775 also grants read to every other local user; with password logging enabled, a tighter mode such as 750 limits that)
chmod -R 775 /private/var/log/radius
# users in the group com.apple.access_radius should now be able to authenticate and be authorized for access on the authenticators you have configured
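The .p12 split and certificate install above are the step most likely to go wrong, so this added shell example (not part of the gist) performs the split with the same openssl flags and then checks that the key is unencrypted and actually belongs to the certificate before radiusconfig -installcerts sees it. The OpenSSL CLI, the argument names and the raddb_dir lookup (which assumes the 10.9 path reported in the comments on this gist) are assumptions.

```shell
# split_identity <identity.p12> <export-password> <output-dir>
# Writes server.key and server.crt into <output-dir>; returns non-zero if the
# key does not belong to the certificate or if the key is still encrypted.
# (Added example; argument names are assumptions, not from the gist.)
split_identity() {
    p12="$1"; pass="$2"; outdir="$3"
    mkdir -p "$outdir" || return 1
    # private key only, with no passphrase, as in the gist
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nocerts \
        -out "$outdir/server.key" 2>/dev/null || return 1
    # certificate only
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nokeys \
        -out "$outdir/server.crt" 2>/dev/null || return 1
    # the key is the sensitive half: owner-only permissions
    chmod 600 "$outdir/server.key"
    verify_pair "$outdir/server.key" "$outdir/server.crt"
}

# verify_pair <key> <cert>: the public key derived from the private key must be
# byte-identical to the one carried inside the certificate.
verify_pair() {
    key="$1"; crt="$2"
    if grep -q 'ENCRYPTED' "$key"; then
        echo "key is still encrypted" >&2
        return 1
    fi
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# raddb_dir: prints the raddb directory, checking the /Library/Server path
# reported for 10.9 in the comments before the /etc/raddb path used on 10.8.
raddb_dir() {
    for d in /Library/Server/radius/raddb /etc/raddb; do
        [ -d "$d" ] && { echo "$d"; return 0; }
    done
    return 1
}
```

Run split_identity against the exported identity, then pass the two files under "$(raddb_dir)/certs" to radiusconfig -installcerts only when it exits 0.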
ncsnetwork Jul 1, 2014

In Mavericks 10.9 your documentation line 16 doesn't work.
I got RADIUS working without the autorotatelog. I have a Cisco Meraki MK12 unit and enabled RADIUS; however, when I try to connect a PC, Mac or iPhone, it says it is unable to authenticate. Any ideas?


xavier-edwarczyk Aug 1, 2014

Hi,
Could you check if your users are in the com.apple.access_radius group?
On Mavericks, RADIUS is in /Library/Server/radius/raddb and not in /etc/raddb.
What is your error message in radius.log?
Bye
Xavier


fuzzyroddis May 23, 2015

Should I create a new user for <admin user>?


jlg89 Jun 1, 2015

Followed these instructions, substituting /Library/Server/radius for /etc. This is on Yosemite.

rlm_eap_tls: retrieving password from keychain for private key file /Library/Server/radius/raddb/certs/server.key
rlm_eap_tls: keychain item name for private key password is 168F5CDF5CDB47A6614CD0414E708F9A9093801A
rlm_eap_tls: Unable to find private key password in keychain
rlm_eap_tls: Error reading private key password from keychain
rlm_eap: Failed to initialize type tls
/Library/Server/radius/raddb/eap.conf[17]: Instantiation failed for module "eap"
/Library/Server/radius/raddb/sites-enabled/default[321]: Failed to find "eap" in the "modules" section.
/Library/Server/radius/raddb/sites-enabled/default[256]: Errors parsing authenticate section.


jlg89 Jun 1, 2015

You might have to run this through Google Translate, but these instructions appear to work for Yosemite:
http://qiita.com/kunichiko/items/602abf45758c85e1e163

