Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
Configuring basic RADIUS on OS X 10.8 Server
# Configuring basic RADIUS on OS X 10.8 Server
# Jedda Wignall
# Full writeup at:
# create the SACL for access to RADIUS
dseditgroup -q -o create -u <admin user> -n .
# configure radiusd to log both successful and failed authentications
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes
# configure rotation of logs and accounting data - maximum 15 files kept
radiusconfig -autorotatelog on -n 15
# add a RADIUS authenticator with a specific IP/host and shortname
radiusconfig -addclient <IP/host> <shortname> other
# create/export certificate identity
-- In Keychain Access, export both your certificate and private key to a .p12 file. Note the export password.
# split your .p12 identity into separate certificate and private key with no encryption
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
# install the certificate and key into the radiusd configuration files
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt
# test run radiusd with a debug flag. you should see "Ready to process requests."
radiusd -X
# when ready, kill radiusd with Control-C, and use radiusconfig to start RADIUS properly
radiusconfig -start
# make the RADIUS logs accessible to read
chmod -R 775 /private/var/log/radius
# users in the group should now be able to authenticate and be authorized for access on the authenticators you have configured

In Mavericks 10.9 your documentation Line 16 doesn't work.
I got RADIUS working without the autorotatelog. I have a Cisco Meraki MK12 unit, enabled RADIUS however when I try to connect PC or Mac or iPhone it says unable to authenticate to it. Any ideas?

Could you check if your users are in group ?
On Mavericks Radius is in /Library/Server/radius/raddb et non in /etc/raddb.
What is your error message in radius.log ?

Should I create a new user for <admin user>?

jlg89 commented Jun 1, 2015

Followed these instructions, substituting /Library/Server/radius for /etc. This is on Yosemite.

rlm_eap_tls: retrieving password from keychain for private key file /Library/Server/radius/raddb/certs/server.key
rlm_eap_tls: keychain item name for private key password is 168F5CDF5CDB47A6614CD0414E708F9A9093801A
rlm_eap_tls: Unable to find private key password in keychain
rlm_eap_tls: Error reading private key password from keychain
rlm_eap: Failed to initialize type tls
/Library/Server/radius/raddb/eap.conf[17]: Instantiation failed for module "eap"
/Library/Server/radius/raddb/sites-enabled/default[321]: Failed to find "eap" in the "modules" section.
/Library/Server/radius/raddb/sites-enabled/default[256]: Errors parsing authenticate section.

jlg89 commented Jun 1, 2015

You might have to run this through Google Translate, but these instructions appear to work for Yosemite:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment