@tedivm
Forked from jedda/gist:4103604
Last active August 29, 2015 14:19
OSX Yosemite Server RADIUS
# Configuring basic RADIUS on OS X 10.8 Server
# Jedda Wignall
# http://jedda.me
#
# Updated to 10.10 by Robert Hafner
# http://blog.tedivm.com
# Full writeup at: http://jedda.me/2012/11/configuring-basic-radius-os-108-server/
# create the SACL for access to RADIUS
dseditgroup -q -o create -u <admin user> -n . com.apple.access_radius
# configure radiusd to log both successful and failed authentications
# note: auth_badpass/auth_goodpass also write the submitted password into the log, so restrict who can read it
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes
# configure rotation of logs and accounting data - maximum 15 files kept
radiusconfig -autorotatelog on -n 15
# add a RADIUS authenticator with a specific IP/host and shortname
radiusconfig -addclient <IP/host> <shortname> other
# create/export certificate identity
# In Keychain Access, export both your certificate and private key to a .p12 file. Note the export password.
# split your .p12 identity into separate certificate and private key with no encryption
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /Library/Server/radius/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /Library/Server/radius/raddb/certs/server.crt -nodes -nokeys
# install the certificate and key into the radiusd configuration files
radiusconfig -installcerts /Library/Server/radius/raddb/certs/server.key /Library/Server/radius/raddb/certs/server.crt
# test run radiusd with a debug flag. you should see "Ready to process requests."
radiusd -X
# when ready, kill radiusd with Control-C, and use radiusconfig to start RADIUS properly
radiusconfig -start
# make the RADIUS logs accessible to read
chmod -R 775 /private/var/log/radius
# users in the group com.apple.access_radius should now be able to authenticate and be authorized for access on the authenticators you have configured
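Added example (not part of the original gist): once auth logging is switched on as above, the entries in radius.log can be summarised with plain POSIX tools, which is useful for spotting repeated failures per authenticator and for redacting the passwords that auth_badpass/auth_goodpass record before sharing the log. The log lines below are constructed in the FreeRADIUS "Auth: Login OK/incorrect" format; the client shortnames and users are assumptions.

```shell
#!/bin/sh
# Constructed sample of radius.log (the real file lives under /private/var/log/radius/).
# With auth_badpass/auth_goodpass enabled the password follows the user as [user/password].
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mon Nov 10 09:01:12 2014 : Auth: Login OK: [alice/s3cret] (from client office-ap port 0)
Mon Nov 10 09:02:40 2014 : Auth: Login incorrect: [bob/wrong1] (from client office-ap port 0)
Mon Nov 10 09:02:55 2014 : Auth: Login incorrect: [bob/wrong2] (from client office-ap port 0)
Mon Nov 10 09:05:03 2014 : Auth: Login incorrect: [carol/oops] (from client guest-ap port 0)
Mon Nov 10 09:06:10 2014 : Auth: Login OK: [bob/right] (from client office-ap port 0)
EOF

# Print "count client user" for failed logins, most frequent first.
# The sed stops at "/" so the attempted password never reaches the output.
failed_logins() {
  grep 'Auth: Login incorrect' "$1" \
    | sed -n 's|.*Login incorrect: \[\([^]/]*\).*(from client \([^ ]*\).*|\2 \1|p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2, $3}'
}

# Number of failed logins seen from one authenticator shortname
# (the shortname given to "radiusconfig -addclient").
failures_from_client() {
  grep -c "Login incorrect: .*(from client $2 port" "$1" || true
}

# Copy of the log with "[user/password]" reduced to "[user]", safe to hand to others.
redact_passwords() {
  sed 's|\(: \[[^]/]*\)/[^]]*\]|\1]|' "$1"
}

failed_logins "$SAMPLE_LOG"
```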