Tiny Deathstars of Foulness

RADIUS is automatically managed when using Apple Airports. When you open the Server app, if an Airport base station is detected you’ll see it in the Server app sidebar. But what if you want to use RADIUS to authenticate Meraki, Cisco, Aerohive and other device from other vendors? Then we have to enable things differently. To get started, we need to create an, which we can do with Workgroup Manager or with dseditgroup: dseditgroup -o create -n . -u admin -r RADIUS Next, place all of the users that have access to the service in the new group. You will need to show system groups to do so. To add a client, first add it to the NAS list: radiusconfig -addclient other When prompted for a shared secret,provide the desired shared secret and press enter. added to the list Open Keychain Access and export the server cert and private key (which we’ll store on our desktop for conversion purposes): openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys Install the certs: radiusconfig -installcerts /etc/raddb/certs/server.key radiusconfig -installcerts /etc/raddb/certs/server.crt Test radius in debug mode: radiusd -X Kill radius and then start it back up: radiusconfig -start To enable logging of requests, use: radiusconfig -setconfig auth yes radiusconfig -setconfig auth_badpass yes radiusconfig -setconfig auth_goodpass yes To then configure log rotation: radiusconfig -autorotatelog on -n 30 Note: Tip of the ‘ole hat to Jedda Wignall for writing this up for 10.8 at

October 24th, 2013

Posted In: Mac OS X Server, Mac Security

Tags: , , ,