Configure RADIUS in Mavericks Server

RADIUS is automatically managed when using Apple Airports. When you open the Server app, if an Airport base station is detected you’ll see it in the Server app sidebar. But what if you want to use RADIUS to authenticate Meraki, Cisco, Aerohive and other device from other vendors? Then we have to enable things differently. To get started, we need to create an com.apple.access_radius, which we can do with Workgroup Manager or with dseditgroup:

dseditgroup -o create -n . -u admin -r RADIUS com.apple.access_radius

Next, place all of the users that have access to the service in the new group. You will need to show system groups to do so. To add a client, first add it to the NAS list:

radiusconfig -addclient 192.168.210.2 meraki.krypted.com other

When prompted for a shared secret,provide the desired shared secret and press enter.

192.168.210.2 added to the list

Open Keychain Access and export the server cert and private key (which we’ll store on our desktop for conversion purposes):

openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys

Install the certs:

radiusconfig -installcerts /etc/raddb/certs/server.key
radiusconfig -installcerts /etc/raddb/certs/server.crt

Test radius in debug mode:

radiusd -X

Kill radius and then start it back up:

radiusconfig -start

To enable logging of requests, use:

radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes

To then configure log rotation:

radiusconfig -autorotatelog on -n 30

Note: Tip of the ‘ole hat to Jedda Wignall for writing this up for 10.8 at https://gist.github.com/jedda/4103604

Comments are closed.