Don’t let the name fool you, RADIUS, or Remote Authentication Dial-In User Service is more widely used today than ever before. This protocol enables remote access to servers and networks and is frequently a fundamental building block of VPNs, wireless networks and other high-security services that have nothing to do with dialup bulletin boards from the 80s.
I’ve run RADIUS services on Mac servers for years. But as that code starts to become stale and no longer supported, let’s look at running a basic RADIUS service on a network appliance, such as a Synology. To get started, open Package Manager, click All in the sidebar and then search for RADIUS.
Click Install for the RADIUS service.
Once installed, open RADIUS Server from the application menu in the upper left hand corner of the screen.
The options aren’t like raccoon. You can select a port, choose a directory service (which covers the authentication and a bit of the authorization portions of RADIUS. Click Clients and then Add.
Here you can configure a shared secret for a client, and allow for the source IP and netmask. To grab your certificate for deployment to clients, open the Control Panel, then Security, then Certificate and export the .p12. If you’re using this RADIUS service to enable other services for Macs, you’ll likely then want to distribute that certificate in a profile. We’ll cover how to leverage RADIUS for other services in other articles.
Recently, I did an article for afp548.com where I explained that you can import a pkcs12 file into an 802.1x profile using networksetup. In that type of environment you would be leveraging TLS or TTLS with the Mac OS X client acting as the supplicant and the certificate required to establish authentication with the authenticator. So you need the certificate to get started, but how do you get the pkcs12 and dish it out to clients programatically? We’re going to start out with a new keychain where we’ve imported the certificate into that keychain (or skip this step if you already have a p12 file). First, find the certificate and verify the name, as this is very important to networksetup. For this, I like to use the security command’s find-certificate option. Here we’re going to look for radius.krypted.com:
security find-certificate -c radius.krypted.comNow we’ll use the export verb of the security command to dump a .p12 file from the specially created keychain called 8021xkey,keychain to my desktop:
security export -k 8021xkey.keychain -t certs -f pkcs12 -o ~/Desktop/krypted.p12When run you’ll be asked for a password to give the new p12 for decryption. Once we have the keychain it can easily be imported, as we will do from the desktop of a client system:
security import ~/Desktop/krypted.p12 -f pkcs12Now we can use the p12 along with the -settlsidentityonsystemprofile or -settlsidentityonuserprofile. For example (using the default AirPort as the service and mysecretpassword as the password to decrypt the p12):
networksetup -settlsidentityonsystemprofile AirPort ~/Desktop/krypted.p12 mysecretpasswordOverall, at this point you can finally automate the process of setting up the 802.1x aspect of a deployment using a script or a package. Simply setup profiles at the GUI, import them into the new computer (assuming you have setup the service names before hand) and if need be import the certificate. Much testing required though…