RADIUS is automatically managed when using Apple AirPorts. When you open the Server app, if an AirPort base station is detected you’ll see it in the Server app sidebar. But what if you want to use RADIUS to authenticate Meraki, Cisco, Aerohive and other devices from other vendors? Then we have to enable things differently. To get started, we need to create a group called com.apple.access_radius, which we can do with Workgroup Manager or with dseditgroup:
dseditgroup -o create -n . -u admin -r RADIUS com.apple.access_radius
Next, place all of the users that should have access to the service in the new group (only members of this group will be able to authenticate). You will need to show system groups in Workgroup Manager to see it. To add a client, first add it to the NAS list:
radiusconfig -addclient 192.168.210.2 meraki.krypted.com other
When prompted for a shared secret, provide the desired shared secret and press enter. The command then confirms the new entry:
192.168.210.2 added to the list
Open Keychain Access and export the server certificate and private key as a .p12 identity (which we’ll store on our desktop for conversion purposes), then split it into a PEM key and a PEM certificate with openssl:
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
Install the certs (radiusconfig takes the private key followed by the certificate in a single command):
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt
Test RADIUS in debug mode (radiusd -X runs in the foreground and prints each request and the reason it was accepted or rejected):
radiusd -X
Once a test authentication succeeds, stop the debug instance (Control-C) and then start the service normally:
radiusconfig -start
To enable logging of authentication requests, including failed and successful passwords, use:
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes
To then configure log rotation:
radiusconfig -autorotatelog on -n 30
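Once auth and auth_badpass logging are on, the radius.log entries are what you would watch for password guessing against a NAS. The following is an added example, not part of the original post, that parses a constructed sample of such lines (assumed to be in the standard FreeRADIUS "Auth: Login OK/incorrect" format) and flags client/user pairs that exceed a failure threshold.

```python
import re
from collections import Counter

# Constructed sample radius.log lines (assumed FreeRADIUS 2.x auth log format;
# the hosts, users and MACs are made up for this example).
SAMPLE_LOG = """\
Mon Mar  3 09:00:00 2014 : Info: Ready to process requests.
Mon Mar  3 09:00:01 2014 : Auth: Login OK: [alice] (from client meraki.krypted.com port 0 cli 00-11-22-33-44-55)
Mon Mar  3 09:00:05 2014 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client meraki.krypted.com port 0 cli 66-77-88-99-AA-BB)
Mon Mar  3 09:00:07 2014 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client meraki.krypted.com port 0 cli 66-77-88-99-AA-BB)
Mon Mar  3 09:00:09 2014 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client meraki.krypted.com port 0 cli 66-77-88-99-AA-BB)
Mon Mar  3 09:00:12 2014 : Auth: Login incorrect: [carol] (from client 192.168.210.2 port 0 cli CC-DD-EE-FF-00-11)
Mon Mar  3 09:00:20 2014 : Auth: Login OK: [bob] (from client meraki.krypted.com port 0 cli 66-77-88-99-AA-BB)
"""

# Matches only the "Auth:" lines; the user field may carry a "/<via ...>" suffix,
# which is dropped so attempts for the same account are counted together.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]+)[^\]]*\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)$"
)


def parse_auth_lines(text):
    """Return a list of dicts for each auth line; non-auth lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ok"] = ev.pop("result") == "OK"
        events.append(ev)
    return events


def failure_counts(events):
    """Count failed logins per (client, user) pair."""
    return Counter((e["client"], e["user"]) for e in events if not e["ok"])


def flag_guessing(events, threshold=3):
    """Return (client, user) pairs with at least `threshold` failures."""
    return sorted(k for k, n in failure_counts(events).items() if n >= threshold)


if __name__ == "__main__":
    for client, user in flag_guessing(parse_auth_lines(SAMPLE_LOG)):
        print(f"repeated failures for {user!r} via NAS {client}")
```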
Note: Tip of the ‘ole hat to Jedda Wignall for writing this up for 10.8 at https://gist.github.com/jedda/4103604