-
-
Save jedda/4103604 to your computer and use it in GitHub Desktop.
# Configuring basic RADIUS on OS X 10.8 Server | |
# Jedda Wignall | |
# http://jedda.me | |
# Full writeup at: http://jedda.me/2012/11/configuring-basic-radius-os-108-server/ | |
# create the SACL for access to RADIUS | |
dseditgroup -q -o create -u <admin user> -n . com.apple.access_radius | |
# configure radiusd to log both successful and failed authentications | |
radiusconfig -setconfig auth yes | |
radiusconfig -setconfig auth_badpass yes | |
radiusconfig -setconfig auth_goodpass yes | |
# configure rotation of logs and accounting data - maximum 15 files kept | |
radiusconfig -autorotatelog on -n 15 | |
# add a RADIUS authenticator with a specific IP/host and shortname | |
radiusconfig -addclient <IP/host> <shortname> other | |
# create/export certificate identity | |
-- In Keychain Access, export both your certificate and private key to a .p12 file. Note the export password. | |
# split your .p12 identity into separate certificate and private key with no encryption | |
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts | |
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys | |
# install the certificate and key into the radiusd configuration files | |
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt | |
# test run radiusd with a debug flag. you should see "Ready to process requests." | |
radiusd -X | |
# when ready, kill radiusd with Control-C, and use radiusconfig to start RADIUS properly | |
radiusconfig -start | |
# make the RADIUS logs accessible to read | |
chmod -R 775 /private/var/log/radius | |
# users in the group com.apple.access_radius should now be able to authenticate and be authorized for access on the authenticators you have configured |
Hi,
Could you check if your users are in com.apple.access_radius group ?
On Mavericks Radius is in /Library/Server/radius/raddb et non in /etc/raddb.
What is your error message in radius.log ?
Bye
Xavier
Should I create a new user for <admin user>
?
Followed these instructions, substituting /Library/Server/radius for /etc. This is on Yosemite.
rlm_eap_tls: retrieving password from keychain for private key file /Library/Server/radius/raddb/certs/server.key
rlm_eap_tls: keychain item name for private key password is 168F5CDF5CDB47A6614CD0414E708F9A9093801A
rlm_eap_tls: Unable to find private key password in keychain
rlm_eap_tls: Error reading private key password from keychain
rlm_eap: Failed to initialize type tls
/Library/Server/radius/raddb/eap.conf[17]: Instantiation failed for module "eap"
/Library/Server/radius/raddb/sites-enabled/default[321]: Failed to find "eap" in the "modules" section.
/Library/Server/radius/raddb/sites-enabled/default[256]: Errors parsing authenticate section.
You might have to run this through Google Translate, but these instructions appear to work for Yosemite:
http://qiita.com/kunichiko/items/602abf45758c85e1e163
You could also take a look at:
https://github.com/NeuralGlue/OSX_Server_Notes/blob/master/Radius%20in%20Yosemite%20Server.md
In Mavericks 10.9 your documentation Line 16 doesn't work.
I got RADIUS working without the autorotatelog. I have a Cisco Meraki MK12 unit, enabled RADIUS however when I try to connect PC or Mac or iPhone it says unable to authenticate to it. Any ideas?