Created
November 18, 2012 04:44
Configuring basic RADIUS on OS X 10.8 Server
# Configuring basic RADIUS on OS X 10.8 Server
# Jedda Wignall
# http://jedda.me
# Full writeup at: http://jedda.me/2012/11/configuring-basic-radius-os-108-server/

# create the SACL for access to RADIUS
dseditgroup -q -o create -u <admin user> -n . com.apple.access_radius

# configure radiusd to log both successful and failed authentications
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes

# configure rotation of logs and accounting data - maximum 15 files kept
radiusconfig -autorotatelog on -n 15

# add a RADIUS authenticator with a specific IP/host and shortname
radiusconfig -addclient <IP/host> <shortname> other

# create/export certificate identity
# In Keychain Access, export both your certificate and private key to a .p12 file. Note the export password.

# split your .p12 identity into separate certificate and private key with no encryption
# (-nodes writes server.key unencrypted, so keep that file readable only by the account radiusd runs as)
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in /Users/admin/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys

# install the certificate and key into the radiusd configuration files
radiusconfig -installcerts /etc/raddb/certs/server.key /etc/raddb/certs/server.crt

# test run radiusd with a debug flag. you should see "Ready to process requests."
radiusd -X

# when ready, kill radiusd with Control-C, and use radiusconfig to start RADIUS properly
radiusconfig -start

# make the RADIUS logs accessible to read
chmod -R 775 /private/var/log/radius

# users in the group com.apple.access_radius should now be able to authenticate and be authorized for access on the authenticators you have configured
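A check worth running between the .p12 split and `radiusconfig -installcerts`, added here as an example that is not part of the gist: it builds a throwaway identity, splits it exactly as the gist does, and confirms that the resulting key is unencrypted (so radiusd will not go looking for a passphrase) and actually belongs to the certificate. It assumes openssl is on PATH; every path, subject and password in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the gist): build a throwaway identity, split it the
# way the gist does, and verify the pieces before handing them to radiusconfig.
# Assumes openssl is on PATH; all paths and passwords below are constructed here.
set -eu

WORK="$(mktemp -d)"
P12="$WORK/Identity.p12"
KEY="$WORK/server.key"
CRT="$WORK/server.crt"

# Constructed self-signed identity standing in for the one exported from Keychain Access.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/tmp.key" -out "$WORK/tmp.crt" \
    -days 1 -subj "/CN=radius.example.test" >/dev/null 2>&1
openssl pkcs12 -export -in "$WORK/tmp.crt" -inkey "$WORK/tmp.key" -out "$P12" \
    -passout pass:export >/dev/null 2>&1

# Same split as the gist, with the export password supplied non-interactively.
openssl pkcs12 -in "$P12" -passin pass:export -out "$KEY" -nodes -nocerts >/dev/null 2>&1
openssl pkcs12 -in "$P12" -passin pass:export -out "$CRT" -nodes -nokeys >/dev/null 2>&1

# Returns 0 only if the key is unencrypted (no keychain password needed) and matches the cert.
check_identity() {
    key="$1"; crt="$2"
    # An encrypted key carries an ENCRYPTED PEM label or Proc-Type header; -nodes must have removed it.
    if grep -q "ENCRYPTED" "$key"; then
        echo "key is still encrypted" >&2; return 1
    fi
    # Key must parse without a passphrase.
    openssl pkey -in "$key" -noout >/dev/null 2>&1 || { echo "key unreadable" >&2; return 1; }
    # Public key derived from the private key must equal the one in the certificate.
    k="$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)"
    c="$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl sha256)"
    [ "$k" = "$c" ] || { echo "key does not match certificate" >&2; return 1; }
    return 0
}

if check_identity "$KEY" "$CRT"; then
    echo "server.key and server.crt are consistent and ready for radiusconfig -installcerts"
fi
```

Run it against your real server.key and server.crt by calling `check_identity` with those two paths; a non-zero exit with "key is still encrypted" is the condition that produces the keychain password errors seen in the comments.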
You might have to run this through Google Translate, but these instructions appear to work for Yosemite:
http://qiita.com/kunichiko/items/602abf45758c85e1e163
You could also take a look at:
https://github.com/NeuralGlue/OSX_Server_Notes/blob/master/Radius%20in%20Yosemite%20Server.md
Followed these instructions, substituting /Library/Server/radius for /etc. This is on Yosemite.
rlm_eap_tls: retrieving password from keychain for private key file /Library/Server/radius/raddb/certs/server.key
rlm_eap_tls: keychain item name for private key password is 168F5CDF5CDB47A6614CD0414E708F9A9093801A
rlm_eap_tls: Unable to find private key password in keychain
rlm_eap_tls: Error reading private key password from keychain
rlm_eap: Failed to initialize type tls
/Library/Server/radius/raddb/eap.conf[17]: Instantiation failed for module "eap"
/Library/Server/radius/raddb/sites-enabled/default[321]: Failed to find "eap" in the "modules" section.
/Library/Server/radius/raddb/sites-enabled/default[256]: Errors parsing authenticate section.