10.5: Enable full RADIUS support on OS X Server
OS X 10.5 Server comes with a RADIUS server, but on the surface it seems that Apple only ships support for wireless access points. However, the foundation is a fully working FreeRADIUS server.

When trying to get the Radius server to work together with our Checkpoint firewall for VPN authentication, I found that the Radius server tries to authenticate the users against the /etc/passwd file. However, for authorization, it correctly queries the OpenDirectory. I opened a support call with Apple, and I eventually received the following instructions to change the behavior.

Here's what Apple told me... (robg adds: I have trimmed the email from Apple, and edited it a bit for easier reading, but I didn't modify any of the actual instructions):

Apple included RADIUS services in Leopard Server to apply support for our own access points (AirPort Express and Extreme). Apple may continue work to implement further functions and support, but at this stage, RADIUS in Leopard Server configures AirPort Base Stations. But as you pointed out, under the hood Leopard's RADIUS Service is really 'freeRADIUS.'

Regarding this error:
Tue Nov 20 15:02:19 2007 : Auth: rlm_opendirectory: User <****> is authorized.
Tue Nov 20 15:02:19 2007 : Auth: rlm_unix: [****]: invalid password
By default, the RADIUS process doesn't know how to deal with the request when it comes in, so the request falls through to the default authentication type of a Unix password file (System). In other words, it doesn't know to look in OpenDirectory for the MAC Address. To correct this, you need to change one line in /etc/raddb/users. At about line 153, you'll see this:
DEFAULT    Auth-Type = System
    Fall-Through = 1
Change this to:
DEFAULT    Auth-Type = opendirectory
    Fall-Through = 1
After making this change, you'll have to restart the RADIUS process; this should solve your issue. Furthermore, the logging pane may not show all the information that is needed to troubleshoot RADIUS issues. But as the service is based on freeRADIUS, there are more logs that can be started (and stopped). Specifically, the RADIUS process can log all authentication requests, along with the valid or invalid password. To do this, type the following in Terminal on the server:
$ sudo radiusconfig -setconfig log_auth yes
$ sudo radiusconfig -setconfig log_auth_goodpass yes
$ sudo radiusconfig -setconfig log_auth_badpass yes
[robg adds: I haven't tested this one, not having a Server machine.]
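
As an added example (my code, not Apple's and not the hint author's), the Python script below does the two checks a practitioner wants around this change: it reports which Auth-Type the fall-through DEFAULT entry in a users file currently carries, rewrites it to opendirectory while leaving every other DEFAULT entry untouched, and scans Auth log lines for the exact pair quoted in the email (rlm_opendirectory authorizes the user, rlm_unix then rejects the password), which is the tell-tale of a server still falling through to System. The users-file excerpt and the log lines are constructed to match the hint; the "Login OK" line is assumed from FreeRADIUS 1.x log_auth output, and fix_users_file is a hypothetical helper that writes a .bak copy before touching the real file.

```python
# Added example (not Apple's or the hint author's code): audit the fall-through
# DEFAULT entry in a FreeRADIUS users file, rewrite it to opendirectory, and
# recognise the "authorized by rlm_opendirectory, rejected by rlm_unix" symptom
# in the Auth log. File layout and log lines are modelled on the hint.
import re
from pathlib import Path
from typing import Iterable, List, Optional

# Constructed excerpt in the style of /etc/raddb/users (the stanza at about line 153).
SAMPLE_USERS = """\
# Default entry: catches every user not matched by an earlier entry.
DEFAULT    Auth-Type = System
    Fall-Through = 1

DEFAULT    Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 576
"""

# Constructed log lines in the format quoted in the hint; the "Login OK" line
# is assumed from FreeRADIUS 1.x log_auth output.
SAMPLE_LOG = [
    "Tue Nov 20 15:02:19 2007 : Auth: rlm_opendirectory: User <alice> is authorized.",
    "Tue Nov 20 15:02:19 2007 : Auth: rlm_unix: [alice]: invalid password",
    "Tue Nov 20 15:03:01 2007 : Auth: rlm_opendirectory: User <bob> is authorized.",
    "Tue Nov 20 15:03:01 2007 : Auth: Login OK: [bob] (from client airport port 0)",
]

# First line of a DEFAULT entry whose check items set Auth-Type; the value is group 2.
_DEFAULT_AUTH = re.compile(r'^(DEFAULT[ \t]+Auth-Type[ \t]*:?=[ \t]*)([^\s,]+)(.*)$')
_FALL_THROUGH = re.compile(r'Fall-Through\s*=\s*1', re.I)
_OD_AUTHORIZED = re.compile(r'rlm_opendirectory: User <([^>]*)> is authorized')
_UNIX_BADPASS = re.compile(r'rlm_unix: \[([^\]]*)\]: invalid password')


def _entries(users_text: str):
    """Yield (line_index, first_line, indented_body_lines) for each users-file entry."""
    lines = users_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line and line[0] not in " \t#":          # entry names start in column 0
            body: List[str] = []
            j = i + 1
            while j < len(lines) and lines[j] and lines[j][0] in " \t":
                body.append(lines[j])
                j += 1
            yield i, line, body
            i = j
        else:
            i += 1


def fallthrough_auth_type(users_text: str) -> Optional[str]:
    """Auth-Type of the DEFAULT entry that falls through (None if there is none)."""
    for _, first, body in _entries(users_text):
        m = _DEFAULT_AUTH.match(first)
        if m and any(_FALL_THROUGH.search(b) for b in body):
            return m.group(2)
    return None


def set_fallthrough_auth_type(users_text: str, new_type: str = "opendirectory") -> str:
    """Return users_text with the fall-through DEFAULT Auth-Type replaced; nothing else changes."""
    lines = users_text.splitlines(keepends=True)
    for idx, first, body in _entries(users_text):
        m = _DEFAULT_AUTH.match(first)
        if m and any(_FALL_THROUGH.search(b) for b in body):
            lines[idx] = _DEFAULT_AUTH.sub(
                lambda mm: mm.group(1) + new_type + mm.group(3), lines[idx], count=1)
            return "".join(lines)
    raise ValueError("no fall-through DEFAULT entry with an Auth-Type found")


def fix_users_file(path: str, new_type: str = "opendirectory") -> bool:
    """Hypothetical helper: rewrite the file in place, keeping a .bak copy.
    Returns False when the entry already has the requested Auth-Type."""
    p = Path(path)
    text = p.read_text()
    if fallthrough_auth_type(text) == new_type:
        return False
    p.with_suffix(p.suffix + ".bak").write_text(text)
    p.write_text(set_fallthrough_auth_type(text, new_type))
    return True


def fallthrough_failures(log_lines: Iterable[str]) -> List[str]:
    """Users that rlm_opendirectory authorized but rlm_unix then rejected:
    the signature of the fall-through default still pointing at System."""
    hits: List[str] = []
    last_authorized: Optional[str] = None
    for line in log_lines:
        m = _OD_AUTHORIZED.search(line)
        if m:
            last_authorized = m.group(1)
            continue
        m = _UNIX_BADPASS.search(line)
        if m and m.group(1) == last_authorized:
            hits.append(last_authorized)
            last_authorized = None
    return hits


if __name__ == "__main__":
    print("fall-through Auth-Type:", fallthrough_auth_type(SAMPLE_USERS))
    print("after fix:", fallthrough_auth_type(set_fallthrough_auth_type(SAMPLE_USERS)))
    print("OD-authorized users rejected by rlm_unix:", fallthrough_failures(SAMPLE_LOG))
```

Run fix_users_file as root against /etc/raddb/users, then restart RADIUS as the email says and re-run fallthrough_failures over the fresh log to confirm the pair no longer appears. Note that log_auth_badpass and log_auth_goodpass write the submitted passwords into the log, so restrict who can read the RADIUS log while they are on.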

Authored by: ncudmore on Fri, Apr 18 2008 at 9:22AM PDT
I've been testing this on OS X Server 10.5.2...

You'll also need to update the clients.conf file, also found in /etc/raddb.

This stores the configuration of machines/devices that can access the RADIUS server; otherwise you'll get errors such as:

<date> : Error: Ignoring request from unknown client 192.168.1.111:1165

There are a few examples in there (single client, network, etc.), so you can just edit the text file and customize it before restarting the service.

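
To go with this comment, an added example (my code, not ncudmore's and not from FreeRADIUS) that parses clients.conf-style stanzas, pulls the source address out of the "Ignoring request from unknown client" line and reports whether the on-disk configuration already covers it (edited but the service not yet restarted) or whether the device still needs a stanza. It also flags stanzas left on the example secret that ships in the stock clients.conf and renders a stanza for a new client. All addresses, secrets and log lines are constructed, and the stanza layout and the nastype attribute are assumed from FreeRADIUS 1.x.

```python
# Added example (not the commenter's or FreeRADIUS's own code): parse
# clients.conf stanzas, match rejected source addresses against them, flag the
# stock example secret, and render a stanza for a new NAS.
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed excerpt in the style of /etc/raddb/clients.conf.
SAMPLE_CLIENTS_CONF = """\
client 127.0.0.1 {
    secret      = testing123        # the stock example secret: replace it
    shortname   = localhost
    nastype     = other
}
client 192.168.1.0/24 {
    secret      = PLACEHOLDER-shared-secret
    shortname   = office-lan
    nastype     = cisco
}
"""

# Constructed log lines in the format quoted in the comment.
SAMPLE_LOG = [
    "Fri Apr 18 09:00:01 2008 : Error: Ignoring request from unknown client 192.168.1.111:1165",
    "Fri Apr 18 09:00:07 2008 : Error: Ignoring request from unknown client 10.0.5.9:1812",
]

Client = Tuple[ipaddress.IPv4Network, Dict[str, str]]
_STANZA = re.compile(r'client\s+(\S+)\s*\{([^}]*)\}')
_UNKNOWN = re.compile(r'Ignoring request from unknown client (\d{1,3}(?:\.\d{1,3}){3}):(\d+)')


def parse_clients(text: str) -> List[Client]:
    """Parse every client stanza into (network, attributes); a bare IP becomes a /32."""
    clients: List[Client] = []
    for m in _STANZA.finditer(text):
        attrs: Dict[str, str] = {}
        for raw in m.group(2).splitlines():
            line = raw.split("#", 1)[0].strip()         # drop trailing comments
            if "=" in line:
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        clients.append((ipaddress.ip_network(m.group(1), strict=False), attrs))
    return clients


def client_for(clients: List[Client], ip: str) -> Optional[str]:
    """shortname of the first configured client whose network contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, attrs in clients:
        if addr in net:
            return attrs.get("shortname", str(net))
    return None


def unknown_client_report(log_lines: Iterable[str], clients: List[Client]) -> Dict[str, Optional[str]]:
    """For each rejected source IP in the log: the on-disk client that covers it, or None.
    A covered IP means clients.conf was edited but radiusd not restarted; None means
    the device still has no stanza."""
    report: Dict[str, Optional[str]] = {}
    for line in log_lines:
        m = _UNKNOWN.search(line)
        if m:
            report[m.group(1)] = client_for(clients, m.group(1))
    return report


def stock_secret_clients(clients: List[Client]) -> List[str]:
    """Clients still using the example secret shipped in the stock clients.conf."""
    return [attrs.get("shortname", str(net)) for net, attrs in clients
            if attrs.get("secret") == "testing123"]


def render_client(address: str, secret: str, shortname: str, nastype: str = "other") -> str:
    """A stanza for a new client; nastype is the access-point type (e.g. cisco or other)."""
    net = ipaddress.ip_network(address, strict=False)
    host = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
    return (f"client {host} {{\n"
            f"    secret      = {secret}\n"
            f"    shortname   = {shortname}\n"
            f"    nastype     = {nastype}\n"
            f"}}\n")


if __name__ == "__main__":
    clients = parse_clients(SAMPLE_CLIENTS_CONF)
    print(unknown_client_report(SAMPLE_LOG, clients))
    print("stock secret still in use:", stock_secret_clients(clients))
    print(render_client("10.0.5.9", "PLACEHOLDER-new-secret", "vpn-gateway"))
```

Point parse_clients at /etc/raddb/clients.conf and the report at the live log: an IP that is already covered only needs a service restart, while an uncovered one needs a stanza appended (render_client) with a secret unique to that device, after which the service is restarted as the comment describes.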
Authored by: nick.welsh on Wed, Jun 11 2008 at 4:17AM PDT
Thanks for this info. One question: how do I start the RADIUS service if I don't have an AirPort Base Station? I cannot finish the configuration GUI without a base station.

Nick W

Authored by: kainewynd2 on Wed, Jun 11 2008 at 11:54AM PDT
You're overthinking it...

Just don't use the Configuration Tool - click start instead.

This works on an Advanced setup anyway.

Authored by: RmACK on Tue, Oct 28 2008 at 10:55PM PDT
Same here, but I FOUND A SOLUTION!!!! I have spent hours searching the net, but finally poked around and found the bit of Server Admin that is that wizard. I will give the path, but obviously you have to go "Show Package Contents" several times if you do this through the Finder.
Applications/Server/Server Admin.app/Contents/Resources/RoleBasedSetup.bundle/Contents/Plugins/RadiusPlugin/Contents/Resources/RadiusSteps.plist
Double-click the plist and uncheck the "enabled" value for Item 6, which has the identifier string Radius.AddBaseStations. Hit Save. Launch Server Admin. Now the RADIUS configure wizard will SKIP that nasty step where you have to have an AirPort to select from the list. Wow.

Authored by: kainewynd2 on Wed, Jun 11 2008 at 11:55AM PDT
Oh, you might be able to get away with: serveradmin start vpn

Authored by: TvE on Thu, Sep 4 2008 at 11:19AM PDT
Hmm - I am easily able to authenticate to my OD without the change mentioned in this hint…

Authored by: mcnaugha on Tue, Jun 2 2009 at 5:43AM PDT
If you set the RADIUS certificate correctly (it defaults to test certificates, which cannot be used) and then use the "Add..." button to add in third-party APs, then you can start the service. The service will not start while the certificates are the test ones because a 'dh' file is missing. The GUI shows "Custom Configuration..." when it's set to the test certificates.

When using the "Add..." button you need to specify an AP type. These are defined, and you must use the relevant one of the following: cisco, computone, livingston, max40xx, multitech, netserver, pathras, patton, portslave, tc, usrhiper, other. I was testing with Linksys APs and they worked with the 'cisco' type.

I didn't test this without changing the authentication bit to opendirectory, so I can't confirm that it works without changing this. So I don't know if TvE is referring to this when using third-party APs. If TvE is just using AirPorts then the point of this hint has been missed.

Authored by: jpwatson on Mon, Jul 20 2009 at 4:25PM PDT
Labeling the AP type made a huge difference. I'm using a D-Link DAP-2553 and put in "dlink" which worked fine.

Also, if you're having issues with Windows boxes, check out this thread, specifically the post by vette4:

http://discussions.apple.com/thread.jspa?messageID=7861437

Authored by: tkrauter on Wed, Sep 9 2009 at 7:41AM PDT
We have been using RADIUS/Open Directory for our wireless for about a year. We have an Enterasys wireless controller with 20 access points, about 100 wireless users at a time, and 1000 users in Open Directory. The Enterasys controller handles all the authentication, so the only address we have in the "Base Station" configuration is the address of the controller. We do not specify a "Type" at all.

It was fairly simple to generate a self-signed certificate using the Server Admin tool, then select the certificate in the Settings tab of RADIUS. We have had some minor issues and made some little tweaks to the config file to accommodate more users, but everything worked from the beginning.

All things mentioned in the article were already configured on our server. Maybe it was the sequence in which services were installed/started that made a difference.
