One small project that has been lingering on my list is to set up a VPN for our internal network and allow employees to authenticate with their LDAP credentials.  I decided to use a PPTP VPN server because OS X has that client built into the OS, which makes things easier for me and for everyone else.  The PPTP server I set up provides two auth methods: a local database of users or a RADIUS server.  After some reading, I found you can set up a FreeRADIUS server to query a specified LDAP server for user accounts… sweet!

Setting up FreeRADIUS on an Ubuntu server is very simple if you use apt-get.  So that’s what I did, and after tinkering with the server settings for the better part of a day I was still having problems authenticating to the server with my LDAP credentials.  There is a test utility that comes with FreeRADIUS called radtest that makes testing your login very easy.  The error logs were of no help either.  So I gave up.

Not really, but I went to Jerry for ideas and he said “dude, I think there is a RADIUS server built into OS X Server”.  It turns out there is a FreeRADIUS server pre-installed on OS X Server 10.5 and 10.6, but out of the box it is set up to manage authentication for AirPorts on your network.

After some searching on the net, I found that Apple’s install of RADIUS is actually a complete FreeRADIUS server that has been configured to Apple’s liking.  By default, the RADIUS server tries to authenticate users against the /etc/passwd file, but that can be changed to authenticate against Open Directory very easily.  You will need to change the following in /etc/raddb/users:

DEFAULT Auth-Type = System
Fall-Through = 1

Change this to:

DEFAULT Auth-Type = opendirectory
Fall-Through = 1

And since our LDAP is already running on OS X 10.5, all I had to do was make the change and start the RADIUS service.  I used the radtest script to verify it was working properly.

To allow our VPN server to authenticate against the new RADIUS server I had to add the VPN server address to /etc/raddb/clients.conf as an allowed client.  I finished setting up the VPN server with the new authentication method, and now all I have to do is train our staff how to use the new VPN connection…
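The clients.conf step and the radtest check above, as an added example that is not from the original post: it appends a client stanza with a random shared secret (only once), and classifies the radtest reply so that a silent timeout is recognised as a clients.conf problem rather than a bad password. Assumed values: a VPN server at 192.0.2.10 with the short name "vpn", and the /etc/raddb layout from the post.

```shell
#!/bin/sh
# Added example, not from the original post: register the VPN server as an
# allowed RADIUS client with a random shared secret and classify a radtest
# reply. Assumed: VPN server 192.0.2.10, short name "vpn", /etc/raddb layout.
RADDB="${RADDB:-/etc/raddb}"
# 16 random bytes as 32 hex characters: a long per-client secret instead of
# the dictionary word that often ends up in clients.conf.
gen_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print a clients.conf stanza: name, IP address, shared secret.
client_stanza() {
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n\tshortname = %s\n}\n' \
        "$1" "$2" "$3" "$1"
}

# Succeed if the given clients.conf already lists this ipaddr (no duplicates).
has_client() {
    grep -Eq "^[[:space:]]*ipaddr[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# Classify captured radtest output: 0 = Access-Accept, 1 = Access-Reject,
# 2 = no reply. FreeRADIUS silently drops requests from an unlisted client or
# with a wrong shared secret, so a timeout usually points at clients.conf.
radtest_result() {
    case "$1" in
        *Access-Accept*) return 0 ;;
        *Access-Reject*) return 1 ;;
        *) return 2 ;;
    esac
}

# radtest args: user password server nas-port secret. Run it from the host
# listed in clients.conf, since FreeRADIUS matches clients by source address.
verify_login() {
    out=$(radtest "$1" "$2" "$3" 0 "$4" 2>&1)
    printf '%s\n' "$out"
    radtest_result "$out"
}

# Run as root on the RADIUS server; copy the printed secret to the VPN server.
add_vpn_client() {
    if has_client "$RADDB/clients.conf" 192.0.2.10; then
        echo "192.0.2.10 already present in $RADDB/clients.conf"; return 1
    fi
    secret=$(gen_secret)
    client_stanza vpn 192.0.2.10 "$secret" >> "$RADDB/clients.conf"
    echo "added client vpn; shared secret: $secret"
}
```

After `add_vpn_client`, restart the RADIUS service and run `verify_login user password radius-host secret` from the VPN server itself; an exit status of 2 means the request was dropped, not rejected.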

If you have problems, you can enable some extra logging features for the RADIUS server.  Run the following commands:

$ sudo radiusconfig -setconfig log_auth yes
$ sudo radiusconfig -setconfig log_auth_goodpass yes
$ sudo radiusconfig -setconfig log_auth_badpass yes

Update:

With the release of Mac OS X 10.6, you no longer have to edit the /etc/raddb/users file.  The built-in FreeRADIUS server looks at Open Directory for users by default.  You still need to edit the clients.conf file according to the included instructions.

If you happen to have multiple certificates on your server, you will have to manually choose the certificate under the RADIUS service Settings.  If you do not, the configuration assistant will open when you try to start the service, which requires you to add AirPorts to continue.

2 Responses to “Use OS X server built-in Radius service for airport authentication as a fully functional free radius server”

  1. Robert

    Hi,

    Thank you for the instructions. Do you have any guides as well on how to use the open directory NOT for users by default but for machine accounts (trusted bind)? The reason is I want to create system WLAN profiles so that the machine is already connected to the WLAN BEFORE a user logs on.

    The better solution would be a machine certificate, but I absolutely have no idea how to realize this with OS X Server and FreeRADIUS on it. I’m currently using version 10.7.3.

    My workaround in place is that I’ve created a dedicated WLAN user account which is configured in the 802.1x profile to log on to the wireless lan.

    Cheers

    Robert

  2. Hardy

    Hi,

    Thanks for the info. I’m running 10.8 Server now, and I have not succeeded in adding a Time Capsule as described by Apple, since the network topology does not allow for the prerequisites described.

    So, I assume that it should be possible to add the TC anyway, and to get the Radius server up and running using the radiusconfig command using the Terminal.

    As I’m not really a novice to the terminal, but definitely not an expert at using RADIUS, do you have an idea which steps to take?

    Greetings
    Hardy
