Configure RADIUS on OS X Mountain Lion 10.8

Apple’s OS X Server has been capable of running as a RADIUS server for as long as I care to remember. The now defunct Server Admin was able to target Apple’s Airport Extreme and Time Capsule, enabling them to create WPA2/WPA Enterprise Wifi networks.

The underlying technology, back then as now, is FreeRADIUS.

Today, however, the only tool left is the Server app, and an Apple base station only shows up in its sidebar if it is configured in a certain way. Setting up RADIUS is now a mere checkbox, but it requires an Apple base station if you want to enable RADIUS via a GUI.

Perhaps you don’t have an Apple base station and/or would like to set up RADIUS for another type of Wifi access point. Fear not, there is hope! You just have to delve into the command line to get things done.

This guide assumes you have OS X 10.8.3 installed with Server app, Open Directory configured, and a WPAx Enterprise capable Wifi access point with an IP address of 192.168.1.1.

There are a few steps to complete.

  • Add a Network Access Server (NAS)
  • Configure certificates
  • Configure Wifi Access Point

Add a Network Access Server (NAS)

Open up the Terminal app and enter a root shell by running sudo -s and entering your admin password.

Add your NAS device as follows. Note: after running the command you’ll be prompted to enter a shared secret; ideally this should be a strong password.

radiusconfig -addclient 192.168.1.1 ZyXEL

You can double check that it was added correctly by running this:

radiusconfig -naslist

Configuring Certificates

For this exercise we will make use of a default SSL certificate that can be found in /etc/certificates, called Server Fallback SSL Certificate.

Installing the certificate is done by running radiusconfig -installcerts <private-key> <certificate> <trusted-ca>. Your certificates will have a different name. Just follow my example and replace certname in each of the three paths with your certificate's name in the command below.

radiusconfig -installcerts /etc/certificates/certname.key.pem /etc/certificates/certname.cert.pem /etc/certificates/certname.chain.pem

As we are using certificates generated via Certificate Assistant, we need to make a tiny adjustment to the eap.conf file in /etc/raddb. To do this we use the following command.

radiusconfig -setconfig private_key_password Apple:UseCertAdmin

For interest's sake, all this does is change the eap.conf file as shown in the before/after screenshot below.

At this point your server is ready to go; test it by running radiusd in debug mode:

radiusd -sfX

This will run your server in debug mode for testing purposes. If all is well, the last line will say “Ready to process requests.”

Configure Wifi Access Point

We still have to configure our Wifi access point though. How you do this will vary from device to device; I will just provide a guideline here of what it looks like on a ZyXEL router’s Wifi configuration.

Once completed, try connecting to your new WPAx Enterprise Wifi network and look at the debug output of radiusd. You should see a line saying “Sending Access-Accept of id.....”, which indicates that the client was accepted and is connected.
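As an added example (not part of the original post), here is a small POSIX shell script that checks a saved copy of the radiusd -sfX output for the two things described above: the “Ready to process requests.” line and the Access-Accept replies. It also tallies Access-Reject replies and lists any Access-Request that came from a host other than the NAS we added with radiusconfig -addclient, since with a single access point configured anything else is either a misconfigured device or something that should not be talking to the server. The log lines are constructed to follow the FreeRADIUS 2.x debug format; the 192.168.1.77 address is made up for the example.

```shell
#!/bin/sh
# Added example: post-setup sanity checks over `radiusd -sfX` debug output.
# SAMPLE_LOG is a constructed sample in FreeRADIUS 2.x debug format, not a
# capture from a real server. 192.168.1.1 is the NAS from the guide;
# 192.168.1.77 is an invented address that was never added as a client.
SAMPLE_LOG='Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1025, id=12, length=155
Sending Access-Accept of id 12 to 192.168.1.1 port 1025
rad_recv: Access-Request packet from host 192.168.1.1 port 1025, id=13, length=155
Sending Access-Reject of id 13 to 192.168.1.1 port 1025
rad_recv: Access-Request packet from host 192.168.1.77 port 1812, id=5, length=140
Ignoring request to authentication address * port 1812 from unknown client 192.168.1.77 port 1812
rad_recv: Access-Request packet from host 192.168.1.1 port 1025, id=14, length=155
Sending Access-Accept of id 14 to 192.168.1.1 port 1025'

# Space-separated list of NAS addresses added with `radiusconfig -addclient`.
KNOWN_NAS='192.168.1.1'

# Exit 0 when the daemon reached the ready state, 1 otherwise.
radiusd_ready() {
  printf '%s\n' "$1" | grep -q 'Ready to process requests\.'
}

# Print how many replies of type $2 (Access-Accept or Access-Reject) appear in log $1.
# grep -c exits 1 on zero matches but still prints 0, hence the `|| true`.
count_replies() {
  printf '%s\n' "$1" | grep -c "Sending $2 of id " || true
}

# Print each Access-Request source host that is not in KNOWN_NAS, once per host.
unknown_sources() {
  printf '%s\n' "$1" | awk -v known="$KNOWN_NAS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /^rad_recv: Access-Request packet from host / {
      host = $6
      if (!(host in ok) && !(host in seen)) { seen[host] = 1; print host }
    }'
}

# Human-readable summary of one debug run.
report() {
  if radiusd_ready "$1"; then echo "radiusd: ready"; else echo "radiusd: NOT ready"; fi
  echo "Access-Accept replies: $(count_replies "$1" Access-Accept)"
  echo "Access-Reject replies: $(count_replies "$1" Access-Reject)"
  echo "Requests from unknown hosts: $(unknown_sources "$1" | tr '\n' ' ')"
}

# With a file argument, report on that capture; otherwise use the constructed sample.
if [ -n "$1" ]; then report "$(cat "$1")"; else report "$SAMPLE_LOG"; fi
```

To use it against a real run, capture the debug output first (for example radiusd -sfX 2>&1 | tee radiusd.log, then Ctrl+C once you have connected a client) and pass radiusd.log as the script's argument. A host showing up under “Requests from unknown hosts” means a device is sending RADIUS traffic that the server will ignore, which is worth chasing down before the server goes into production.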

Hit Ctrl+C to stop the server.

Finally, have radiusd launch persistently:

launchctl load -w /System/Library/LaunchDaemons/org.freeradius.radiusd.plist

Exit your root shell.

You now have a very basic RADIUS server running on OS X Mountain Lion!

In a follow up post I will detail a bit more about logging and the SACL that can be implemented on top of our existing RADIUS server.

Migrate External Time Machine to OS X Server (part 2)

If you're curious and wondered whether it's possible to migrate an external disk Time Machine backup to OS X Server or even a Time Capsule, the answer is: yes, it's very possible! In part 1, where we migrated Time Capsule backups to OS X Server, we had the luxury of simply moving a sparsebundle disk image. External Time Machine backups do not use sparsebundles, so we need to create one first.

First, verify the size of the external backup; a simple Finder 'Get Info' on the external volume will do just fine. We need this to determine the size to specify for the disk image we are about to create. E.g., let's say our external backup holds 100GB of data; then add an additional ±20GB, giving us a final figure of 120GB. The reason for adding 20GB is that when we create the disk image, it needs to create a file system etc., which also takes up space. Specifying just 100GB will result in a 'not enough disk space available' error. Mind you, 20GB extra is probably overkill, but it doesn't really matter, as it won't actually make an image that's 120GB in size; think of it as an initial 'soft limit' of sorts.

Again, it's advisable to disable Time Machine in System Preferences on the client. Let's fire up Terminal.app...

To create the disk image, we'll do the following:

hdiutil create -size 120GB -type SPARSEBUNDLE -fs JHFS+ ~/Desktop/tmbackup.sparsebundle

Mount the newly created image.

hdiutil mount ~/Desktop/tmbackup.sparsebundle

At this point we need to gather our source and target volume identifiers. Make a note of the external Time Machine volume, e.g. disk0s4, and also of our target disk image (the previous step already shows us this for the sparsebundle), e.g. disk1s2.

diskutil list

Unmount the external Time Machine volume.

diskutil umount disk0s4

Next, using ASR (Apple System Restore), we will transfer the data from the external Time Machine volume to our new sparsebundle image.

sudo asr --source /dev/disk0s4 --target /dev/disk1s2 --erase

Once completed, eject the mounted sparsebundle.

diskutil eject disk1
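Since asr --erase wipes whatever it is pointed at, a mix-up between the source and target identifiers from diskutil list would destroy the very backup being migrated. As an added example (not from the original post), the following POSIX shell functions wrap the steps above: they compute the image size with the headroom discussed earlier, check that both identifiers have the diskNsM form that diskutil reports, refuse identical identifiers, and print the exact commands so they can be reviewed before anything runs. Nothing in the script touches a disk; the identifiers disk0s4 and disk1s2 and the image path are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: input checks around the
# hdiutil/asr steps. The functions only validate arguments and print the
# commands to run, so the plan can be read before `asr --erase` is executed.

# Image size for hdiutil: data size in GB plus headroom for the file system.
# The post adds about 20GB; pass a second argument to use a different margin.
image_size_gb() {
  echo $(( $1 + ${2:-20} ))
}

# Succeeds when $1 looks like a partition identifier such as disk0s4,
# the form `diskutil list` reports for volumes (no /dev/ prefix).
is_slice_id() {
  printf '%s' "$1" | grep -Eq '^disk[0-9]+s[0-9]+$'
}

# Print the hdiutil command that creates the sparsebundle ($2) sized for
# $1 GB of backup data.
plan_create() {
  image="${2:-$HOME/Desktop/tmbackup.sparsebundle}"
  echo "hdiutil create -size $(image_size_gb "$1")GB -type SPARSEBUNDLE -fs JHFS+ \"$image\""
}

# Print the unmount / asr / eject sequence for copying the external Time
# Machine volume ($1) into the mounted sparsebundle volume ($2). Fails
# without printing anything if either identifier is malformed or if they
# are the same, because `asr --erase` wipes the target.
plan_transfer() {
  src="$1"; dst="$2"
  is_slice_id "$src" || { echo "bad source identifier: $src" >&2; return 1; }
  is_slice_id "$dst" || { echo "bad target identifier: $dst" >&2; return 1; }
  [ "$src" != "$dst" ] || { echo "source and target are the same volume" >&2; return 1; }
  # The whole disk behind the target slice (disk1s2 -> disk1) is what gets ejected.
  whole="${dst%s*}"
  cat <<EOF
diskutil umount $src
sudo asr --source /dev/$src --target /dev/$dst --erase
diskutil eject $whole
EOF
}

# Example run with the values from the post: 100GB of data, external volume
# disk0s4, mounted sparsebundle volume disk1s2.
plan_create 100
plan_transfer disk0s4 disk1s2
```

Run the printed hdiutil line first, mount the image, and only then take the two identifiers from diskutil list and feed them to plan_transfer; the eject target is derived from the sparsebundle's slice, matching the diskutil eject disk1 step above.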

Now that we have a sparsebundle, we can follow the same procedure as in Part 1; there is, however, one additional step to be aware of. Our newly created sparsebundle containing the external drive backup must be associated with the client machine in its new form. Here's how:

Complete the steps in Part 1 (short recap below).

  • Copy sparsebundle to OS X Server
  • Change owner and permissions accordingly
  • On client set new Time Machine location to OS X Server

IMPORTANT: Turn Time Machine off immediately after selecting your OS X Server, we don't want the client to do an automatic backup just yet!

On the client machine, make sure the OS X Server Time Machine share is mounted in Finder. Run the following command.

sudo tmutil inheritbackup /Volumes/Backups/tmbackup.sparsebundle

Now you can switch on Time Machine in System Preferences and test the backup! Be sure to initiate a backup as it will trigger Time Machine to also verify the new backup location and sparsebundle. If all went according to plan you have successfully migrated an external Time Machine backup to an OS X Server running the Time Machine service.

Migrate Time Capsule to OS X Server (part 1)

Recent changes in the office and test environment required some thinking on migrating Time Machine data. In the previous setup, although unsupported, backups were done via an external disk (USB3) connected to an Airport Extreme Base Station (AEBS). This method served the backup needs just fine. At that stage a Mac Pro with plenty 'o RAM was in place, but it has since been replaced by the late-2012 Mac mini (which has USB3). This prompted a re-think... the external drive connected to the Airport is USB3, whereas the Airport's USB interface is USB2. This of course equates to a bit of a bottleneck in terms of disk performance. As the Mac mini would be running OS X Server, what better than to connect the USB3 drive to it and use the Time Machine service for much improved backup speeds, especially when you're connected with gigabit ethernet! The question then is how difficult it is to migrate a Time Capsule backup to OS X Server. Turns out it's really easy; for the most part just a copy and paste exercise with a bit of spice sprinkled on top.

There are two ways to go about this, first the easy one, then the slightly more complicated version.

Method 1 - Client Only

This method can be performed entirely on the client machine (which is currently backing up to Time Capsule).

First, switch off Time Machine in System Preferences.

Next, mount the Time Capsule backup share point by clicking on the Time Capsule in the Finder sidebar, then authenticate with the 'admin' password for the Time Capsule.

Then mount OS X Server's Time Machine backup share point, authenticating with the client's user account for OS X Server.

Now, drag and drop the sparsebundle disk image from the Time Capsule share point and drop it on the OS X Server's Time Machine Backup share point.

Depending on the size, this might take some time to copy. Once completed, we have to adjust the permissions of the sparsebundle, otherwise other users will be able to access the backup. To do this, open up Terminal and do the following. Note that the name of the file will be different compared to my example, as it is derived from your Computer Name in System Preferences > Sharing.

chmod -R 700 /Volumes/Backups/MacMiniClient.sparsebundle

Last step is to select the new destination, being OS X Server. Go to System Preferences > Time Machine. Choose 'select disk...' and pick the Backups share on OS X Server. When prompted, choose 'Replace', followed by entering your username and password for the OS X Server.

Testing is pretty simple. Just enter Time Machine and verify that your backup history is there as before.​

All done.

Method 2 - Server/Client

Here we'll start on the server's side (except for step 1) and then finish up on the client. Throughout I'll be using certain paths and names. Yours will be different, therefore amend as necessary.

OS X Server Time Machine destination: /Volumes/TimeMachine/Shared Items/Backups
SparseBundle Disk Image Name: MacMiniClient.sparsebundle

  1. First step is to turn Time Machine off at the client. We don't want the client backing up while we transfer this image.
  2. Next, as per Method 1, mount the Time Capsule's backup volume, this time on the OS X Server. The rest we will complete in Terminal, so fire it up.
  3. Copy the sparsebundle disk image from the mounted Time Capsule volume to your OS X Server's Time Machine destination. (If you need to see progress, you can also copy the file using drag/drop in Finder)
    sudo cp -R /Volumes/Time\ Capsule/MacMiniClient.sparsebundle /Volumes/TimeMachine/Shared\ Items/Backups/MacMiniClient.sparsebundle
  4. Change the owner of the sparsebundle image to the user account that the client will use when connecting to OS X Server's Time Machine service.
    sudo chown -R user1:staff /Volumes/TimeMachine/Shared\ Items/Backups/MacMiniClient.sparsebundle
  5. Set the permissions accordingly. Time Machine service makes use of POSIX permissions to restrict access, so a simple chmod will do the trick. Standard permissions on these sparsebundle images are drwx------+.
    sudo chmod 700 /Volumes/TimeMachine/Shared\ Items/Backups/MacMiniClient.sparsebundle

This completes the part on OS X Server's side.
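Both Method 1's chmod -R 700 and step 5 above rely on the same thing: the Time Machine service enforces access with plain POSIX permissions, so a bundle that is anything other than drwx------ is open to every other account with access to the share. As an added example (not from the original posts), here is a POSIX shell audit that lists every sparsebundle in the Backups directory whose group or other bits are set, so a permissions slip after a copy is caught before anyone else mounts it. The path follows the one used in Method 2; it is an assumption to adjust for your own server.

```shell
#!/bin/sh
# Added example, not from the original posts: audit a Time Machine share for
# sparsebundles that grant group or other access. The Backups path is the one
# used in Method 2 and is only an assumption; change it for your server.
BACKUPS_DIR="/Volumes/TimeMachine/Shared Items/Backups"

# Print "<mode> <owner> <path>" for each *.sparsebundle directly under $1
# whose group/other permission bits are not all cleared. `ls -ld` is used
# instead of stat because the BSD and GNU stat format flags differ.
audit_bundle_perms() {
  dir="$1"
  for bundle in "$dir"/*.sparsebundle; do
    [ -d "$bundle" ] || continue
    line=$(ls -ld "$bundle")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    # Characters 5-10 of drwx------ are the group and other bits; the
    # trailing + or @ that OS X appends for ACLs/xattrs comes after them.
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
      printf '%s %s %s\n' "$mode" "$owner" "$bundle"
    fi
  done
  return 0
}

# Exit 0 when every bundle under $1 is locked down, 1 when at least one is not.
bundles_locked_down() {
  [ -z "$(audit_bundle_perms "$1")" ]
}

# Report anything that still needs `chmod 700` as in step 5.
audit_bundle_perms "$BACKUPS_DIR"
```

Run it on the server after copying each new bundle (sudo is needed if the share is owned by another account); any line it prints names a bundle that still needs the chown/chmod from steps 4 and 5. Note that it checks only the mode of the bundle itself, which is what gates access to the bands inside; the owner column is printed so you can also spot a bundle that ended up owned by the wrong client account.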

On our client, it really couldn't be simpler.

  1. Open up System Preferences > Time Machine
  2. Select the new backup destination by choosing your OS X Server's Time Machine backup share.
  3. Authenticate with the same user that we set as the sparsebundle's owner.

Once again, testing is key. Just enter Time Machine on the client to verify all is well.