Configure RADIUS on OS X Moutain Lion 10.8
/Apple’s OS X Server has always been capable of running as a RADIUS server for as long as I care to remember. The now defunct Server Admin was able to target Apple’s Airport Extreme and Time Capsule, enabling them to create WPA2/WPA Enterprise Wifi networks.
The underlying technology back then and still is freeRADIUS.
Today however, there are no more tools available other than Server app, which if your Apple base station is configured in a certain way, will show up in the sidebar of Server app. Setting up RADIUS is now a mere checkbox and requires an Apple base station if you want to enable RADIUS via a GUI.
Perhaps you don’t have an Apple base station and/or would like to set up RADIUS for another type of Wifi access point. Fear not there is hope! You just have to delve into command line to get things done.
This guide assumes you have OS X 10.8.3 installed with Server app, Open Directory configured and have a WPAx Enterprise capable Wifi access point with an IP address of 192.168.1.1
There are a few steps to complete.
- Add a Network Access Server (NAS)
- Configure certificates
- Configure Wifi Access Point
Add a Network Access Server (NAS)
Open up the Terminal app and enter a root shell by running sudo -s and entering your admin password.
Add your NAS device as follow. Note: After running the command you’ll be prompted enter a shared secret, ideally this should be a strong password.
radiusconfig -addclient 192.168.1.1 ZyXEL
You can double check that it was added correctly by running this:
radiusconfig -naslist
Configuring Certificates
For this exercise we will make use of a default SSL certificate that can be found in /etc/certificates, called Server Fallback SSL Certificate.
Installing the certificate is done by running radiusconfig -installcerts <private-key> <certificate> <trusted-ca>. Your certificates will have a different name. Just follow my example and replace certname in each of the three paths with your certificate's name in the command below.
radiusconfig -installcerts /etc/certificates/certname.key.pem /etc/certificates/certname.cert.pem /etc/certificates/certname.chain.pem
As we are using a certificates generated via Certificate Assistant, we need to make a tiny adjustment to the eap.conf file in /etc/raddb. To do this we use the following command.
radiusconfig -setconfig private_key_password Apple:UseCertAdmin
For interest sake, all this does is change the eap.conf file as per the before/after screenshot below.
At this point you server is ready to go, test it by running radiusd in debug mode:
radiusd -sfX
This will run your server in debug mode for testing purposes. If all is well, the last line will say “Ready to process requests.”
Configure Wifi Access Point
We still have to configure our Wifi access point though. How you do this will vary from device to device, I will just provide a guideline here of what it looks like on a ZyXEL router’s Wifi configuration.
Once completed, try connecting to your new WPAx Enterprise wifi network and look at the debug output of radiusd. You should see some output saying “Sending Access-Accept of id.....” That indicates that the client was accepted and is connected.
Hit Ctrl+C to stop the server.
Finally have radiusd launch persistently.
launchctl load -w /System/Library/LaunchDaemons/org.freeradius.radiusd.plist
Exit your root shell.
You now have a very basic RADIUS server running on OS X Mountain Lion!
In a follow up post I will detail a bit more about logging and the SACL that can be implemented on top of our existing RADIUS server.