
10.5: Enable full RADIUS support on OS X Server
OS X 10.5 Server comes with a RADIUS server, but on the surface it seems that Apple only ships support for wireless access stations. However, the foundation is a fully working FreeRADIUS server.

When trying to get the RADIUS server to work together with our Checkpoint firewall for VPN authentication, I found that the RADIUS server tries to authenticate the users against the /etc/passwd file. However, for authorization, it correctly queries OpenDirectory. I opened a support call with Apple, and I eventually received the following instructions to change the behavior.

Read on to see the response I received from Apple...

Here's what Apple told me... (robg adds: I have trimmed the email from Apple, and edited it a bit for easier reading, but I didn't modify any of the actual instructions):

Apple included RADIUS services in Leopard Server to supply support for our own access points (AirPort Express and Extreme). Apple may continue work to implement further functions and support, but at this stage, RADIUS in Leopard Server configures AirPort Base Stations. But, as you pointed out, under the hood Leopard's RADIUS service is really 'freeRADIUS.'

Regarding this error:
Tue Nov 20 15:02:19 2007 : Auth: rlm_opendirectory: User <****> is authorized.
Tue Nov 20 15:02:19 2007 : Auth: rlm_unix: [****]: invalid password
By default, the RADIUS process doesn't know how to deal with the request when it comes in, so the request falls through to the default authentication type of a Unix password file (System). In other words, it doesn't know to look in OpenDirectory for the MAC Address. To correct this, you need to change one line in /etc/raddb/users. At about line 153, you'll see this:
DEFAULT    Auth-Type = System
    Fall-Through = 1
Change this to:
DEFAULT    Auth-Type = opendirectory
    Fall-Through = 1
After making this change, you'll have to restart the RADIUS process; this should solve your issue. Furthermore, the logging pane may not show all the information that is needed to troubleshoot RADIUS issues. But as the service is based on freeRADIUS, there are more logs that can be started (and stopped). Specifically, the RADIUS process can log all authentication requests, along with whether the password was valid or invalid. To do this, type the following in Terminal on the server:
$ sudo radiusconfig -setconfig log_auth yes
$ sudo radiusconfig -setconfig log_auth_goodpass yes
$ sudo radiusconfig -setconfig log_auth_badpass yes
[robg adds: I haven't tested this one, not having a Server machine.]
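The two things Apple's instructions change by hand, the DEFAULT entry in /etc/raddb/users and the visibility of authentication failures in the log, can also be handled from a script. The following is an added example, not part of the hint or of Apple's email: it rewrites only the DEFAULT entry whose Auth-Type is System (keeping a .bak copy), reports the value before and after, and counts log records where rlm_opendirectory authorized a user but the password check then fell through to rlm_unix and failed, which is the symptom in the log excerpt above. File paths are passed as arguments so it can be tried on a copy first; the users file and log below are constructed samples.

```bash
#!/bin/sh
# Added example (not from the hint or Apple's email): switch the DEFAULT
# entry in a FreeRADIUS users file from the Unix password file to
# Open Directory, keeping a backup, and check a radiusd log for the
# fall-through symptom the hint describes. Paths are arguments so the
# functions can be run against a copy before touching /etc/raddb/users.

# Print the Auth-Type currently set on the first DEFAULT entry that has one.
default_auth_type() {
    awk '$1 == "DEFAULT" && /Auth-Type/ {
             sub(/.*Auth-Type[[:space:]]*=[[:space:]]*/, ""); print; exit
         }' "$1"
}

# Rewrite "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = opendirectory".
# The original is saved as <file>.bak; other DEFAULT entries are left alone.
set_default_opendirectory() {
    file="$1"
    cp "$file" "$file.bak"
    awk '$1 == "DEFAULT" && /Auth-Type[[:space:]]*=[[:space:]]*System/ {
             sub(/Auth-Type[[:space:]]*=[[:space:]]*System/, "Auth-Type = opendirectory")
         }
         { print }' "$file.bak" > "$file"
}

# Count request pairs in a radiusd log where rlm_opendirectory authorized the
# user but the very next Auth line is an rlm_unix "invalid password".
# A non-zero count means requests are still falling through to /etc/passwd.
count_unix_fallthrough() {
    awk '/rlm_opendirectory: User .* is authorized/ { auth = 1; next }
         auth && /rlm_unix: .*invalid password/ { n++ }
         { auth = 0 }
         END { print n + 0 }' "$1"
}

# ---- constructed sample data (not a real /etc/raddb/users or radius log) ----
sample_dir=$(mktemp -d)
cat > "$sample_dir/users" <<'EOF'
# constructed excerpt of a FreeRADIUS users file
steve   Cleartext-Password := "test"
        Reply-Message = "Hello, %u"

DEFAULT    Auth-Type = System
    Fall-Through = 1

DEFAULT    Service-Type == Framed-User
    Framed-Protocol = PPP
EOF
cat > "$sample_dir/radius.log" <<'EOF'
Tue Nov 20 15:02:19 2007 : Auth: rlm_opendirectory: User <alice> is authorized.
Tue Nov 20 15:02:19 2007 : Auth: rlm_unix: [alice]: invalid password
Tue Nov 20 15:03:01 2007 : Auth: rlm_opendirectory: User <bob> is authorized.
Tue Nov 20 15:03:01 2007 : Auth: Login OK: [bob] (from client airport port 0)
EOF

echo "DEFAULT Auth-Type before: $(default_auth_type "$sample_dir/users")"
set_default_opendirectory "$sample_dir/users"
echo "DEFAULT Auth-Type after:  $(default_auth_type "$sample_dir/users")"
echo "rlm_unix fall-throughs in log: $(count_unix_fallthrough "$sample_dir/radius.log")"
```

On a real server, run the same functions against /etc/raddb/users with sudo, restart RADIUS as the email says, and re-run count_unix_fallthrough on the live log after enabling log_auth_badpass: the count should stop growing once the DEFAULT entry points at opendirectory.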
10.5: Enable full RADIUS support on OS X Server
Authored by: ncudmore on Apr 18, '08 09:22:56AM

I've been testing this on OS X server 10.5.2...

You'll also need to update the clients.conf file (also found in /etc/raddb).

This stores the configuration of machines/devices that can access the radius server, otherwise you'll get errors such as

<date> : Error: Ignoring request from unknown client 192.168.1.111:1165

There are a few examples in there (single client, network, etc.), so you can just edit the text file and customize it before restarting the service.

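When a NAS is rejected with "Ignoring request from unknown client", the quickest check is to compare the rejected addresses against what clients.conf actually declares. The following is an added example, not part of the comment above: it extracts the distinct rejected source IPs from a radiusd log, reads the client addresses declared in a clients.conf (both the FreeRADIUS 1.x "client <ip> {" form and the "ipaddr = <ip>" form), and prints the rejected IPs that still have no entry. Network (CIDR) client entries are not expanded. The log and clients.conf below are constructed samples, and the secrets are placeholders.

```bash
#!/bin/sh
# Added example, not part of the comment above: list the NAS addresses that
# radiusd rejected as unknown clients and report those with no entry in a
# FreeRADIUS clients.conf. Paths are arguments so it can run on copies.

# Distinct IPs from "Ignoring request from unknown client A.B.C.D:port" lines.
unknown_client_ips() {
    sed -n 's/.*Ignoring request from unknown client \([0-9.][0-9.]*\):[0-9]*.*/\1/p' "$1" |
        sort -u
}

# Declared client addresses. Accepts "client 10.0.0.7 {" (FreeRADIUS 1.x style)
# and "ipaddr = 10.0.0.7" inside a named client block. CIDR entries such as
# "client 192.168.2.0/24 {" are not expanded here.
declared_client_ips() {
    awk '$1 == "client" && $2 ~ /^[0-9.]+$/ { print $2 }
         $1 == "ipaddr" && $2 == "="        { print $3 }' "$1" | sort -u
}

# Print each rejected IP that has no matching client entry, one per line.
# Empty output means every rejected NAS is now declared, so a remaining
# failure is something else (typically a shared-secret mismatch).
missing_clients() {
    log="$1"; conf="$2"
    for ip in $(unknown_client_ips "$log"); do
        if ! declared_client_ips "$conf" | grep -qx "$ip"; then
            echo "$ip"
        fi
    done
}

# ---- constructed sample data (not a real log or clients.conf) ----
sample_dir=$(mktemp -d)
cat > "$sample_dir/radius.log" <<'EOF'
Tue Nov 20 15:02:19 2007 : Error: Ignoring request from unknown client 192.168.1.111:1165
Tue Nov 20 15:02:20 2007 : Error: Ignoring request from unknown client 192.168.1.111:1166
Tue Nov 20 15:05:02 2007 : Error: Ignoring request from unknown client 10.0.0.7:1812
EOF
cat > "$sample_dir/clients.conf" <<'EOF'
# constructed excerpt; REPLACE_WITH_SHARED_SECRET is a placeholder
client 10.0.0.7 {
    secret    = REPLACE_WITH_SHARED_SECRET
    shortname = wlan-controller
}
client localhost {
    ipaddr    = 127.0.0.1
    secret    = REPLACE_WITH_SHARED_SECRET
}
EOF

echo "rejected NAS addresses:"
unknown_client_ips "$sample_dir/radius.log"
echo "still missing from clients.conf:"
missing_clients "$sample_dir/radius.log" "$sample_dir/clients.conf"
```

Each address the script prints needs its own client stanza (address, shared secret and, optionally, a shortname) before the service is restarted; after the restart, the same log should show no new "unknown client" lines for it.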
10.5: Enable full RADIUS support on OS X Server
Authored by: nick.welsh on Jun 11, '08 04:17:47AM

Thanks for this info. One question: how do I start the RADIUS service if I don't have an AirPort Base Station? I cannot finish the configuration GUI without a base station.

Nick W
10.5: Enable full RADIUS support on OS X Server
Authored by: kainewynd2 on Jun 11, '08 11:54:30AM

You're overthinking it...

Just don't use the Configuration Tool - click start instead.

This works on an Advanced setup anyway.
10.5: Enable full RADIUS support on OS X Server
Authored by: RmACK on Oct 28, '08 10:55:00PM
Same here, but I FOUND A SOLUTION!!!! I have spent hours searching the net, but finally poked around and found the bit of Server Admin that is that wizard. I will give the path, but obviously you have to do "Show Package Contents" several times if you do this through the Finder.
 Applications/Server/Server Admin.app/Contents/Resources/RoleBasedSetup.bundle/Contents/Plugins/RadiusPlugin/Contents/Resources/RadiusSteps.plist 
Double-click the plist and uncheck the Enabled value for Item 6, which has the identifier string Radius.AddBaseStations. Hit Save. Launch Server Admin. Now the RADIUS configure wizard will SKIP that nasty step where you have to have an AirPort to select from the list. Wow.

10.5: Enable full RADIUS support on OS X Server
Authored by: kainewynd2 on Jun 11, '08 11:55:40AM

Oh, you might be able to get away with: serveradmin start vpn
10.5: Enable full RADIUS support on OS X Server
Authored by: TvE on Sep 04, '08 11:19:42AM

Hmm - I am easily able to authenticate to my OD without the change mentioned in this hint...

10.5: Enable full RADIUS support on OS X Server
Authored by: mcnaugha on Jun 02, '09 05:43:39AM

If you set the RADIUS certificate correctly (it defaults to test certificates, which cannot be used) and then use the "Add..." button to add in third-party APs, then you can start the service. The service will not start while the certificates are the test ones because a 'dh' file is missing. The GUI shows "Custom Configuration..." when it's set to the test certificates.

When using the "Add..." button you need to specify an AP type. These are defined, and you must use the relevant one of the following: cisco, computone, livingston, max40xx, multitech, netserver, pathras, patton, portslave, tc, usrhiper, other. I was testing with Linksys APs and they worked with the 'cisco' type.

I didn't test this without changing the authent bit to opendirectory. So I can't confirm that it works without changing this. So I don't know if TvE is referring to this when using third-party APs. If TvE is just using AirPorts then the point of this hint has been missed.
10.5: Enable full RADIUS support on OS X Server
Authored by: jpwatson on Jul 20, '09 04:25:00PM
Labeling the AP type made a huge difference. I'm using a D-Link DAP-2553 and put in "dlink" which worked fine.

Also, if you're having issues with Windows boxes, check out this thread, specifically the post by vette4:

http://discussions.apple.com/thread.jspa?messageID=7861437
10.5: Enable full RADIUS support on OS X Server
Authored by: tkrauter on Sep 09, '09 07:41:23AM

We have been using RADIUS/Open Directory for our wireless for about a year. We have an Enterasys wireless controller with 20 access points and about 100 wireless users at a time and 1000 users in Open Directory. The Enterasys controller handles all the authentication, so the only address we have in the "Base Station" configuration is the address of the controller. We do not specify a "Type" at all.

It was fairly simple to generate a self-signed certificate using the Server Admin tool, then select the certificate in the Settings tab of RADIUS. We have had some minor issues and made some little tweaks to the config file to accommodate more users, but everything worked from the beginning.

All things mentioned in the article were already configured on our server. Maybe it was the sequence in which services were installed/started that made a difference.
10.5: Enable full RADIUS support on OS X Server
Authored by: chripa on Jun 07, '10 09:49:49AM

I've followed the instructions above and everything worked fine; also in the Server Admin application RADIUS indicated being running by the green dot.

BUT after installing the 10.5.8 Server Update, nothing works anymore :( I took a look at the altered file, but everything I've changed was the same...

I've tried out the Terminal command "radiusd -X", and there are a lot of errors about an "SQL Module". I'm really confused!

Does ANYBODY know a solution for this error?

Thanks in advance and best regards,
Chris