10.5: Enable full RADIUS support on OS X Server

Dec 13, '07 07:30:02AM

Contributed by: Anonymous

OS X 10.5 Server comes with a RADIUS server, but on the surface it seems that Apple only ships support for wireless access points. Under the hood, however, it is a fully working FreeRADIUS server.

When trying to get the Radius server to work together with our Checkpoint firewall for VPN authentication, I found that the Radius server tries to authenticate the users against the /etc/passwd file. However, for authorization, it correctly queries the OpenDirectory. I opened a support call with Apple, and I eventually received the following instructions to change the behavior.

Read on to see the response I received from Apple...

Here's what Apple told me... (robg adds: I have trimmed the email from Apple, and edited it a bit for easier reading, but I didn't modify any of the actual instructions):

Apple included RADIUS services in Leopard Server to support our own access points (AirPort Express and Extreme). Apple may continue work to implement further functions and support, but at this stage, RADIUS in Leopard Server configures AirPort Base Stations. But as you pointed out, under the hood Leopard's RADIUS service is really 'freeRADIUS.'

Regarding this error:

Tue Nov 20 15:02:19 2007 : Auth: rlm_opendirectory: User <****> is authorized.
Tue Nov 20 15:02:19 2007 : Auth: rlm_unix: [****]: invalid password

By default, the RADIUS process doesn't know how to deal with the request when it comes in, so the request falls through to the default authentication type of a Unix password file (System). In other words, it doesn't know to look in OpenDirectory for the MAC address. To correct this, you need to change one line in /etc/raddb/users. At about line 153, you'll see this:

DEFAULT    Auth-Type = System
    Fall-Through = 1

Change this to:

DEFAULT    Auth-Type = opendirectory
    Fall-Through = 1

After making this change, you'll have to restart the RADIUS process; this should solve your issue.

Furthermore, the logging pane may not show all the information that is needed to troubleshoot RADIUS issues. But as the service is based on freeRADIUS, there are more logs that can be started (and stopped). Specifically, the RADIUS process can log all authentication requests, along with a valid password or invalid password. To do this, type the following in terminal from the server:

$ sudo radiusconfig -setconfig log_auth yes
$ sudo radiusconfig -setconfig log_auth_goodpass yes
$ sudo radiusconfig -setconfig log_auth_badpass yes

[robg adds: I haven't tested this one, not having a Server machine.]
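The following script is an added example for this hint; it is not code from the hint's author or from Apple's reply. It wraps the two halves of the procedure above: a check that scans a FreeRADIUS log for the symptom Apple describes (a user authorized by rlm_opendirectory and then rejected by rlm_unix, which is what the DEFAULT entry falling through to Auth-Type = System looks like), and an idempotent edit of the DEFAULT entry in a users file from System to opendirectory that keeps a backup copy. It assumes the log and users-file layouts quoted in the reply, with the redacted <****> and [****] fields holding the username; the sample log lines and users file it writes are constructed for the example. Restarting the RADIUS process afterwards is still a manual step.

```shell
#!/bin/sh
# Added example (not from the hint or Apple's reply). Assumes the log line and
# /etc/raddb/users layouts quoted above; <****> / [****] are the username.

set -e

# Print each user that rlm_opendirectory authorized but rlm_unix then rejected:
# the signature of DEFAULT Auth-Type = System. "[]]" is a bracket expression
# matching a literal "]" (portable across awk implementations).
symptom_users() {
    awk '
        /rlm_opendirectory: User <[^>]*> is authorized/ {
            u = $0; sub(/.*User </, "", u); sub(/>.*/, "", u); ok[u] = 1
        }
        /rlm_unix: \[[^]]*[]]: invalid password/ {
            u = $0; sub(/.*rlm_unix: \[/, "", u); sub(/[]].*/, "", u)
            if (u in ok) { print u; delete ok[u] }
        }' "$1"
}

# Print the Auth-Type on the DEFAULT entry of a users file (tabs or spaces).
default_auth_type() {
    awk '/^DEFAULT[[:space:]]+Auth-Type[[:space:]]*=/ {
            sub(/.*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Rewrite "DEFAULT  Auth-Type = System" to opendirectory, keeping a .bak copy.
# Prints "changed" or "already opendirectory"; every other line is untouched.
set_default_auth_type_opendirectory() {
    f="$1"
    if [ "$(default_auth_type "$f")" = "opendirectory" ]; then
        echo "already opendirectory"
        return 0
    fi
    cp "$f" "$f.bak"      # plain cp: 'sed -i' differs between BSD and GNU sed
    sed 's/^\(DEFAULT[[:space:]]*Auth-Type[[:space:]]*=[[:space:]]*\)System[[:space:]]*$/\1opendirectory/' \
        "$f.bak" > "$f"
    echo "changed"
}

# Constructed sample inputs for trying the helpers offline (not real data).
write_sample_log() {
    cat > "$1" <<'EOF'
Tue Nov 20 15:02:19 2007 : Auth: rlm_opendirectory: User <alice> is authorized.
Tue Nov 20 15:02:19 2007 : Auth: rlm_unix: [alice]: invalid password
Tue Nov 20 15:03:01 2007 : Auth: rlm_opendirectory: User <bob> is authorized.
EOF
}

write_sample_users() {
    cat > "$1" <<'EOF'
# constructed sample users file
guest    Auth-Type = Reject
DEFAULT    Auth-Type = System
    Fall-Through = 1
EOF
}

# On a real server (as root), the calls would be:
#   symptom_users <path to the RADIUS auth log>
#   set_default_auth_type_opendirectory /etc/raddb/users
# and then restart the RADIUS process as described above.
```

Run the users-file edit on a copy first and diff it against the original; the sed pattern only touches a line that begins with DEFAULT and ends with Auth-Type = System, so per-user entries (such as the constructed "guest" line) and the Fall-Through line are left as they are.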

Mac OS X Hints
http://hints.macworld.com/article.php?story=20071130134610850