Using Mac OS X Server RADIUS for Cisco AAA

Posted: October 4th, 2009 | Author: | Filed under: Mac OS X Server | 2 Comments »

Has this ever happened to you? You’re sitting there, minding your own business, when the man comes down on you and says: “we need a VPN solution that ties into our directory system, and don’t even think about giving me anything less than proprietary!” Damn! I hate it when that happens. So I look around and think: I know, Cisco is a big PITA proprietary company, I’ll use one of their solutions.

The hardware is installed, everything works with the test accounts, and all that’s left is to tie it into the directory service. Uh oh… it appears Apple has made its RADIUS implementation about as useful as an ice cube in hell: the service Server Admin exposes is FreeRADIUS, but it is set up only to serve Apple’s own AirPort base stations. Fear not, for we can finish what Apple did half-assed. We’re going to extend the built-in RADIUS service so that it authenticates Open Directory users and plugs straight into Cisco’s AAA.

First, know that if you have not yet assigned a standard SSL certificate to your Mac as the default, or if you’ve disabled the built-in one, you will need to disable a module. The EAP module (PEAP, TTLS and EAP-TLS) needs a server certificate to initialise, and radiusd will refuse to start without one. Navigate to /etc/raddb/ and open the file labelled radiusd.conf, then comment out every line beginning with eap. Be aware of what this costs you: with EAP out of the picture the Cisco sends the user’s password as RADIUS PAP, which is hidden only by an MD5 construction keyed with the shared secret, so pick a long random secret and keep the RADIUS traffic on a management network rather than the open LAN.

Next, open users and change

DEFAULT Auth-Type = System
	Fall-Through = 1

to look like:

DEFAULT Auth-Type = opendirectory
	Fall-Through = 1

The continuation line must be indented, or FreeRADIUS reads it as a new entry. Auth-Type System goes through the Unix password files, which is why it gets you nowhere with network accounts; opendirectory hands the request to the rlm_opendirectory module Apple ships with its FreeRADIUS build, which checks the username and password against Open Directory. Fall-Through = 1 lets any later entries in the file still apply.

Save and exit, then fire up radiusd on the command line in debug mode so you can see if any errors arise:

radiusd -X

If you get something like:

Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.

then you’re good to go. Note that your ports may be different from the ones listed here: 1645/1646 are the legacy RADIUS ports and 1812/1813 are the IANA-assigned ones; whichever pair radiusd reports, the Cisco must be told the same pair. When radiusd.conf has port = 0 the daemon takes its ports from the radius and radacct entries in /etc/services, which is where you can change them. Leave this debug instance running while you configure the router: every request, and the reason for every Reject, scrolls past in this window.

Now open clients.conf and add a client entry for the device you’re setting up: its IP address, a short name and the shared secret. FreeRADIUS keys the entry on the source address, so a request from any address without an entry is silently dropped, which from the Cisco side looks exactly like a dead server. Use a long random secret; it is the only thing that authenticates the router to radiusd and the only thing protecting the passwords in transit. Then SSH into your Cisco box and enter the following:


conf t
(enter global configuration mode)
radius-server host <server-address> auth-port 1645 acct-port 1646
(the Mac’s address; make sure you use the port numbers radiusd reported)
radius-server key <shared-secret>
(the same secret you put in clients.conf)
aaa new-model
(enable the AAA subsystem; the authentication lists below are only available once this is on)
aaa authentication login vpn group radius
(a named login list called vpn that asks the RADIUS group)

You need to understand at this point that the above configuration only defines a login list for VPN logins, and that you’ll need to understand how AAA works in order to plug this into your particular setup. For example, to hook this authentication into your crypto map, where the list name was vpn, you could use:

crypto map VPN client authentication list vpn
crypto map VPN isakmp authorization list vpn

The first line is the XAUTH user login and uses the vpn login list defined above. The second refers to a separate aaa authorization network list of the same name (the group policy lookup for the client), which the commands above do not define; you will need an aaa authorization network vpn entry as well, pointing at RADIUS or at a locally configured group, or IOS will have nothing to consult.

Or, if you wanted to use RADIUS for SSH access to your Cisco box, you could use a list named default such as:

aaa authentication login default group radius local

This tells AAA to check the RADIUS server but fall back to local authentication if RADIUS does not respond. Note the wording: the fallback only triggers when no server answers; an Access-Reject from RADIUS is final and the local database is never consulted. Because the default list applies to every line, console included, define a local username with privilege 15 before you rely on it and keep your current session open until you have confirmed a fresh SSH login works.

Finally we’re going to test all of this with the test command. Get out of conf t by typing exit and try the following, substituting a real account:

test aaa group radius <username> <password> legacy

If it returns “User was successfully authenticated.” you’re in business. If it says the user was rejected, the RADIUS path is fine and the credentials or the Open Directory lookup are not; the radiusd -X window shows which. If it gets no response at all, the usual causes are a port mismatch, the router’s address missing from clients.conf (radiusd -X then reports the request as coming from an unknown client and drops it) or a shared secret that differs between the two ends, which makes the Cisco discard the reply as unauthentic.
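The test aaa command performs the same exchange as any other RADIUS client, and when it fails it helps to take the Cisco out of the picture and send the request yourself from a workstation. What follows is an added example, not code from the original post or from Apple or Cisco: a minimal RADIUS PAP client in Python that builds an Access-Request (hiding the password the way RFC 2865 prescribes), sends it over UDP, and verifies the Response Authenticator before trusting the answer, so a shared-secret mismatch is reported as such rather than mistaken for a clean Reject. The server address 127.0.0.1, port 1645, secret testing123 and the jdoe account are placeholders; run it from a host whose address has a client entry in clients.conf and substitute your own values.

```python
"""Minimal RADIUS PAP client (added example; not from the original post).

Builds an Access-Request the way a NAS such as a Cisco router does, sends it
to radiusd over UDP and checks the Response Authenticator before believing
the answer. Server, port, secret and account at the bottom are assumed values.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This is obfuscation keyed by the shared secret, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what radiusd does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip="127.0.0.1", authenticator=None):
    """Return (packet, request_authenticator); a random authenticator is used
    unless one is supplied (supplying one keeps tests deterministic)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_PORT, struct.pack("!I", 0)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side of the exchange. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret, ident):
    """Validate a reply and return its code. A reply computed with a different
    secret, or not belonging to our request, raises instead of reading as a Reject."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet) or reply_id != ident:
        raise ValueError("length or identifier does not match our request")
    packet = packet[:length]  # octets beyond Length are padding, ignored by RFC 2865
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch or spoofed reply")
    return code


def radius_pap_auth(server, port, secret, username, password, timeout=3.0):
    """Send one Access-Request and classify the outcome."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no response: wrong port, or this host is not in clients.conf"
    code = verify_response(reply, req_auth, secret, ident)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code %d" % code)


if __name__ == "__main__":
    # Assumed values: match them to clients.conf and the port radiusd -X reported.
    print(radius_pap_auth("127.0.0.1", 1645, b"testing123", "jdoe", "s3cret"))
```

Run it alongside radiusd -X and read both ends together: an "accept" or "reject" here means the Mac side is sound and any remaining trouble is in the IOS configuration, while a ValueError about the Response Authenticator means the secret in clients.conf is not the one you typed.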

Happy hunting.


2 Comments on “Using Mac OS X Server RADIUS for Cisco AAA”

  1. chris said at 9:33 am on June 7th, 2010:

    Thank you for this great tutorial, it used to work really fine!

    BUT after installing the 10.5.8 Server Update and running “radiusd -X”, I get many errors about the SQL module. (It’s a really long error list)

    Does ANYBODY know why this error happens after the System Update?

    Regards,
    Chris

  2. jordan said at 8:55 am on June 8th, 2010:

    Chris,

    Can you send me your error output? The problem is too vague without it.

    Jordan
