Posted: April 7th, 2013 | Author: jordan | Filed under: Uncategorized | No Comments »
Great article on Apple’s support page outlining how to migrate the wiki service from 10.7 Lion Server to 10.8 Mountain Lion Server, aka OSX Server 2.2
http://support.apple.com/kb/HT5697
Posted: April 1st, 2013 | Author: jordan | Filed under: Mac OS X, Mac OS X Server, RADIUS, UPS | No Comments »
This is a follow-up to my previous post on Cisco AAA VPN and RADIUS on Mac OS X Server 10.8 (Mountain Lion).
To get the APC talking to our OS X box we first need to register the APC as a RADIUS client so it can communicate with RADIUS over IP. On your Mac OS X server running RADIUS, run the following command:
radiusconfig -addclient <APC-IP> <short-name> other
You'll be asked to enter a key (the shared secret); keep it, as you'll need it later when configuring the APC. You can man this command to get more details.
Then add the following APC vendor attributes and values to the RADIUS dictionary, /etc/raddb/dictionary:
VENDOR APC 318
BEGIN-VENDOR APC
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
ATTRIBUTE APC-Perms 3 string
ATTRIBUTE APC-Username 4 string
ATTRIBUTE APC-Contact 5 string
ATTRIBUTE APC-ACCPX-Doors 6 string
ATTRIBUTE APC-ACCPX-Status 7 string
ATTRIBUTE APC-ACCPX-Access1 8 string
ATTRIBUTE APC-ACCPX-Access2 9 string
ATTRIBUTE APC-ACCPX-Access3 10 string
ATTRIBUTE APC-ACCPX-Access4 11 string
ATTRIBUTE APC-ACCPX-Access5 12 string
ATTRIBUTE APC-ACCPX-Access6 13 string
ATTRIBUTE APC-ACCPX-Access7 14 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5
END-VENDOR APC
By default, RADIUS authenticates APC users as ReadOnly, but I want a particular user to have administrative access. To do this we need to configure RADIUS to send the Admin service-type value back to the APC for the user we specify. If our RADIUS server is running on an OD master or replica, add the following to /etc/raddb/users:
<username> Auth-Type = opendirectory
	APC-Service-Type = Admin
Note that the APC-Service-Type line must be indented with a tab.
If the RADIUS server is running on an OD client, use System as the Auth-Type instead in /etc/raddb/users:
<username> Auth-Type = System
	APC-Service-Type = Admin
Now edit /etc/raddb/sites-enabled/default: around line 309, in the authenticate stanza, change the line marked unix to:
#unix
Auth-Type unix {
opendirectory
}
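The server-side steps above (the dictionary block, the users-file entry with its tab caveat, and the authenticate stanza edit) are easy to get subtly wrong by hand, so here is an added example, not code from the original post, of shell helpers that apply and verify them against files you name. Running them on copies of the /etc/raddb files before touching the real ones is the intent; the function names are this example's own, while the dictionary contents and file layouts are exactly the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that apply the
# server-side steps above to files given as arguments, so they can be
# tried on copies before touching /etc/raddb. Function names are this
# example's own; the dictionary block and users-file layout are the post's.

# Emit the APC vendor dictionary block exactly as listed in the post.
apc_dictionary_block() {
    cat <<'EOF'
VENDOR APC 318
BEGIN-VENDOR APC
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
ATTRIBUTE APC-Perms 3 string
ATTRIBUTE APC-Username 4 string
ATTRIBUTE APC-Contact 5 string
ATTRIBUTE APC-ACCPX-Doors 6 string
ATTRIBUTE APC-ACCPX-Status 7 string
ATTRIBUTE APC-ACCPX-Access1 8 string
ATTRIBUTE APC-ACCPX-Access2 9 string
ATTRIBUTE APC-ACCPX-Access3 10 string
ATTRIBUTE APC-ACCPX-Access4 11 string
ATTRIBUTE APC-ACCPX-Access5 12 string
ATTRIBUTE APC-ACCPX-Access6 13 string
ATTRIBUTE APC-ACCPX-Access7 14 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5
END-VENDOR APC
EOF
}

# Append the block to a dictionary file only if vendor 318 is not already
# defined there, so re-running never duplicates the entries.
install_apc_dictionary() {
    dict="$1"
    if grep -q '^VENDOR[[:space:]][[:space:]]*APC[[:space:]][[:space:]]*318' "$dict" 2>/dev/null; then
        echo "APC vendor already present in $dict" >&2
        return 0
    fi
    apc_dictionary_block >> "$dict"
}

# Print a users-file entry granting APC admin. The reply line must begin
# with a tab (the caveat in the post); printf '\t' guarantees that whatever
# the editor does. auth_type is opendirectory on an OD master or replica,
# System on an OD client.
apc_users_entry() {
    printf '%s Auth-Type = %s\n\tAPC-Service-Type = Admin\n' "$1" "$2"
}

# Return 1 if any APC-Service-Type reply line in a users file is not
# tab-indented, naming the offending line number on stderr.
check_users_tabs() {
    tab=$(printf '\t')
    bad=$(grep -n 'APC-Service-Type' "$1" | grep -v "^[0-9]*:${tab}" || true)
    if [ -n "$bad" ]; then
        echo "not tab-indented in $1: $bad" >&2
        return 1
    fi
    return 0
}

# Confirm that sites-enabled/default carries the edited stanza: an
# "Auth-Type unix { ... }" block that calls opendirectory.
check_site_unix_od() {
    awk '
        /^[[:space:]]*Auth-Type[[:space:]]+unix[[:space:]]*[{]/ { inblock = 1; next }
        inblock && /^[[:space:]]*[}]/                          { inblock = 0 }
        inblock && /^[[:space:]]*opendirectory[[:space:]]*$/   { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Usage on the server, after backing up /etc/raddb:
#   install_apc_dictionary /etc/raddb/dictionary
#   apc_users_entry <username> opendirectory >> /etc/raddb/users
#   check_users_tabs /etc/raddb/users
#   check_site_unix_od /etc/raddb/sites-enabled/default
```

Source the file and run the checks before restarting the daemon; a failed check_users_tabs or check_site_unix_od is the usual reason the APC test later reports ReadOnly instead of Administrator, or no RADIUS answer at all.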
Now restart the RADIUS daemon and log in to your APC. Under Security, Remote Users, RADIUS you'll find the place to enter your OS X Server IP and the key we made earlier, and to test the authentication. Make sure the test passes, and that the user you configured earlier authenticates as Administrator, before proceeding.
If you got to this point and the APC says it cannot contact RADIUS, make sure the RADIUS daemon isn't crashing on your server. Run
tail -f /var/log/radius/radius.log
to see what's going on.
The final step is to click Authenticate in the APC UI and set it to "RADIUS, then Local Authentication".