Authenticate APC Smart-UPS against RADIUS on Mac OS X Server 10.8 Mountain Lion

Posted: April 1st, 2013 | Filed under: Mac OS X, Mac OS X Server, RADIUS, UPS

This is a follow-up to my previous post on Cisco AAA VPN and RADIUS on Mac OS X Server 10.8 – Mountain Lion.

To get the APC talking to our OS X box, we first need to allow the APC to communicate with RADIUS over IP. On your Mac OS X Server running RADIUS, run the following command:

radiusconfig -addclient <APC-IP> <short-name> other

You’ll be asked to input a key (the RADIUS shared secret); you’ll need this later on. Run man radiusconfig for more details.

Then add the following APC vendor attributes and values to the RADIUS dictionary, /etc/raddb/dictionary:

VENDOR APC 318

BEGIN-VENDOR APC

ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
ATTRIBUTE APC-Perms 3 string
ATTRIBUTE APC-Username 4 string
ATTRIBUTE APC-Contact 5 string
ATTRIBUTE APC-ACCPX-Doors 6 string
ATTRIBUTE APC-ACCPX-Status 7 string
ATTRIBUTE APC-ACCPX-Access1 8 string
ATTRIBUTE APC-ACCPX-Access2 9 string
ATTRIBUTE APC-ACCPX-Access3 10 string
ATTRIBUTE APC-ACCPX-Access4 11 string
ATTRIBUTE APC-ACCPX-Access5 12 string
ATTRIBUTE APC-ACCPX-Access6 13 string
ATTRIBUTE APC-ACCPX-Access7 14 string

VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5

END-VENDOR APC

By default, RADIUS will authenticate APC users as ReadOnly; however, I want a particular user to have administrative access. To do this we need to configure RADIUS to send the APC-Service-Type = Admin reply attribute back to the APC for the user we specify. If our RADIUS server is running on an OD master or replica, we add the following to the users file:

/etc/raddb/users

<username> Auth-Type = opendirectory
	APC-Service-Type = Admin

Please note that you’ll need a tab indentation before APC-Service-Type.

If the RADIUS server is running on an OD client then:

/etc/raddb/users

<username> Auth-Type = System
	APC-Service-Type = Admin
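
As an added example (not from the original post), the Python below parses the dictionary entries we just added, shows exactly what the APC-Service-Type = Admin reply item from the users file looks like on the wire as an RFC 2865 Vendor-Specific attribute for vendor 318, and decodes a reply back into names. The Reply-Message attribute and the "1,3" outlet string used in the test are constructed sample inputs.

```python
import struct
# APC dictionary lines from the post (vendor 318), embedded so this runs offline.
APC_DICTIONARY = """
VENDOR APC 318
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5
"""

def parse_dictionary(text):
    """Return (vendor_id, {name: (type, kind)}, {name: {value_name: code}})."""
    vendor_id, attrs, values = None, {}, {}
    for key, *rest in (l.split() for l in text.splitlines() if l.strip()):
        if key == "VENDOR":
            vendor_id = int(rest[1])
        elif key == "ATTRIBUTE":
            attrs[rest[0]] = (int(rest[1]), rest[2])
        elif key == "VALUE":
            values.setdefault(rest[0], {})[rest[1]] = int(rest[2])
    return vendor_id, attrs, values

def encode_vsa(dictionary, name, value):
    """Encode 'name = value' as the Vendor-Specific (type 26) TLV FreeRADIUS sends."""
    vendor_id, attrs, values = dictionary
    vtype, kind = attrs[name]
    payload = struct.pack("!I", values[name][value]) if kind == "integer" else value.encode()
    inner = struct.pack("!BB", vtype, 2 + len(payload)) + payload  # vendor type, vendor length
    return struct.pack("!BBI", 26, 6 + len(inner), vendor_id) + inner  # type 26, length, vendor ID

def decode_attributes(data, dictionary):
    """Walk a RADIUS attribute list; name APC VSAs and leave other attributes raw."""
    vendor_id, attrs, values = dictionary
    by_type = {t: (n, k) for n, (t, k) in attrs.items()}
    out = []
    while data:
        atype, alen = data[0], data[1]
        body, data = data[2:alen], data[alen:]
        if atype == 26 and struct.unpack("!I", body[:4])[0] == vendor_id:
            name, kind = by_type[body[4]]
            raw = body[6:4 + body[5]]  # vendor length covers its own type/length bytes
            val = struct.unpack("!I", raw)[0] if kind == "integer" else raw.decode()
            names = {v: k for k, v in values.get(name, {}).items()}  # code -> value name
            out.append((name, names.get(val, val)))
        else:
            out.append((atype, body))  # standard or foreign-vendor attribute: keep raw
    return out
```

Without the dictionary entries, the same bytes would show up in radiusd debug output only as an opaque Vendor-Specific blob for vendor 318, which is why the dictionary step matters before editing the users file.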

Now edit /etc/raddb/sites-enabled/default and, around line 309 in the authenticate stanza, change the line marked unix to:

#unix
Auth-Type unix {
	opendirectory
}

Now restart the RADIUS daemon and log in to your APC. Under Security, Remote-Users, RADIUS you’ll find the place to enter your OS X Server IP and the key we made earlier, and to test the authentication. Make sure this passes before proceeding, and that the user you configured earlier authenticates as Administrator.

If you get to this point and the APC says it cannot contact RADIUS, make sure the RADIUS daemon isn’t crashing on your server. Run tail -f /var/log/radius/radius.log to see what’s going on.

The final step is to click Authenticate in the APC UI and set it to RADIUS, then Local Authentication.
