Restrict RADIUS usage in Server 5.x

Posted: February 29th, 2016 | Filed under: Uncategorized

This is a follow-up post to my previous article about how to set up RADIUS on Server 5.x.

In my Open Directory user list I have a user called scanner with a password of, you guessed it, scanner. Now I know this isn't the most secure thing ever, but the user only has very limited access. Recently I wanted to implement RADIUS so that the VPN concentrator could authenticate against Open Directory, but I certainly don't want the scanner user to be able to authenticate. Previously I would fire up Workgroup Manager and build a service access control list (SACL). However, with WGM now gone I have to do it on the command line. After some hacking I figured it out.

First, you’ll need to make a group in OD called VPN and put the users you would like to have VPN access in it. Then whip open a terminal and get the GUID of that group.

dscl localhost read /LDAPv3/

You're looking for the "GeneratedUID" value; record it somewhere. Next, edit the following script and put your GeneratedUID into the line where it says NestedGroups:

dscl localhost create /Local/Default/Groups/
dscl localhost create /Local/Default/Groups/ RealName
dscl localhost create /Local/Default/Groups/ passwd "*"
dscl localhost create /Local/Default/Groups/ gid 260
dscl localhost create /Local/Default/Groups/ NestedGroups PASTE_GUID_HERE

Then restart RADIUS with a serveradmin stop/start radius and you should be good to go!
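Once the SACL is in place, it is worth confirming offline which accounts it actually admits. The script below is an added example, not part of the original post: it resolves the local SACL group's NestedGroups through the Open Directory groups the way the service does (nested groups included, cycles tolerated) and answers "is this user allowed?". It assumes the SACL group is named com.apple.access_radius (the post leaves the name out) and uses constructed `dscl -plist` output and made-up GUIDs instead of querying a real server.

```python
import plistlib

NESTED = "dsAttrTypeStandard:NestedGroups"
MEMBERS = "dsAttrTypeStandard:GroupMembership"

# Constructed stand-in for `dscl -plist localhost read /Local/Default/Groups/com.apple.access_radius`
# (the SACL group name is an assumption; the post leaves it out). All GUID values are made up.
SACL_PLIST = b"""<plist version="1.0"><dict>
<key>dsAttrTypeStandard:GroupMembership</key><array></array>
<key>dsAttrTypeStandard:NestedGroups</key>
<array><string>0F1E2D3C-0001-4000-8000-000000000001</string></array>
</dict></plist>"""

# Constructed stand-ins for the Open Directory group records, keyed by GeneratedUID.
# VPN nests an "admins" group, and admins nests VPN back, to exercise cycle handling.
OD_GROUPS = {
    "0F1E2D3C-0001-4000-8000-000000000001": {  # VPN
        MEMBERS: ["alice", "bob"], NESTED: ["0F1E2D3C-0002-4000-8000-000000000002"]},
    "0F1E2D3C-0002-4000-8000-000000000002": {  # admins
        MEMBERS: ["carol"], NESTED: ["0F1E2D3C-0001-4000-8000-000000000001"]},
    "0F1E2D3C-0003-4000-8000-000000000003": {  # devices, where scanner lives
        MEMBERS: ["scanner"], NESTED: []},
}

def effective_members(group, groups_by_guid, seen=None):
    """Direct members plus members of every nested group, resolved recursively and cycle-safe."""
    seen = set() if seen is None else seen
    members = set(group.get(MEMBERS, []))
    for guid in group.get(NESTED, []):
        if guid in seen:
            continue
        seen.add(guid)
        nested = groups_by_guid.get(guid)
        if nested is None:  # a mistyped GUID resolves to nothing, so it admits nobody
            continue
        members |= effective_members(nested, groups_by_guid, seen)
    return members

def radius_allowed(user, sacl_plist=SACL_PLIST, groups_by_guid=OD_GROUPS):
    """Decide whether `user` passes the RADIUS SACL, roughly what
    `dsmemberutil checkmembership -U <user> -G com.apple.access_radius` reports on the server."""
    if sacl_plist is None:  # no SACL group record at all means the service is open to every account
        return True
    sacl = plistlib.loads(sacl_plist)
    return user in effective_members(sacl, groups_by_guid)

if __name__ == "__main__":
    for name in ("alice", "carol", "scanner"):
        print(f"{name}: {'allowed' if radius_allowed(name) else 'denied'}")
```

On the server itself the equivalent live check is `dsmemberutil checkmembership -U scanner -G com.apple.access_radius`, which should report that scanner is not a member.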
