Posted: February 15th, 2016 | Author: jordan | Filed under: Open Directory, RADIUS, SSL | 2 Comments »
Quite simple to set up. First paste in the following commands.
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
Now install an SSL cert/key pair for your host. The built-in ones are found in /etc/certificates, or, if you followed my previous article about becoming a certificate authority, you already have the certs on hand.
radiusconfig -installcerts /path/to/key /path/to/cert
Now… if you didn’t make your own CA and you’re using the built-in Apple Server certs then you’ll have to do some extra magicary. First run ls /etc/certificates and note the key, cert, and chain files for your host.
radiusconfig -installcerts /path/to/key.pem /path/to/cert.pem /path/to/chain.pem
radiusconfig -setcertpassword
Apple:UseCertAdmin
The last line (typed at the password prompt) is the ‘magic’ that I spoke of earlier.
Finally add some clients (the IP of the device that will talk to RADIUS, a nickname for it, and the type other; you’ll be prompted for the shared key):
radiusconfig -addclient <IP> <short-name> other
Then start the radius server
serveradmin start radius
When I did this recently I didn’t have a way to test the server so I installed the FreeRADIUS server via brew.
brew install freeradius-server
And then tested the server by using radtest
The binary can be found in the following directory /usr/local/Cellar/freeradius-server/3.0.9/bin
The syntax of the command is as follows:
radtest username password radius-server[:port] nas-port-number secret
Here’s an example:
radtest username password 192.168.1.1 10 secret
An Access-Accept is a passing grade!
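The radtest exchange above, as an added example that is not part of the post or of FreeRADIUS: a standard-library Python client that builds a PAP Access-Request (RFC 2865), hides the password the way the protocol requires, and verifies the Response Authenticator on whatever comes back, so a wrong shared secret is reported as an unauthenticated reply rather than mistaken for a reject. The server address, secret and NAS-Port are whatever you pass in; RADIUS_PORT defaulting to 1812 is an assumption, so pass the port your radiusd actually binds.

```python
"""Added example: a minimal radtest-style RADIUS PAP client (RFC 2865), standard library only.

Not the post's code and not FreeRADIUS code. RADIUS_PORT is an assumption; Apple's radiusd
may be listening on 1645 instead, so pass port= to match your server.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5
RADIUS_PORT = 1812  # assumption, see module docstring


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """The server side of hide_password; the zero padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    """Type | Length | Value, Length covering the two header octets."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_port, req_auth=None):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a server sends back: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a wrong secret or a forged reply fails here."""
    if len(resp) < 20:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    if length < 20 or length > len(resp):
        return False
    resp = resp[:length]  # octets beyond Length are padding and are ignored
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])


def radtest(username, password, server, secret, nas_port=10, port=RADIUS_PORT, timeout=3.0):
    """Send one Access-Request; return 'Access-Accept', 'Access-Reject', 'timeout' or 'unauthenticated reply'."""
    secret = secret.encode()
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, username, password, secret, nas_port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"  # wrong port, client not added with radiusconfig -addclient, or daemon down
    if resp[1] != ident or not response_is_authentic(resp, req_auth, secret):
        return "unauthenticated reply"  # almost always a shared-secret mismatch
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(resp[0], "code %d" % resp[0])


if __name__ == "__main__":  # usage: radtest.py username password 192.168.1.1 10 secret
    user, pw, host, nas, key = sys.argv[1:6]
    print(radtest(user, pw, host, key, nas_port=int(nas)))
```

A timeout and an unauthenticated reply are worth telling apart: FreeRADIUS silently drops requests from an address it has no client entry for, which looks like a timeout, whereas a wrong secret produces a reply whose authenticator does not verify.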
Posted: April 1st, 2013 | Author: jordan | Filed under: Mac OS X, Mac OS X Server, RADIUS, UPS | No Comments »
This is a follow-up to my previous post on Cisco AAA VPN and RADIUS on Mac OS X Server 10.8 – Mountain Lion.
To get the APC talking with our OS X box we need to first allow the APC to communicate with RADIUS over IP. On your Mac OS X server with RADIUS run the following command.
radiusconfig -addclient <APC-IP> <short-name> other
You’ll be asked to input a key; you’ll need this later on. Run man radiusconfig to get more details.
Then add the following APC attributes and values to the RADIUS dictionary /etc/raddb/dictionary
VENDOR APC 318
BEGIN-VENDOR APC
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
ATTRIBUTE APC-Perms 3 string
ATTRIBUTE APC-Username 4 string
ATTRIBUTE APC-Contact 5 string
ATTRIBUTE APC-ACCPX-Doors 6 string
ATTRIBUTE APC-ACCPX-Status 7 string
ATTRIBUTE APC-ACCPX-Access1 8 string
ATTRIBUTE APC-ACCPX-Access2 9 string
ATTRIBUTE APC-ACCPX-Access3 10 string
ATTRIBUTE APC-ACCPX-Access4 11 string
ATTRIBUTE APC-ACCPX-Access5 12 string
ATTRIBUTE APC-ACCPX-Access6 13 string
ATTRIBUTE APC-ACCPX-Access7 14 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5
END-VENDOR APC
By default, RADIUS will authenticate APC users as ReadOnly, however I want a particular user to have administrative access. To do this we’ll need to configure RADIUS to send the admin access value back to the APC for the user we specify. We do the following if our RADIUS server is running on an OD master or replica.
/etc/raddb/users
<username> Auth-Type = opendirectory
	APC-Service-Type = Admin
Please note that you’ll need a tab indentation before APC-Service-Type
If the RADIUS server is running on an OD client then:
/etc/raddb/users
<username> Auth-Type = System
	APC-Service-Type = Admin
And now edit /etc/raddb/sites-enabled/default and, around line 309 in the Authenticate stanza, change the line marked unix to:
#unix
Auth-Type unix {
opendirectory
}
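What the dictionary block and the users entry above actually produce on the wire, as an added example that is not part of the post or of FreeRADIUS: a small parser for the FreeRADIUS dictionary syntax (VENDOR, BEGIN-VENDOR, ATTRIBUTE, VALUE, END-VENDOR) and an encoder/decoder for Vendor-Specific attributes per RFC 2865 section 5.26. The embedded dictionary text is the APC block from this post; nothing else is assumed. Decoding a captured Access-Accept with it lets you confirm the APC is really being handed APC-Service-Type = Admin rather than the ReadOnly default.

```python
"""Added example: parse a FreeRADIUS vendor dictionary and encode/decode Vendor-Specific
attributes (RFC 2865 5.26). Not the post's code and not FreeRADIUS code; the dictionary text
below is the APC block from the post, embedded so this runs stand-alone.
"""
import struct

VENDOR_SPECIFIC = 26

APC_DICTIONARY = """\
VENDOR APC 318
BEGIN-VENDOR APC
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
ATTRIBUTE APC-Perms 3 string
ATTRIBUTE APC-Username 4 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
VALUE APC-Service-Type Outlet 4
VALUE APC-Service-Type Card 5
END-VENDOR APC
"""


def parse_dictionary(text):
    """Return {vendor: {"id": int, "attrs": {name: (number, type)}, "values": {attr: {name: int}}}}."""
    vendors, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # '#' starts a comment in dictionary files
        if not words:
            continue
        if words[0] == "VENDOR":
            vendors[words[1]] = {"id": int(words[2]), "attrs": {}, "values": {}}
        elif words[0] == "BEGIN-VENDOR":
            current = vendors[words[1]]
        elif words[0] == "END-VENDOR":
            current = None
        elif words[0] == "ATTRIBUTE" and current is not None:  # top-level attributes are not handled here
            current["attrs"][words[1]] = (int(words[2]), words[3])
        elif words[0] == "VALUE" and current is not None:
            current["values"].setdefault(words[1], {})[words[2]] = int(words[3])
    return vendors


def encode_vsa(vendors, vendor, attr_name, value):
    """Build one Vendor-Specific attribute: 26 | len | vendor-id(4) | vendor-type | vendor-len | data."""
    v = vendors[vendor]
    number, typ = v["attrs"][attr_name]
    if typ == "integer":
        if isinstance(value, str):
            value = v["values"][attr_name][value]  # KeyError for a named value the dictionary lacks
        data = struct.pack("!I", value)
    elif typ == "string":
        data = value.encode() if isinstance(value, str) else bytes(value)
    else:
        raise ValueError("unsupported attribute type %s" % typ)
    body = struct.pack("!IBB", v["id"], number, len(data) + 2) + data
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for a one-octet Length")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_attributes(vendors, buf):
    """Walk a RADIUS attribute list; VSAs known to the dictionary come back as (vendor, name, value)."""
    by_id = {v["id"]: (name, v) for name, v in vendors.items()}
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        kind, data = buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]
        if kind != VENDOR_SPECIFIC or len(data) < 6 or struct.unpack("!I", data[:4])[0] not in by_id:
            out.append((None, kind, data))  # plain attribute, or a vendor we have no dictionary for
            continue
        vendor, v = by_id[struct.unpack("!I", data[:4])[0]]
        names = {num: (name, typ) for name, (num, typ) in v["attrs"].items()}
        sub = data[4:]
        while sub:
            if len(sub) < 2 or sub[1] < 2 or sub[1] > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            num, sdata, sub = sub[0], sub[2:sub[1]], sub[sub[1]:]
            name, typ = names.get(num, ("%s-%d" % (vendor, num), "string"))
            if typ == "integer" and len(sdata) == 4:
                n = struct.unpack("!I", sdata)[0]
                value = next((k for k, x in v["values"].get(name, {}).items() if x == n), n)
            else:
                value = sdata.decode("utf-8", "replace")
            out.append((vendor, name, value))
    return out


if __name__ == "__main__":
    d = parse_dictionary(APC_DICTIONARY)
    wire = encode_vsa(d, "APC", "APC-Service-Type", "Admin")
    print(wire.hex(), decode_attributes(d, wire))
```

Both length octets are checked before anything is sliced, so a truncated or malformed attribute list raises instead of being read past its end; the same care applies to any decoder you point at traffic from the network.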
Now restart the RADIUS daemon and log in to your APC. Under Security, Remote Users, RADIUS you’ll find the place to enter your OS X Server IP and the key we made earlier, and to test the authentication. Make sure this passes before proceeding, and that the user you configured earlier authenticates as Administrator.
If you got to this point and the APC is saying it cannot contact RADIUS, make sure the RADIUS daemon isn’t crashing on your server. Check out tail -f /var/log/radius/radius.log to see what’s going on.
The final step is to click on Authenticate in the APC UI and set it to RADIUS, then Local Authentication.
Posted: March 27th, 2013 | Author: jordan | Filed under: Mac OS X, Mac OS X Server, Open Directory, RADIUS, VPN | 3 Comments »

So you’re using Mountain Lion Server for Open Directory. Good for you! But beware of your users: they have requested VPN access to the network and, like any good sysadmin, you think, “Jesus H Christ, here’s yet another credential combo for the user to forget, for the user to call me at 10pm Friday night asking: ummmmmm, what’s my password?” FOR WHAT?!?! Jeezus Christ, why don’t they ever tell us which password they forgot? Anywho, I digress. With the power of RADIUS on your trusty Mac OS X Server you can now defer the authentication of your Cisco VPN gateway to your directory system. Let’s set up RADIUS on Mac OS X Server.
Prep the directory
Either make your Mac an OD Master or bind it to a directory; I think this is a given, but just saying. Then, whatever directory system you’re using, create a group called “VPN Access” or something to that effect, and add the users and/or groups you want to have VPN access. I don’t care if this is in Active Directory, Workgroup Manager or Server.app.
Build the RADIUS service
ARD into your Mac OS X server. In Server.app navigate to your hardware and then Settings. Note which SSL certificate your server is currently using, then find that certificate in Keychain Access. Right below it will be the key; right-click on the key and choose Export. The destination is /Users/Shared/cert.p12 and the password can be blank.
Open Workgroup Manager and edit the local directory, authenticating yourself so you have read/write privileges. From the View menu enable Show System Records, then click on the Groups tab and sort by GID. Scroll down to the 200’s and look for records like “com.apple.ard_access” and “com.apple.afp_access”; find the last of these groups and note its GID. Now create a new group: the long name is blank, the short name is “com.apple.access_radius” and the GID is one more than the last GID you noted earlier (2xx). Save changes.
Once created, click on the Members tab and then the “+” symbol. A side pane will appear; in this pane you can choose any directory system the OS X box is bound to, Active or Open. Cool, hey? Add the “VPN Access” group. Save the changes.
Open a terminal and “sudo -s” up. As the root user paste in the following:
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass no
radiusconfig -autorotatelog on -n 15
Now, run these one at a time. When prompted for a password, enter the password that you set when you exported the cert from Keychain. I told you to put no password, but God knows that sysadmins rarely do what they’re told. 😉
paste one at a time:
WATCH THE LINE WRAP!
openssl pkcs12 -in /Users/Shared/cert.p12 -out /etc/raddb/certs/radius.key -nodes -nocerts
openssl pkcs12 -in /Users/Shared/cert.p12 -out /etc/raddb/certs/radius.crt -nodes -nokeys
radiusconfig -installcerts /etc/raddb/certs/radius.key /etc/raddb/certs/radius.crt
Finally, for the server, let’s grant access to our Cisco box. IP is obviously the IP of the box; short-name is just a nickname for the system.
radiusconfig -addclient <IP> <short-name> other
You should be prompted to enter a key, please remember this key, let’s call it: theKey.
Finally, run radius in verbose mode with radiusd -X
Leave the terminal open; do not close it. It will help us deduce answers should problems arise. If all goes well you should get something like:
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.
Connect your Cisco VPN gateway
conf t
radius-server host <enter IP||FQDN> auth-port 1812 acct-port 1813
radius-server key <enter theKey>
aaa new-model
aaa authentication login vpn group radius local
aaa authorization network vpn local
You’ll need to connect this AAA stanza to your crypto map; my crypto map is called VPN. This is how I did it; note how the list name vpn from the aaa lines and the map name VPN line up.
crypto map VPN client authentication list vpn
crypto map VPN isakmp authorization list vpn
This will allow AAA to check the RADIUS server, but fall back to local auth if RADIUS does not respond.
Finally we’re going to test all of this using the test command. So get out of conf t by typing exit and try the following:
test aaa group radius <username> <password> legacy
If it returns “User was successfully authenticated.” you’re in business. Also, note the terminal where radiusd -X is running; you’ll see some interesting output.
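A check worth running before you trust that test, as an added example that is not part of the post or of anything Cisco ships: the radiusd -X banner quoted above lists 1645 and 1646, while the radius-server host line names 1812 and 1813; whichever ports your daemon binds, the router has to be told the same ones, and because the login list ends in local, a router pointed at a port nobody listens on will quietly fall back to the local user database instead of failing loudly. The code below parses both texts and reports any disagreement plus the presence of that fallback. The two sample texts are constructed from the lines shown in this post, with a placeholder server address; the IOS defaults of 1645/1646 when auth-port/acct-port are omitted are Cisco's documented defaults.

```python
"""Added example: compare the ports radiusd reports binding with the ports the IOS
radius-server line points at, and flag a local fallback on the aaa login list.
Not the post's code and not Cisco's. Sample texts are constructed from the post's lines.
"""
import re

# Constructed sample: the radiusd -X banner as quoted in the post.
RADIUSD_OUTPUT = """\
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.
"""

# Constructed sample: the IOS lines from the post, with a placeholder host and key.
IOS_CONFIG = """\
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813
radius-server key theKey
aaa new-model
aaa authentication login vpn group radius local
aaa authorization network vpn local
"""

LISTEN_RE = re.compile(r"^Listening on (authentication|accounting) (\S+?):(\d+)\s*$")
HOST_RE = re.compile(r"^radius-server host (\S+)(?:\s+auth-port (\d+))?(?:\s+acct-port (\d+))?")
AAA_LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")

# IOS defaults when auth-port/acct-port are omitted from the radius-server host line.
IOS_DEFAULT_AUTH, IOS_DEFAULT_ACCT = 1645, 1646


def parse_listeners(text):
    """{'authentication': {ports}, 'accounting': {ports}} from radiusd -X output."""
    found = {"authentication": set(), "accounting": set()}
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found[m.group(1)].add(int(m.group(3)))
    return found


def parse_ios(text):
    """Return (hosts, logins): hosts as (host, auth_port, acct_port); logins as {list_name: [methods]}."""
    hosts, logins = [], {}
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1),
                          int(m.group(2) or IOS_DEFAULT_AUTH),
                          int(m.group(3) or IOS_DEFAULT_ACCT)))
            continue
        m = AAA_LOGIN_RE.match(line)
        if m:
            logins[m.group(1)] = m.group(2).split()
    return hosts, logins


def check(radiusd_text, ios_text):
    """Human-readable findings; an empty list means the ports agree and there is no silent fallback."""
    listeners = parse_listeners(radiusd_text)
    hosts, logins = parse_ios(ios_text)
    findings = []
    for host, auth, acct in hosts:
        if auth not in listeners["authentication"]:
            findings.append("%s: auth-port %d but radiusd listens on %s"
                            % (host, auth, sorted(listeners["authentication"])))
        if acct not in listeners["accounting"]:
            findings.append("%s: acct-port %d but radiusd listens on %s"
                            % (host, acct, sorted(listeners["accounting"])))
    for name, methods in logins.items():
        if "group" in methods and "local" in methods:
            findings.append("login list %s falls back to local when RADIUS does not answer, "
                            "so an unreachable or misaddressed server is masked from users" % name)
    return findings


if __name__ == "__main__":
    for finding in check(RADIUSD_OUTPUT, IOS_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it your own radiusd -X output and the output of show running-config | include radius|aaa; the fallback finding is informational (the post relies on it deliberately), but it is the reason a port mismatch can go unnoticed until someone checks the RADIUS log.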
Clean Up
Run wr mem on your router and exit the session. Cancel that radiusd -X process we started and start the service properly:
serveradmin start radius
Immediately test the connection from the outside to ensure it’s stable.
Check out my next post: Authenticate APC UPS against RADIUS on Mac OS X Server 10.8 Mountain Lion