Restrict RADIUS usage in Server 5.x

This is a follow up post to my previous article about how to setup RADIUS on Server 5.x

In my Open Directory user list I have a user called scanner with a password of, you guessed it, scanner. Now I know this isn’t the most secure thing ever but the user only has very limited access. Recently I wanted to implement RADIUS so that the VPN concentrator could authenticate against Open Directory but I certainly don’t want the scanner user to be able to authenticate. Previously I would fire up WorkGroup Manager and build a service access control list, SACL. However with WGM now gone I have to do it on the command line. After some hacking I figured it out.

First, you’ll need to make a group in OD called VPN and put the users you would like to have VPN access in it. Then whip open a terminal and get the GUID of that group.

dscl localhost read /LDAPv3/127.0.0.1/Groups/VPN

You’re looking for the “GeneratedUID” record this somewhere. Next edit the following script and put your GeneratedUID into the line where it says NestedGroups


dscl localhost create /Local/Default/Groups/com.apple.access_radius
dscl localhost create /Local/Default/Groups/com.apple.access_radius RealName com.apple.access_radius
dscl localhost create /Local/Default/Groups/com.apple.access_radius passwd "*"
dscl localhost create /Local/Default/Groups/com.apple.access_radius gid 260
dscl localhost create /Local/Default/Groups/com.apple.access_radius NestedGroups PASTE_GUID_HERE


Then reboot radius with a serveradmin stop/start radius and you should be good to go!