Using the RADIUS Service
in OS X 10.5
Volume Number: 23 (2007)
Issue Number: 11
Column Tag: Networking
Using the RADIUS Service
in OS X 10.5
Aimed at Airports, but flexible under the hood
By Ben Greisler
Why RADIUS?
Controlling access to your wireless network has just become easier with the inclusion of RADIUS services in Leopard Server. Providing a central method for controlling user access to Airport access points (and other RADIUS capable devices), the Leopard implementation is Apple simple.
RADIUS Services in Leopard 10.5
Setting up RADIUS in Leopard server is very straightforward. You can either use the wizard or manually set it up manually. Normally I would say that using a wizard is the easy method, but in this case even the manual method is very simple to follow. Regardless of the method, you will end up with a working set up.
In my test environment I set up an Airport Extreme (round) and configured it to bridge. This has nothing to do with the RADIUS setup, but will be similar to how other will be using it. I had a working OD master on my network and I set up a group of users authorized to connect to the wireless network. I then bound my Leopard server to the OD and checked that I could recognize OD users from the Leopard machine. The RADIUS services can be set using SACL's (Service ACL's) making it very flexible from an authorization standpoint. Once that was set I was able to start the RADIUS configuration.
Fig. 1. Activating the RADIUS service in Server Admin
Wizard Method:
Open Server Admin and activate the RADIUS service in Settings/Services. This will make the RADIUS service available in the services list.
In the RADIUS service Overview pane, click the "Configure RADIUS Service..." button.
Fig. 2. RADIUS Service Overview pane
The first page lets you chose what certificate you want to use. You can pick an existing certificate or create a self signed certificate.
Fig. 3. Pick your certificate or make your own
With your Airports up and running, you should see them in the Add Base Stations page. Pick the ones you want to use RADIUS with and fill in the Airports administrative password, then click "Add." Once the base stations have populated the Selected Base Stations window, click "Continue."
Fig. 4. Select the Airports you want authorized via RADIUS
The next window allows you set up who will be authorized to connect to the wireless network. We had set up an Open Directory group named "radiususers" in this example and selected it.
Fig. 5. Pick your group to limit users or allow all users
In the next windows, much like the final steps of configuring an OSX Server, you are given the opportunity to do a final check of your RADIUS configuration.
Fig. 6. Check your settings and commit them
The final window simply announces the successful configuration of RADIUS services.
Fig. 7. Success! Start logging in!
Manual Method:
Open Server Admin and activate the RADIUS service in Settings/Services. This will make the RADIUS service available in the services list.
In the RADIUS service Settings pane, we need to configure our certificates. If you choose a custom configuration you will be presented with you choices of where the certificates reside and a quick link to the Certificate Management page.
Fig. 8. RADIUS settings page
Fig. 9. Certificate locations
Fig. 10. Certificate management
The RADIUS settings page has an "Edit Allowed Users..." button bringing you to the SACL's page where you can define which groups can be authorized.
Fig. 11. When defining an authorized group, you can use any method of building the groups for maximum utility such as nesting
Fig. 12. The Base Stations window gives you the tools to manage your access points
In the Base Stations window you can browse for Airports or add them manually.
When browsing for Airports, you simply pick the devices you want, type in the administrator password for the device and the RADIUS service does the rest. It will communicate with the Airport, define a random shared secret and restart the Airport.
Fig. 13. Browsing for Airports
Fig. 14. If we now look at the Aiport in the AirPort Utility we can see that the RADIUS configuration has been set for us
If we pick the "Add" button, we are able to directly configure an Airport. It won't be as easy, but it is necessary for Airports not visible while browsing. You will also need to manually configure the Airport in the AirPort Utility with the shared secret. You could also set up non-Airport devices using this method.
Fig. 15. Configuring the Airport manually
To ease the rollout to Mac clients, you can export an Internet Connect plist. Click on the "Save Internet Connect File" button.
Fig. 16. Exporting the Internet Connect file
Fig. 17. With everything else configured we can get our clients connecting
Fig. 18. The user experience when connecting to a RADIUS controlled Airport
Command Line:
RADIUS in Leopard is based on FreeRADIUS and is configurable via command line. Visit the man page for details:
leoserver:~ leoadmin$ man radiusd
Take particular note of the ordering of the radius.conf contents if you decide to modify it directly. A change of ordering can make the server not work any more. This is noted in the man page and is worth repeating.
If you want to examine the files that make RADIUS work, go to /etc/raddb. Logs live at /var/log/radius/radius.log.
Conclusion
RADIUS services in Leopard server is a great addition to the set of tool Apple has given us. While Apple's implementation is really aimed at Apple Airport users, it should also work with other devices.
Ben has been everything from a Mac user to CTO of one of the leading Macintosh professional services firms. Besides writing an occasional article for MacTech, you can find him presenting at Macworld (including a session called "DNS: Demystified, co-presented with Doug Hanley) or consulting with clients around the world. You can reach him at ben@greisler.org.
