OS X Server + AirPort with RADIUS authentication (English version)

Recently I have been looking into how to use the RADIUS service in OS X Server together with an AirPort. The OS X Server manual says that OS X Server can manage an AirPort through RADIUS and enable enterprise Wi-Fi encryption (WPA2 Enterprise, where each user logs in with a name and password instead of a shared key).


First, we need a Mac running OS X with OS X Server installed, and of course an AirPort base station.

Second, the server's access setting must be "Local Network" or "Local Network and VPN". This is changed under "Host Name" in the Overview pane of Server.app. Note that you cannot set it to "Internet", because then the Open Directory service cannot be enabled.

Third, enable the Open Directory service.

Fourth, set the AirPort's Router Mode to "DHCP and NAT". If there is already a DHCP server upstream of the AirPort, give the AirPort a different subnet (for example starting at 192.168.2.1) in its Network Options. If AirPort Utility warns about Double NAT, just choose Ignore.
DHCP and NAT must be enabled; otherwise OS X Server cannot manage the AirPort.

Fifth, disable the AirPort's Default Host (DMZ) function in Network Options. If it is enabled, the server will not receive any RADIUS requests from the AirPort.

Once all of that is done, the AirPort should appear in the Server.app sidebar:
[Screen Shot 2015-09-16 at 02.50.48]

Select it and you will be asked for the AirPort's admin password. After that you should be able to manage the AirPort from OS X Server.
[Screen Shot 2015-09-16 at 03.18.28]

Enable "Require user name and password login over Wi-Fi" and reboot the AirPort. The RADIUS service should now be running, and the AirPort should have been configured automatically for enterprise Wi-Fi with OS X Server as its RADIUS authentication server.
The weird thing is that you cannot log in with the username and password of your server's admin account. The reason is that the RADIUS part of OS X Server is incomplete; there is a lot that OS X Server does not set up. There is an application in the Mac App Store that can help, but if you don't want to spend money, you have to finish it manually.

So here is how I did it.
The guides I found on the internet were not directly usable for me:

Configuring basic RADIUS on OS X 10.8 Server

OS X Mavericks Server – Setting Up FreeRADIUS


They were written for older systems than the one I used (10.10.5), but they are still worth referring to.

Now open Terminal and become root (sudo -s).
First, create the group:
dseditgroup -q -o create -u -n . com.apple.access_radius

Then set the radiusconfig options:
radiusconfig -setconfig auth yes
radiusconfig -setconfig auth_badpass yes
radiusconfig -setconfig auth_goodpass yes

Create the certificate files. I used Keychain Access to create a self-signed certificate, but actually any certificate files will do. When you enable RADIUS management of Wi-Fi in Server.app, OS X Server sets the correct certificate files automatically, so normally you should not need to do this by hand.
You can check whether the certificate files are loaded correctly with
radiusconfig -getconfig
and
radiusconfig -getconfigxml
If everything is normal, you should see some paths ending in .pem in the settings.
If not, you have to create the certificate files manually. The links above explain how, but note the path: it is not /etc/raddb/certs/ but /Library/Server/radius/raddb/certs/.
Another thing to watch for is the radiusconfig -installcerts command. It may print a warning like
command: /usr/bin/openssl rand -out **** 1024
and leave the certificate paths empty in the RADIUS config. In that case you have to write the CA_file, certificate_file and private_key_file paths into the RADIUS config yourself with radiusconfig -setconfig.

Next, add the client.
The radiusconfig manual describes it as -addclient nas-name short-name. In practice nas-name is the router's IP address and short-name is the router's display name, and short-name must be all lowercase. For example:
radiusconfig -addclient 192.168.2.1 airport
After running it you will be prompted for a shared secret; the default is testing123 and you can change it. Since testing123 is a widely known default, use a long random secret of your own. My suggestion is to set this secret and the AirPort's Secondary RADIUS Server secret to the same value, and to leave the AirPort's Primary RADIUS settings at their defaults, just in case.

Run radiusconfig -naslist and you should see the client you added.
Now restart the RADIUS service:
radiusconfig -stop
radiusconfig -start

In theory the Wi-Fi should work now.

If it still does not work, stop the service with radiusconfig -stop and run RADIUS in debug mode:
radiusd -X
If the configuration is correct, the last line printed will be "Ready to process requests".
Then open a new Terminal window and run radtest against the local RADIUS service on the server itself:
radtest -x username password 127.0.0.1 1812 testing123
(substitute a real user name and password; the positional arguments are user, password, server, NAS port number and shared secret. The 1812 here is the NAS-Port attribute value rather than the UDP port: radtest sends to 1812/udp by default, and a different port would be written as 127.0.0.1:port.)
If everything is correct, you will see activity in both radtest and the radiusd debug window, and a single successful authentication. If radtest fails to communicate after 3 attempts, check that the RADIUS port is listening and check the firewall.

If it shows something like
Ignoring request to authentication address * port 1812 from unknown client 192.168.2.1 port 65307
check whether you reversed the IP address and device name in -addclient, and that the device name is all lowercase.

If radtest passes but the AirPort still fails, check the AirPort's settings: make sure the RADIUS server IP address is correct, that Default Host (DMZ) is disabled, and that the RADIUS shared secret matches.
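To make the troubleshooting above concrete, here is an added example (not code from the original post, and not Apple's radiusconfig or FreeRADIUS) that reproduces in pure Python what radtest and the RADIUS server each do with the shared secret, following RFC 2865: PAP password hiding, the Response Authenticator, and the lookup of the client by its source address. The client list, user name and password in it are constructed; testing123 is the default secret mentioned above. Running it shows the four outcomes the post describes: accept, reject, an unlisted NAS getting no reply at all (the "unknown client" case), and a mismatched secret showing up as a reply whose authenticator does not verify.

```python
"""RFC 2865 RADIUS Access-Request / reply with a PAP password, in pure Python.
Added example, not code from the original post, radiusconfig or FreeRADIUS: it shows what
radtest and the server each do with the shared secret, so the unknown-client, wrong-secret
and wrong-password cases in the post can be reproduced offline. "testing123" is the default
secret the post mentions; the client list, user and password below are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR block i with MD5(secret + ciphertext block i-1)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (server side); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs

def build_access_request(ident, secret, username, password, authenticator=None):
    """What radtest sends: code 1, a random 16-byte Request Authenticator, PAP-hidden password."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(response, req_auth, secret):
    """Client side: a reply computed with a different secret (or forged) fails this check."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hmac.compare_digest(hashlib.md5(header + req_auth + attrs + secret).digest(), resp_auth)

def server_handle(packet, src_ip, clients, users):
    """Server side; clients maps NAS IP -> secret (what radiusconfig -addclient stores), users maps
    name -> password. The NAS is looked up by UDP *source* address, so an unlisted NAS gets no reply
    at all ("Ignoring request ... from unknown client" in radiusd -X) rather than an Access-Reject."""
    if src_ip not in clients:
        return None
    secret = clients[src_ip]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return None
    # Mismatched secret => password decrypts to garbage; without Message-Authenticator the server
    # cannot tell "wrong secret" from "wrong password" and simply rejects.
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    name = attrs[ATTR_USER_NAME]
    ok = name in users and hmac.compare_digest(users[name], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)

def radtest(src_ip, secret, username, password, clients, users, ident=1):
    """One radtest-style round trip: 'accept', 'reject', 'no-reply' or 'bad-authenticator'."""
    request = build_access_request(ident, secret, username, password)
    response = server_handle(request, src_ip, clients, users)
    if response is None:
        return "no-reply"           # what radtest's three timed-out retries look like
    if not verify_response(response, request[4:20], secret):
        return "bad-authenticator"  # the server built the reply with a different secret
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "unknown")

if __name__ == "__main__":
    CLIENTS = {"127.0.0.1": b"testing123", "192.168.2.1": b"testing123"}  # constructed naslist
    USERS = {b"alice": b"correct horse"}                                    # constructed user
    for case in (("127.0.0.1", b"testing123", b"alice", b"correct horse"),      # accept
                 ("127.0.0.1", b"testing123", b"alice", b"wrong"),              # reject
                 ("192.168.2.1", b"wrong-secret", b"alice", b"correct horse"),  # bad-authenticator
                 ("192.168.2.50", b"testing123", b"alice", b"correct horse")):  # no-reply
        print(case[0], case[1].decode(), "->", radtest(*case, CLIENTS, USERS))
```

The server's only input for choosing a secret is the packet's source address, which is exactly what radiusconfig -addclient registers, so a reversed or wrongly cased entry produces silence rather than a rejection. It also shows why the default secret should be replaced: anyone on the LAN who knows it can decrypt every PAP password on the wire and forge replies. For the AirPort's enterprise Wi-Fi clients the password travels inside EAP (which is what the certificate step earlier is for) rather than as plain PAP, but the request and reply authenticators are protected by this same shared secret.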

Finally everything works. When you connect to the Wi-Fi from a Mac or iOS device, it asks you to log in with the username and password of a user on your server, and then asks you to trust and install a certificate. And... now you are connected with enterprise encryption. That certificate is the RADIUS server's own; if it is self-signed, check that it really is your server's before accepting it, because a client that trusts any certificate can be tricked into handing its credentials to a rogue access point running its own RADIUS server.

You can now also use OS X Server to manage port forwarding, DHCP and DNS if you like. The good thing is that changing these settings through OS X Server no longer requires rebooting the AirPort. The bad thing is that IPv6 stops working, because OS X Server does not support DHCPv6 or IPv6 DNS yet, and even when that is disabled in OS X Server, IPv6 still does not work on the AirPort. This is probably an AirPort firmware bug.


Leave a comment if you have any problems.
