Using Mac OS X Server’s RADIUS service with third-party devices

By Iain Morris posted on December 18th, 2009

Mac OS X Server builds on well-known and powerful Unix tools, which are at your full disposal once you understand how they work.  One of these is the FreeRADIUS server included with 10.5 and 10.6 Server.

As is typical of Mac OS X Server, Server Admin makes it easy to add Apple base stations to authenticate against Open Directory using RADIUS.  But what if you want to use the RADIUS server for other devices?  Most decent managed switches and routers can authenticate to RADIUS.  Wouldn’t it be great to have them authenticate against Open Directory?  Read on.

First, what is RADIUS and why do I need it?

RADIUS stands for Remote Authentication Dial-In User Service.  It is a well-known and heavily-used protocol, most often associated with managed switches, routers, modem pools, and other network devices; on embedded systems like these it is almost always available as a centralized authentication option.  It runs over UDP, conventionally on port 1812 for authentication and 1813 for accounting, and provides three things to your network:  Authentication, Authorization, and Accounting.

WPA/WPA2 pre-shared keys (PSK) are often used for AirPort base stations and other wireless devices.  Everyone uses the same PSK, usually saved in Network Preferences for convenience.  The encryption itself is sound; the problem is that a single shared credential does not scale in a large organization.  If an employee is fired or a laptop is stolen, the PSK has to be changed and everyone in the organization has to be told the new one.  This quickly becomes a problem with more than a few people.  With RADIUS (WPA2 Enterprise, in wireless terms) each user authenticates with her own directory account: the employee’s access ends the moment the account is deactivated in Open Directory, and she can change her own password if her laptop is stolen.  Much easier!

Centralized authentication and authorization also makes accounting possible: you can see who connected to which device, and when.  Industry compliance requirements often dictate that you be in control of this information.

So how do I get my devices talking to my RADIUS server?

Mac OS X Server comes with a full install of the FreeRADIUS server, a highly configurable and complex server driven by a number of config files in /etc/raddb.  When you add a new base station in Server Admin, the data is stored in an SQLite database at /etc/raddb/sqlite_radius_client_database.  However, you don’t have to insert devices into this database for RADIUS to acknowledge them.  By editing /etc/raddb/clients.conf you can add further devices.  Note that the server identifies a client by the source IP address of its packets, so the address you list must be the one the device actually sends from, as seen by the server.

Here I have added two security appliances, at 10.10.3.1 and 10.11.80.1, to clients.conf.  Treat the secrets shown as illustrative: use a long random secret, and a different one for every device, because the secret is all that authenticates the device to the server and protects the user’s password in transit:

# Paris gateway: the address is the one the appliance sends from, as seen by the server
client 10.10.3.1 {
    secret    = k34nu3jsogls
    shortname = parisgw
}

# Tokyo gateway: its own secret, never shared with another device
client 10.11.80.1 {
    secret    = 928jv2lkss0df
    shortname = tokyogw
}

On the security devices I simply add the IP address of the RADIUS server as an authentication source, enter the shared secret I put in clients.conf, point it at UDP port 1812 (and 1813 as well if I want accounting), and make sure the firewalls between the device and the server pass that traffic.  After restarting the RADIUS service on Mac OS X Server, the device authenticates its users against Open Directory.  Great!  Before touching the device it is worth testing the new client entry: run radiusd -X on the server to watch requests in debug mode, and send a test Access-Request with radtest (it ships with FreeRADIUS) from a host that is itself listed in clients.conf.  Be clear about what the shared secret does and does not protect: it hides the User-Password attribute under an MD5-based scheme and authenticates the server’s reply, but the user name and every other attribute cross the wire in the clear, and the secret is also the only thing authenticating the device.  Use a long random secret per device and keep this traffic on a trusted management network rather than opening port 1812 to the world.
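To make concrete what the shared secret from clients.conf actually does on the wire, here is an added example (my own code, not from this post and not FreeRADIUS) that models both sides of the Access-Request/Access-Accept exchange from RFC 2865 in Python.  The two client addresses and secrets are the ones from the clients.conf stanza above; the user table is a constructed stand-in for Open Directory, and the source IP of the UDP datagram is passed in as a parameter since no real socket is used.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# The two NAS entries from clients.conf above, keyed by source IP as FreeRADIUS keys them
CLIENTS = {"10.10.3.1": b"k34nu3jsogls", "10.11.80.1": b"928jv2lkss0df"}
# Constructed stand-in for Open Directory accounts (assumption, not real OD lookup)
USERS = {b"amelie": b"correct horse battery"}


def _md5(*parts):
    h = hashlib.md5()
    for part in parts:
        h.update(part)
    return h.digest()


def encode_attrs(attrs):
    """TLV attributes: type(1) length(1, header included) value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password too long for User-Password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage rather than an error."""
    if len(hidden) % 16:
        raise ValueError("User-Password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(packet):
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    return code, ident, packet[4:20], decode_attrs(packet[20:])


def nas_build_request(ident, username, password, nas_ip, secret):
    """Device side: fresh random Request Authenticator, password hidden under the secret."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, secret, ra)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return pack(ACCESS_REQUEST, ident, ra, attrs)


def server_handle(src_ip, packet):
    """Server side: the secret is chosen by the datagram's source IP, which is why the
    clients.conf address has to be the one the device really sends from."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None  # FreeRADIUS silently ignores requests from unlisted clients
    code, ident, ra, attrs = unpack(packet)
    if code != ACCESS_REQUEST:
        return None
    a = dict(attrs)
    password = reveal_password(a.get(USER_PASSWORD, b""), secret, ra)
    reply_code = ACCESS_ACCEPT if USERS.get(a.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + _md5(header, ra, secret)


def nas_check_reply(request, reply, secret):
    """Device side: trust the reply only if its authenticator was made with our secret and
    our Request Authenticator; otherwise anyone could spoof an Access-Accept."""
    _, req_id, ra, _ = unpack(request)
    _, rep_id, resp_auth, _ = unpack(reply)
    if rep_id != req_id:
        return False
    return hmac.compare_digest(_md5(reply[:4], ra, reply[20:], secret), resp_auth)


def run_exchange(src_ip, username, password, nas_secret):
    """One round trip; returns (outcome, reply_authentic)."""
    request = nas_build_request(7, username, password, src_ip, nas_secret)
    reply = server_handle(src_ip, request)
    if reply is None:
        return ("dropped", False)
    outcome = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[reply[0]]
    return (outcome, nas_check_reply(request, reply, nas_secret))
```

Running run_exchange with the right secret yields an accept; with a mistyped secret on the device the server decodes a garbage password and rejects, and the device in turn cannot validate the reply, which is the symptom you see when clients.conf and the device disagree.  A request from an address not in clients.conf gets no answer at all.  The weak point is visible in hide_password: MD5 of the secret and 16 random bytes is all that separates a sniffer from the password, which is why the secret must be long and random and the traffic confined to a trusted network.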

But what if I want to limit certain groups to certain devices?  Server Admin only lets you limit a single group to all base stations in the list.  This is a major limitation.  Perhaps we don’t want our Paris users to be able to use the Tokyo gateway.  Or perhaps only IT administrators should be able to log in to the admin interfaces of switches.  By adding some entries to /etc/raddb/huntgroups, you can solve this problem:

# huntgroup name, then the check that selects the device; the indented
# line lists what the user must satisfy on that device
paris          NAS-IP-Address == 10.10.3.1
               Group = france_users

tokyo          NAS-IP-Address == 10.11.80.1
               Group = japan_users

switch01928    NAS-IP-Address == 10.11.20.3
               Group = net_admin

Here france_users, japan_users, and net_admin are Open Directory groups containing the users allowed on each device.  Each entry names a huntgroup and the check that selects the device (the NAS IP address, the same one used in clients.conf); the indented line lists the condition the user must meet.  Items on indented lines are separated by commas, and the last one takes no trailing comma.  FreeRADIUS works through the file in order, takes the first entry whose device check matches, and rejects the request outright if that entry’s Group condition fails.  Two caveats: a device that is in clients.conf but not in huntgroups gets no restriction at all, and the file is read when the server starts, so restart the RADIUS service after editing it.
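
As an added example (again my own code, not from the post and not FreeRADIUS itself), the following Python parses a huntgroups file in the format shown above and models how the preprocess module applies it: first entry whose device check matches wins, and every item on its indented lines must then hold or the request is rejected.  The three entries are a constructed copy of the ones above, the directory is a constructed stand-in for Open Directory group membership, and treating multiple indented items as an AND is this model’s assumption.

```python
# Constructed copy of the three huntgroups entries from the post
HUNTGROUPS = """\
# huntgroup name, then the check that selects the device
paris          NAS-IP-Address == 10.10.3.1
               Group = france_users

tokyo          NAS-IP-Address == 10.11.80.1
               Group = japan_users

switch01928    NAS-IP-Address == 10.11.20.3
               Group = net_admin
"""

# Constructed stand-in for Open Directory group membership (assumption, not a real lookup)
DIRECTORY = {
    "amelie": {"france_users"},
    "kenji": {"japan_users"},
    "ops": {"net_admin", "japan_users"},
}


def _split_items(text):
    """Turn 'a == b, c = d,' into (attr, op, value) tuples; a trailing comma is tolerated."""
    items = []
    for piece in text.split(","):
        piece = piece.strip()
        if not piece:
            continue
        parts = piece.split(None, 2)
        if len(parts) != 3 or parts[1] not in ("==", "=", "!="):
            raise ValueError("cannot parse item: %r" % piece)
        items.append((parts[0], parts[1], parts[2]))
    return items


def parse_huntgroups(text):
    """Return [(name, check_items, user_items)] in file order.
    A line starting in column one opens an entry; indented lines continue the previous one."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":
            if not entries:
                raise ValueError("continuation line before any huntgroup")
            entries[-1][2].extend(_split_items(line))
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                raise ValueError("huntgroup %r has no check item" % parts[0])
            entries.append((parts[0], _split_items(parts[1]), []))
    return entries


def _item_matches(item, request, groups):
    attr, op, value = item
    if attr == "Group":  # virtual attribute: compared against directory membership
        hit = value in groups
    else:
        actual = request.get(attr)
        if actual is None:
            return op == "!="  # absent attribute only satisfies a negative check
        hit = actual == value
    return (not hit) if op == "!=" else hit


def apply_huntgroups(entries, request, directory):
    """Model of rlm_preprocess: returns ("ok", name), ("reject", name) or ("ok", None)."""
    groups = directory.get(request.get("User-Name", ""), set())
    for name, checks, user_items in entries:
        if not all(_item_matches(c, request, groups) for c in checks):
            continue
        if all(_item_matches(u, request, groups) for u in user_items):
            return ("ok", name)
        return ("reject", name)
    return ("ok", None)  # device not listed: no huntgroup, and no restriction either


ENTRIES = parse_huntgroups(HUNTGROUPS)


def decide(user, nas_ip):
    """Outcome for one user logging in through one device."""
    return apply_huntgroups(ENTRIES, {"User-Name": user, "NAS-IP-Address": nas_ip}, DIRECTORY)
```

The last branch of apply_huntgroups is the one to remember when you add a device: until it has a huntgroups entry, anyone with a valid directory account can authenticate through it.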

This is only the tip of the iceberg with FreeRADIUS configuration.  Apple has made a big step towards making it accessible to non-propeller-heads.  But with a little extra legwork, you can make the service much more valuable and flexible to your organization.  Happy authenticating!

Posted in Mac OS X Server, System Administration