How to use RADIUS with macOS Server

airport, authentication, network, osx-server, wifi

We have a Mac Mini Server (macOS 10.12) with Server App (5.2) configured (Open Directory and DNS Server Services active, the network is on static IP). We used to have one Airport Extreme configured from the Server App, with Server providing RADIUS authentication.

Now we would like to add other Airport Extreme basestations to the network in order to extend its range. We were already able to add another RADIUS client via Admin Tool Radius.

  1. I would like to know what kind of RADIUS support does Server App provide?

  2. Since adding a second Airport basestation does not work, I guess I will have to configure a RADIUS server outside of Server App, probably following this video: https://vimeo.com/53774350?

  3. What happens to the Server App's Airport Basestation configuration I had active for the first Basestation? Can I still configure Services and mapping from Server App?

  4. Should I just keep the Basestation activated in Server App, but deactivate the authentication requirement over WiFi and configure a separate RADIUS server?

  5. How about certificates: Server App already has a global certificate, can I use this instead of building a new one?

  6. Will the access group (which is mentioned in the video) be visible in Server App?

Hopefully someone can help.

When I run "sudo radiusconfig -getconfig" I get:

{
    clientcount = 2;
    configured = 1;
    "eap.conf" =     {
        "CA_file" = "/etc/certificates/server.yyyy.zz.xxxxxxxxxx.chain.pem";
        cadir = "/Library/Server/radius/raddb/certs";
        certdir = "/Library/Server/radius/raddb/certs";
        "certificate_file" = "/etc/certificates/server.yyyy.zz.xxxxxxxxxx.cert.pem";
        "check_cert_cn" = "%{User-Name}";
        "check_crl" = no;
        "dh_file" = "/Library/Server/radius/raddb/certs/dh";
        "fragment_size" = 1024;
        "include_length" = yes;
        "private_key_file" = "/etc/certificates/server.yyyy.zz.xxxxxxxxxx.key.pem";
        "private_key_password" = "Apple:UseCertAdmin";
        "random_file" = "/Library/Server/radius/raddb/certs/random";
    };
    "radiusd.conf" =     {
        auth = no;
        "auth_badpass" = no;
        "auth_goodpass" = no;
        "cleanup_delay" = 5;
        confdir = "/Library/Server/radius/raddb";
        "exec_prefix" = "/Applications/Server.app/Contents/ServerRoot/usr";
        "hostname_lookups" = no;
        localstatedir = "/private/var";
        logdir = "/private/var/log/radius";
        "max_request_time" = 30;
        "max_requests" = 1024;
        prefix = "/Applications/Server.app/Contents/ServerRoot/usr";
        radacctdir = "/private/var/log/radius/radacct";
        raddbdir = "/Library/Server/radius/raddb";
        sbindir = "/Applications/Server.app/Contents/ServerRoot/usr/sbin";
        sysconfdir = "/Library/Server/radius";
    };
}

When I run "sudo radiusconfig -naslist" I get:

sudo radiusconfig -naslist
client IP.xxx.xxx.xxx {
  secret = YYYYYYYYYY
  shortname = "Base Station 1"
  community =
  type = "AirPort Base Station"
  description =
};
client IP.xxx.xxx.xxx {
  secret = ZZZZZZZZZZ
  shortname = "Base Station 2"
  community =
  type = "Airport Base Station"
  description =
};

Best Answer

After some work I got it working. I went through all the steps in the video minus the access group. I guess my problem was related to capturing the new basestation; after going over the setup of the second Basestation and rebooting, everything works now! I also corrected some certification-related problems. I used the excellent Admin Tool Radius to set it all up correctly; an incorrect setting might have been the cause of my troubles!

1) I would like to know what kind of RADIUS support does Server App provide?

It appears to provide full support.

2) Since adding a second Airport basestation does not work, I guess I will have to configure a RADIUS server outside of Server App, probably following this video: https://vimeo.com/53774350?

Still an excellent tutorial, slightly outdated in macOS Sierra.

3) What happens to the Server App's Airport Basestation configuration I had active for the first Basestation? Can I still configure Services and mapping from Server App?

It works in our case.

4) Should I just keep the Basestation activated in Server App, but deactivate the authentication requirement over WiFi and configure a separate RADIUS server?

It works in our case. No need to set up the RADIUS server again. My incomplete RADIUS server was probably a certification-related problem.

5) How about certificates: Server App already has a global certificate, can I use this instead of building a new one?

Radius will use the certificate used in the Server App. I used the excellent Admin Tool Radius to set it up.

6) Will the access group (which is mentioned in the video) be visible in Server App?

If you choose "show system accounts" under Server>View then it should show up. But there is no need to set an access group, since RADIUS will use Open Directory.

So everything is working now. As I said, I just went over the single steps again; the problem I had was probably related to the certificate or a mistake in the client setup.

Now I just have to figure out how to get the RADIUS logs into Console, since they do not appear there in macOS Sierra!
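The answer suspects "a mistake in the Client setup", and the `radiusconfig -naslist` listing in the question is regular enough to check mechanically before adding more base stations. The following is an added example, not part of the original post or of Apple's tooling: the sample entries, the 16-character threshold and the choice of checks are assumptions, and the type-spelling finding is informational only.

```python
import re
from collections import defaultdict

# Constructed sample in the `radiusconfig -naslist` layout shown in the question;
# the addresses (RFC 5737 range) and secrets are made up for this example.
SAMPLE = """\
client 192.0.2.10 {
  secret = constructed-secret-0001
  shortname = "Base Station 1"
  type = "AirPort Base Station"
};
client 192.0.2.11 {
  secret = short1
  shortname = "Base Station 2"
  community =
  type = "Airport Base Station"
};
"""
MIN_SECRET_LEN = 16  # assumption: local policy threshold, not an Apple default

def parse_naslist(text):
    """Parse 'client ADDR { key = value ... }' blocks into dicts (a '}' inside a value is not handled)."""
    clients = []
    for addr, body in re.findall(r"client\s+(\S+)\s*\{(.*?)\}", text, re.S):
        fields = {"address": addr}
        for line in body.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip()] = value.strip().strip('"')
        clients.append(fields)
    return clients

def audit(clients):
    """Return sorted (shortname, finding) pairs; secret values are never echoed."""
    findings, groups, types = set(), defaultdict(list), defaultdict(set)
    for c in clients:
        name, secret = c.get("shortname") or c["address"], c.get("secret", "")
        if len(secret) < MIN_SECRET_LEN:
            findings.add((name, "secret empty or shorter than %d chars" % MIN_SECRET_LEN))
        groups[("secret shared with another client", secret)].append(name)
        groups[("address listed more than once", c["address"])].append(name)
        types[c.get("type", "").lower()].add(c.get("type", ""))
    for (label, key), names in groups.items():
        if key and len(names) > 1:
            findings.update((n, label) for n in names)
    for spellings in types.values():
        if len(spellings) > 1:  # informational: same type, different letter case
            findings.add(("*", "type spelled inconsistently: " + " / ".join(sorted(spellings))))
    return sorted(findings)
```

Feed it the saved output of `sudo radiusconfig -naslist` and treat that file as sensitive, since it contains the shared secrets in clear text.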