I’d like to start by recognising the article and video from Jedda Wignall for the initial article about Mac OS X Server v10.8, and the follow up article by Charles Edge at Krypted.com for Mavericks v10.9
However I think I found enough differences in Yosemite to make it worthy of another write up, so here goes- much of this is copypasta from these previous articles, some little bits of extra explanation, and I’ll highlight the new bits.
First we need to create the group that has access to the service-
dseditgroup -o create -n . -u admin -r RADIUS com.apple.access_radius
Next, we add a client- in this case a client is an Wireless base station that will pass through the credentials of another device for acceptance. In my case I’ll be adding a Meraki MR18 and an Apple Airport Extreme. The ‘other’ is the client type, and Jedda says we can read marabout that in /etc/raddb but I didn’t bother, which could be a problem later…..
radiusconfig -addclient 172.16.1.2 mr18.servicemax.private other
You’ll then be prompted for the ‘shared secret’, write this down, add it to the command line and you should get back
172.16.1.2 added to the list
Next go to the Server.app, create a new self signed certificate with a memorable name and save it. When Keychain Access asks for permission select ‘always’. Open Keychain Access and find the new cert. Click the disclosure triangle and Shift click to select both parts of the certificate. Option click this selection and select ‘export 2 items’ and save to the desktop as the name ‘identity.p12’
Now we’re going to export those keys in a format that RADIUS can import
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /etc/raddb/certs/server.crt -nodes -nokeys
But this fails with
/etc/raddb/certs/server.key: No such file or directory
HERE’S THE NEW BIT
And sure enough, there is no etc/raddb/ folder, and also even if you create the folder structure, when you ls -ls into that folder you don’t get he expected output as shown in Jedda’s video. And the import finishes suspiciously fast. And it doesn’t work. It turns out that the whole RADIUS config has been moved to /Library/Server/radius/raddb/
So in fact we need to issue
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /Library/Server/radius/raddb/certs/server.key -nodes -nocerts
openssl pkcs12 -in ~/Desktop/Identity.p12 -out /Library/Server/radius/raddb/certs/server.crt -nodes -nokeys
And this does appear to work, we can check that these new certs do appear in the correct folder.
The next task is to install these certificates into RADIUS
radiusconfig -installcerts /Library/Server/radius/raddb/certs/server.key
radiusconfig -installcerts /Library/Server/radius/raddb/certs/server.crt
This does not work if you issue the commands one at a time as described in Krypted’s article. Has the syntax changed, or is Krypted’s syntax wrong?
Man says the syntax is radiusconfig -installcerts <private-key> <certificate> [<trusted-ca-list> [yes|no [common-name]]]
But what the hell does that mean?
Jedda says (updated for new location)-
radiusconfig -installcerts /Library/Server/radius/raddb/certs/server.key /Library/Server/radius/raddb/certs/server.crt
which does appear to work- but the problem here is that it does not seem to build the DH stuff as described in the video? Then we start RADIUS in debug mode by using
radiusd -X
and this fails with an SQL error- I had a whole lot of boring text here but suffice to say it did not work. So I posted the question to the MacEnterprise mailing list and a lovely French guy called Yoann Gini said ‘why don’t you use this GUI tool that I wrote for exactly this purpose……
So to say thank you I’m writing up some instructions for the app. It doesn’t need much!
Ladies & gentlemen, meet Admin Tool Radius, and the instructions are here
Update- it’s also possible that this post has the secret sauce, but I’m not going back now that I have a GUI tool…….