How do I setup RADIUS integration with Open Directory on 10.7/10.8?

  • Question
  • Updated 4 years ago
  • Answered
I'm starting a setup of 802.1X for Apple Open Directory (OS X Server, Mountain Lion). I'd like to authenticate users and assign VLANs based on group membership. Does anyone have any advice or documentation that would be helpful? I'm running HMOL 6.0r2.

Any help is appreciated!

Kurt
Kurt Kidder

Posted 5 years ago

Mike Kouri, Official Rep

Kurt,
Have you searched the online help for HiveManager for the phrase "open directory"? I'm on a tablet tonight so I cannot easily cut and paste for you, but I'm pretty sure you'll be able to find the section on setting up an external AAA server.

David Coleman, Official Rep

We cannot set up Aerohive devices as RADIUS servers to directly access Open Directory in Lion or Mountain Lion since Apple removed Samba. Aerohive access points functioning as RADIUS servers will work with Snow Leopard.

If you simply want Aerohive APs to function as authenticators to the RADIUS built into Mountain Lion.... we can do that and I have a configuration document that I can send you which was put together by one of our best system engineers, Sam Keys. Let me know if you want it.

David

Kurt Kidder

Hi David, I would like to have the document.

Thanks,

Kurt
kkidder@m-tsc.com

Kurt Kidder

Just to follow up, confirming David's response. I'll need to set up an SSID for each category that I want to assign a VLAN to, i.e. staff VLAN and 802.1X to Apple OD for authentication, student VLAN and 802.1X to Apple OD, etc.

So in this manner I can still auth the staff and students via an SSID set up for each. However, it's not too elegant a solution, and anyone in the OD could use any SSID.

Any other suggestions you might have would be appreciated.

Thanks,

Kurt

Sam

Hi Kurt,

If you follow the guide, you can have a single SSID, and authenticate staff/students and place them in different VLANs or user profiles dynamically. FreeRADIUS works just as if our APs were joined to OD, which unfortunately is only supported by 10.6 and below.

FreeRADIUS comes packaged in 10.7/10.8; the guide details how to configure it under the hood.

In 10.7+ Apple removed Samba and wrote their own SMBX.

Cheers,
Sam

Kurt Kidder

Hi Sam,

What guide are you referring to?

Thanks

Kurt

Sam

Hi Kurt,

Apologies about that, I presumed David sent it already based on the conversation above. I just sent the guide to your email.

If you have any questions, feel free to email me.

-Sam

Juha Lindström

Could you send me the guide as well? My email's juha.lindstrom at gmail

Would be a really interesting guide to read..

//Juha

Sam

Juha,

You've got mail.

-Sam

shoremedia

+1, may I have a copy of the guide as well?
Thanks!

Dominique Glassey

Hi, can I have a copy of the guide please?
Thanks
Dominique
dglassey@dgsolutions.ch

Sam

Dominique & Shoremedia,

Here is a link where you can download the guide: https://docs.google.com/file/d/0B89wL...

-Sam

Dominique Glassey

Thank you :-)

Christopher Tawes

After following the instructions in your document, I run radiusd -X and get this error:

rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
rlm_eap_tls: Error loading randomness
rlm_eap: Failed to initialize type tls
/private/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/private/etc/raddb/sites-enabled/default[321]: Failed to load module "eap".
/private/etc/raddb/sites-enabled/default[256]: Errors parsing authenticate section.

any thoughts?

Aaron Scott

I found this too.

I ended up using the following link to help set up the 10.8 RADIUS server together with the AH doco. Found it a lot easier for importing the certificates (using commands instead of editing conf files).

http://jedda.me/2012/11/configuring-b...

Sam

Hi Chris,

Please send me the following files:
/private/etc/raddb/eap.conf
/private/etc/raddb/sites-enabled/default

Chances are it's a space or \r or \n.

Best,
Sam
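Sam's hint above is about bytes the eye cannot see. The following is an added example in Python (not Aerohive's or FreeRADIUS's code, and not from the guide) that scans a raddb file for carriage returns, trailing blanks, non-breaking spaces and curly quotes, reports them by line, and produces a cleaned copy. The eap.conf fragment it scans is constructed for the demonstration; the option names in it are ordinary FreeRADIUS 2.x rlm_eap_tls keys.

```python
# Added example (not Aerohive's or FreeRADIUS's code): locate the invisible
# characters that make FreeRADIUS refuse an otherwise correct eap.conf or
# sites-enabled/default, i.e. the stray "space or \r or \n" Sam suspects.
from typing import List, Tuple

# Constructed sample: an eap.conf fragment saved with Windows line endings,
# a trailing double space, a non-breaking space pasted from a document, and
# "smart" quotes around a path.
SAMPLE = (
    b"eap {\r\n"
    b"\tdefault_eap_type = peap\r\n"
    b"\ttls {\r\n"
    b"\t\tprivate_key_file = ${certdir}/server.key  \n"
    b"\t\trandom_file\xc2\xa0= /dev/urandom\n"
    b"\t\tCA_file = \xe2\x80\x9c${cadir}/ca.pem\xe2\x80\x9d\n"
    b"\t}\n"
    b"}\n"
)

# UTF-8 sequences that render like a plain space or quote in an editor but
# are not ASCII, so the config parser treats them as part of a token.
SUSPECT_BYTES = {
    b"\xc2\xa0": "non-breaking space (U+00A0)",
    b"\xe2\x80\x9c": "left double quotation mark (U+201C)",
    b"\xe2\x80\x9d": "right double quotation mark (U+201D)",
    b"\xe2\x80\x98": "left single quotation mark (U+2018)",
    b"\xe2\x80\x99": "right single quotation mark (U+2019)",
}


def find_whitespace_problems(data: bytes) -> List[Tuple[int, str]]:
    """Return (line number, description) for every line carrying a carriage
    return, trailing blanks, or one of the SUSPECT_BYTES sequences."""
    problems: List[Tuple[int, str]] = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            problems.append((lineno, "carriage return (CRLF line ending)"))
            line = line[:-1]
        if line != line.rstrip(b" \t"):
            problems.append((lineno, "trailing whitespace"))
        for seq, name in SUSPECT_BYTES.items():
            if seq in line:
                problems.append((lineno, name))
    return problems


def normalize(data: bytes) -> bytes:
    """Return the file with LF endings, ASCII quotes and spaces, and no
    trailing blanks; this is what should be written back to the raddb file."""
    out = []
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r").replace(b"\xc2\xa0", b" ")
        for seq in (b"\xe2\x80\x9c", b"\xe2\x80\x9d"):
            line = line.replace(seq, b'"')
        for seq in (b"\xe2\x80\x98", b"\xe2\x80\x99"):
            line = line.replace(seq, b"'")
        out.append(line.rstrip(b" \t"))
    return b"\n".join(out)


if __name__ == "__main__":
    # Run the check on the constructed sample; on a real box read the file
    # bytes with open(path, "rb") and pass them in instead.
    for lineno, what in find_whitespace_problems(SAMPLE):
        print(f"line {lineno}: {what}")
```

Reading the file in binary mode matters: a text-mode read on macOS would silently hide the carriage returns that this check exists to find.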

Aaron Scott

Sam,

I do have an issue though, where the sites-enabled/default section fails to match the group name and so the attributes are not being returned.

I have this in the post-auth section, but when a client connects the logging on the RADIUS says the group doesn't match (even though the user is definitely in the group).

if (Group == "Workgroup") {
	update reply {
		Tunnel-Private-Group-ID = 2
		Tunnel-Type = GRE
		Tunnel-Medium-Type = IP
	}
}
else {
	update reply {
		Tunnel-Private-Group-ID = 3001
		Tunnel-Type = GRE
		Tunnel-Medium-Type = IP
	}
}

I have tried several groups. The client does connect just not getting the return attributes.

Any ideas?

Cheers,
Aaron

Sam

Hi Aaron,

Did you download Workgroup Manager and assign Primary GIDs?

The default server.app does not have the ability to modify Primary GIDs of users.

See Page 5 (OS X 10.8 Server User & Group Management)

Sam

Aaron Scott

Sam,

I knew it was simple!

Is there any way to match against a non-primary GID, or is it only able to match against the primary GID?

Thanks,
Aaron

Sam

Aaron,

From the testing I've done, I haven't found a way to do that. FreeRADIUS on OSX with OD seems to function differently than FR on *nix/bsd with LDAP or AD.

If you figure it out, let me know. :)

You could match against all default users with GID 20 in your else statement though...

Sam

Aaron Scott

Thanks Sam,

When I get a chance I'll have a play. I was just using it as a test environment for testing some RADIUS accounting issues our clients are getting.

Our Aerohive clients use the RADIUS accounting to allow for single sign-on to wireless + web filters; however, we are seeing delays with the accounting packets. The Framed-IP seems to take about 10 secs to get to the web filter.
So when they go to surf the net they are not authenticated (until the Framed-IP gets there). We are just not sure why there is a long delay.
This doesn't seem to be an issue with other wireless vendors we have tested this with though. Not sure if you can help though - probably should make it a new topic :)

Anyway thanks again for the doco on getting the RADIUS running on 10.8

Cheers,
Aaron

Sam

Aaron -

I got it working based off group name. - Shoot me an email. I'll send you a list of changes to make. The core lib of OD (10.7+) no longer returns anything for Group-Name...

"Group-Name" isn't a real attribute... It queries the POSIX getgrnam API which is normally referenced in /etc/group, but can be replaced by nsswitch.

Once we confirm it works in your environment as well, I'll update the document... SoonTM

I should really make a shell script for this... :P

Sam

Aaron Scott

I just wanted to thank Sam for working with us to get Aerohive + OSX 10.8 Server OD integration where we are using non-primary groups to decide which user profile / VLAN to assign users.

Thanks,
Aaron

Sam

For those who are waiting until I update the document... here is what to change in order to match on group name:

####################
/etc/raddb/sites-enabled/default
####################
# add ldap to the existing authorize section
authorize {

	ldap

}

####################
/etc/raddb/modules/ldap
####################
ldap {

	server = "root.aerohive.com"
	basedn = "dc=root,dc=aerohive,dc=com"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	base_filter = "(objectclass=posixAccount)"

	groupname_attribute = cn
	groupmembership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"

	ldap_debug = 0x0028

}

####################
/etc/raddb/users
####################

DEFAULT Ldap-Group == "testgroup"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "20",
	Fall-Through = no

DEFAULT Ldap-Group == "testgroup2"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 10,
	Fall-Through = no

####################
/etc/raddb/eap.conf
####################

# inside the existing eap { ... } section
peap {

	use_tunneled_reply = yes

}
#######################

Aaron Scott

And in /etc/raddb/users you can do user profile mapping as well:

DEFAULT Ldap-Group == "testgroup"
	Tunnel-Type = GRE,
	Tunnel-Medium-Type = IP,
	Tunnel-Private-Group-Id = "20",
	Fall-Through = no
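To see how Sam's VLAN entries and Aaron's user-profile entry are actually evaluated, here is an added example in Python (not Aerohive's, FreeRADIUS's or the guide's code) that parses users-file entries of that form, applies them to a request in file order with first-match-wins and Fall-Through semantics, and lints the Tunnel-* reply attributes against RFC 3580. The sample users file is constructed from the entries above; the "Ldap-Group" list on the request is an assumption standing in for what rlm_ldap's groupmembership_filter would look up.

```python
# Added example (not Aerohive's, FreeRADIUS's or the guide's code): simulate
# how FreeRADIUS walks the "users" file for the entries posted above.
# Assumption: the request carries an "Ldap-Group" list of groups the user is
# in, standing in for what rlm_ldap's groupmembership_filter would look up.
import re
from typing import Dict, List

# Constructed sample modelled on Sam's and Aaron's entries: an RFC 3580 VLAN
# assignment, an Aerohive user-profile style reply (GRE/IP), and a catch-all.
USERS_FILE = """\
DEFAULT Ldap-Group == "testgroup"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "20",
\tFall-Through = no

DEFAULT Ldap-Group == "testgroup2"
\tTunnel-Type = GRE,
\tTunnel-Medium-Type = IP,
\tTunnel-Private-Group-Id = 10,
\tFall-Through = no

DEFAULT
\tReply-Message = "no group matched"
"""

# attribute, operator, value (quoted or bare); commas separate items
_ITEM = re.compile(r'([\w-]+)\s*(==|:=|!=|=)\s*("[^"]*"|[^,\s]+)')


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_users(text: str) -> List[Dict]:
    """Entry lines start in column 1 (name + check items); reply items are indented."""
    entries: List[Dict] = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            name, _, rest = raw.partition(" ")
            checks = [(a, op, _unquote(v)) for a, op, v in _ITEM.findall(rest)]
            current = {"name": name, "checks": checks, "reply": []}
            entries.append(current)
        else:
            if current is None:
                raise ValueError(f"reply item before any entry: {raw!r}")
            m = _ITEM.fullmatch(raw.strip().rstrip(","))
            if not m:
                raise ValueError(f"cannot parse reply item: {raw!r}")
            current["reply"].append((m.group(1), m.group(2), _unquote(m.group(3))))
    return entries


def _check(request: Dict, attr: str, op: str, value: str) -> bool:
    """Check item: multi-valued request attributes match if any value matches."""
    actual = request.get(attr)
    present = [] if actual is None else [str(x) for x in (actual if isinstance(actual, list) else [actual])]
    if op == "==":
        return value in present
    if op == "!=":
        return value not in present
    raise ValueError(f"unsupported check operator {op!r}")


def evaluate(entries: List[Dict], request: Dict) -> Dict[str, str]:
    """Walk entries in file order; stop after the first match unless Fall-Through = yes."""
    reply: Dict[str, str] = {}
    for entry in entries:
        if entry["name"] != "DEFAULT" and entry["name"] != request.get("User-Name"):
            continue
        if not all(_check(request, a, op, v) for a, op, v in entry["checks"]):
            continue
        fall_through = False  # FreeRADIUS default when the item is absent
        for attr, op, value in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = value.lower() in ("yes", "1", "on", "true")
            elif op == ":=" or attr not in reply:
                reply[attr] = value  # '=' only adds when not already set
        if not fall_through:
            break
    return reply


def lint_tunnel_attrs(reply: Dict[str, str]) -> List[str]:
    """Flag Tunnel-* combinations an 802.1X authenticator will not act on."""
    warnings: List[str] = []
    ttype, medium = reply.get("Tunnel-Type"), reply.get("Tunnel-Medium-Type")
    gid = reply.get("Tunnel-Private-Group-Id")
    if ttype == "VLAN":
        if medium != "IEEE-802":
            warnings.append("Tunnel-Type VLAN needs Tunnel-Medium-Type IEEE-802 (RFC 3580)")
        if gid is None or not gid.isdigit() or not 1 <= int(gid) <= 4094:
            warnings.append("Tunnel-Private-Group-Id must be a VLAN ID in 1..4094")
    elif ttype is not None and gid is None:
        warnings.append("Tunnel-Type set without a Tunnel-Private-Group-Id")
    return warnings


if __name__ == "__main__":
    table = parse_users(USERS_FILE)
    for groups in (["testgroup"], ["testgroup2"], []):
        print(groups, evaluate(table, {"User-Name": "demo", "Ldap-Group": groups}))
```

The catch-all DEFAULT at the end is the part worth copying: with Fall-Through = no on every group entry, a user in neither group gets a deliberate reply instead of whatever VLAN the AP falls back to, which makes an accidental "matched nothing" visible in the RADIUS debug output.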