FreeRADIUS Installation and Setup on Mac OS X

Mail me directly at justin DOT guidroz AT gmail DOT com if you have any issues with these instructions.

Update 12/07/04: rlm_sql module now compiled into FreeRADIUS package.
Update 6/14/05: Disk image binary built from 2/14/05 source.

This guide includes:
1 - FreeRADIUS CVS snapshot from 12/02/04 installer package.
2 - FreeRADIUS StartupItem installer package for Mac OS X.
3 - Instructions for setting up EAP-TTLS to an Open Directory Server.
Disclaimer: I'm assuming you have a working implementation of Open Directory Server.

FreeRADIUSInstaller (Includes both FreeRADIUS installer and StartupItem)

Installer Package Information

The CVS snapshot was patched with freeradius-ssl-1.1.0-pre0.patch. I found the original patch at Andreas Wolf's website.
I updated the patch to work on the latest CVS snapshot. My needs for the patch were for running radiusd as a daemon,
which a typical build of FreeRADIUS will not do on Mac OS X, as detailed here and here.
The patch also includes other fixes that are detailed in the above links.

The package was built using
$ ./configure --prefix=/usr/local/freeradius
If I can get it built with the rlm_sql module, I will update the package.
The Mac OS X installer installs to
/usr/local/freeradius
The configuration files to edit are located at
/usr/local/freeradius/etc/raddb
radiusd is located at
/usr/local/freeradius/sbin
and radtest and radclient are located at
/usr/local/freeradius/bin
For testing purposes, execute radiusd from /usr/local/freeradius/sbin in debugging mode (it stays in the
foreground and logs every request) with the command
$ sudo ./radiusd -X

FreeRADIUS StartupItem Installer

This package installs a StartupItem named FreeRadius at
/Library/StartupItems/FreeRadius
The StartupItem uses rc.radiusd to start the server. The standard configuration starts radiusd
without any arguments. If you need the server to start with some arguments, you can add them to the
rc.radiusd file located at
/usr/local/freeradius/sbin/
After you run the installer, you must also add an entry to
/etc/hostconfig
Copy the following into a terminal
$ echo 'RADIUSSERVER=-YES-' | sudo tee -a /etc/hostconfig
entering your password when prompted. (A plain "sudo echo RADIUSSERVER=-YES- >> /etc/hostconfig" does not
work: the redirection is performed by your own, unprivileged shell, so only the echo runs as root and the write
to /etc/hostconfig is refused.) Now radiusd will start upon reboot.
If you do not want FreeRADIUS to start upon boot, just edit /etc/hostconfig and change RADIUSSERVER=-YES- to
RADIUSSERVER=-NO- and save the file.
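Appending with tee -a works once, but running it twice leaves two RADIUSSERVER lines, and toggling -YES- to -NO- means editing by hand. The following helper is an added example, not part of the original page or of the FreeRADIUS package: it sets a KEY=VALUE line in a hostconfig-style file, replacing an existing entry in place and appending only when the key is absent. The function names and the temp-file naming are this example's own choices. Run the script itself under sudo when the target is the real /etc/hostconfig, since the file write must happen in the privileged process.

```shell
#!/bin/sh
# Added example (not from the original page): idempotently set KEY=VALUE in an
# /etc/hostconfig-style file. Unlike "echo ... >> /etc/hostconfig", this never
# appends a duplicate line and it toggles an existing entry in place.
# Usage: set_hostconfig_key /etc/hostconfig RADIUSSERVER -YES-

set_hostconfig_key() {
    file=$1; key=$2; value=$3
    # sed -i differs between macOS and GNU sed, so write to a temp file and
    # move it into place instead.
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file" 2>/dev/null; then
        # key already present: rewrite that one line, keep everything else
        sed "s|^$key=.*|$key=$value|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        # key absent: append exactly one line (printf, so no echo quirks)
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Print the current value of KEY from FILE, or nothing if it is not set.
get_hostconfig_key() {
    sed -n "s|^$2=||p" "$1"
}
```

Calling set_hostconfig_key a second time with -NO- flips the existing line rather than adding another, which is what you want when you later decide radiusd should not start at boot.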

WPA Enterprise

My hardware configuration includes a server running Mac OS X Server 10.3.6 with Open Directory configured
and running, a Linksys WRT54G wireless access point, and a laptop running Mac OS X 10.3.6.

Andreas Wolf's website provides fantastic instructions about configuring and installing certificates
to utilize EAP-TLS and EAP-TTLS. For Open Directory, we will be configuring EAP-TTLS,
so make sure to also uncomment the TTLS section in eap.conf. The server certificates are needed for both EAP-TLS and
EAP-TTLS. For EAP-TTLS, you do not need a client certificate, so do not create and install the client certificate
unless you want to use EAP-TLS.

For Open Directory, you need to set up the LDAP section in radiusd.conf. These are the only two settings I've
changed so far:
ldap {
	...
	server = "localhost"
	...
	basedn = "dc=xserver"
	...
}
In my Open Directory server, dc=xserver is my search base. Put whatever is in your search base
on your Open Directory server for the basedn in the LDAP module. If you are running FreeRADIUS
on a separate server from your Open Directory server, I would strongly suggest
configuring TLS between your FreeRADIUS server and your Open Directory server.
Now in the authorize section of radiusd.conf, uncomment ldap and make sure eap is uncommented as well
(module names in these sections are lowercase, matching the module blocks above them).
authorize {
	...
	ldap
	...
	eap
}
In the authenticate section, uncomment the Auth-Type LDAP block and make sure eap is uncommented also.
authenticate {
	...
	Auth-Type LDAP {
		ldap
	}
	...
	eap
}
Now in clients.conf, add an entry for your wireless access point
...
client 192.168.0.1 {
	secret = testing123
	shortname = anything
}
...
testing123 is the example secret from the shipped clients.conf. RADIUS uses this shared secret to authenticate the
exchange between the access point and radiusd, so replace it with a long random value of your own before putting
the server into service.
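To avoid shipping the sample secret into production, the snippet below generates a clients.conf stanza with a freshly generated secret and refuses testing123 or anything short. It is an added example, not code from the original page or from FreeRADIUS; the function names and the 16-character floor are this example's own choices, not FreeRADIUS requirements.

```shell
#!/bin/sh
# Added example (not from the original page): emit a clients.conf stanza for an
# access point, refusing the FreeRADIUS sample secret "testing123" and any
# secret shorter than 16 characters (a floor chosen for this example).

# Print a random shared secret: 32 alphanumerics drawn from /dev/urandom.
# LC_ALL=C keeps macOS tr from rejecting the random bytes as bad multibyte input.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}

# Return 0 if SECRET is acceptable, 1 otherwise.
check_secret() {
    secret=$1
    [ "$secret" != "testing123" ] || return 1
    [ ${#secret} -ge 16 ] || return 1
    return 0
}

# client_stanza IP SHORTNAME SECRET: write the clients.conf block to stdout,
# or fail without output if the secret does not pass check_secret.
client_stanza() {
    ip=$1; shortname=$2; secret=$3
    check_secret "$secret" || { echo "refusing weak secret for $ip" >&2; return 1; }
    printf 'client %s {\n\tsecret = %s\n\tshortname = %s\n}\n' "$ip" "$secret" "$shortname"
}
```

A typical call is client_stanza 192.168.0.1 wrt54g "$(gen_secret)" >> /usr/local/freeradius/etc/raddb/clients.conf; the same secret then goes into the WRT54G's WPA Enterprise page.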
In the users file, comment out the default user entry. Leaving it in will keep you from authenticating properly.
Now start the server using
$ sudo ./radiusd -X
If all goes well, you will see the server waiting to process requests.

Linksys WRT54G Setup

To set up the Linksys WRT54G, enter the web configuration and set the wireless security to WPA Enterprise,
put in the IP address of your RADIUS server, and type in the secret that you entered into the clients.conf file.
Now your Linksys WRT54G access point is ready.

Mac OS X Client Setup

Andreas Wolf posts a good tutorial on how to set up a Mac OS X client (this part starts at step 10).
At step 10, he talks about configuring EAP-TTLS. Only check off EAP-TTLS and configure it to use PAP as the inner authentication.
Save your configuration, enter the username and password that are in Open Directory, and if all works, you should be connected
via TTLS and surfing the web.

Disclaimer: The above worked for me in my environment. This may not work in all environments, but it could be a good guide
in getting other setups working.