Get RADIUS authentication working with Open Directory and more on OS X Server
RADIUS allows for 802.1x, WPA Enterprise and other forms of authentication. Between RADIUS and LDAP you should be able to authenticate just about any network service that you need.
Ed. Note: Please note that this article walks you through compiling FreeRADIUS from scratch. This will get you a newer version than some of the pkg installers for OS X that are out there; however, it will not allow you to use all authentication types with Open Directory users. To do this you’ll need to get the pkg installer from Andreas Wolf.
While I’ve used and like FreeRADIUS, especially Mr. Wolf’s package installer, I’ve also been meaning to try out Elektron, which is a pretty Aqua-licious and reasonably priced RADIUS server.
Recently I had the need to accurately track office-wide internet access. After some research it seemed that Radius had the accounting and device support required. While Radius seems to be an aging standard for authentication and access control, it still has decent support, accounting abilities and some features not yet implemented in the excellent Directory services that 10.3 Server supports.
Freeradius is extremely flexible: it will act as an authentication interface for a number of sources including LDAP, MS-CHAP, PAM, Unix Passwords and its own internal files. It also has excellent logging and control abilities. Another good feature is that it can log to and get user information from a number of SQL variants including MySQL and Postgres.
Freeradius and OS X
Fortunately Andreas Wolf was kind enough to provide a packaged installer for the Freeradius project, an Open Source Radius server implementation. However, there are a number of things that you cannot do with the packaged installer. A combination of updates to Apple’s development tools and Freeradius seems to have rectified the compilation issues that forced Andreas to create a customised version.
FreeRadius will compile under 10.3, as long as you have the Developer Tools installed – and you make one (actually two) slight changes if you run into an error compiling it.
It seems users have reported running into issues with the MySQL RLM Module.
Grab the latest version of Freeradius – I used the cvs snapshot but the latest stable version 1.02 works fine.
Using Terminal, untar the downloaded file:
<code>tar -xzf freeradius1.0.2.tar.gz
cd freeradius1.0.2</code>
FreeRadius is ready to configure immediately with no added tags.
<code> ./configure </code>
When the configuration has completed you will need to check and possibly modify one make file.
<code> cd src/modules/rlm_sql/drivers/rlm_mysql/rlm_sql_mysql/ </code>
Unfortunately, in this driver module ./configure can add an incorrect option for compiling the MySQL component. You will see the linker being passed the options -arch i386 -arch ppc if you try to make Freeradius. To fix this you need to edit the make file.
Using your favourite text editor, remove the -arch i386 option, leaving the -arch ppc option, from both lines in the:
Once this is done you can run make from the freeradius directory and you should have no issues.
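The make file edit described above can also be scripted so that it is repeatable and leaves a backup. This is an added example, not code from the original article or the FreeRADIUS project: the function names and the sample make file contents are assumptions constructed for illustration, and you supply the path of the driver's make file yourself.

```sh
#!/bin/sh
# Added example (not from the article): remove the stray "-arch i386" flag
# from a generated Makefile while keeping "-arch ppc".

# strip_arch_i386 MAKEFILE
# Returns 0 if the file was changed, 1 if the flag was not present,
# 2 on error. The untouched original is kept as MAKEFILE.orig.
strip_arch_i386() {
    mk=$1
    [ -f "$mk" ] || { echo "no such file: $mk" >&2; return 2; }
    grep -q -e '-arch i386' "$mk" || return 1
    cp -p "$mk" "$mk.orig" || return 2
    # BSD and GNU sed disagree on -i, so write from the backup instead.
    sed 's/-arch i386 *//g' "$mk.orig" > "$mk" || return 2
    # Fail loudly if any occurrence survived the edit.
    if grep -q -e '-arch i386' "$mk"; then return 2; fi
    return 0
}

# count_flag FLAG FILE: print how many lines of FILE contain FLAG.
count_flag() {
    grep -c -e "$1" "$2" || true
}

# Constructed sample; the variable names and paths are assumptions, not
# lines copied from the real rlm_sql_mysql Makefile.
write_sample_makefile() {
    cat > "$1" <<'EOF'
CFLAGS  = -O2 -arch i386 -arch ppc -I/usr/local/mysql/include
LDFLAGS = -arch i386 -arch ppc -L/usr/local/mysql/lib -lmysqlclient
EOF
}

demo() {
    dir=$(mktemp -d) || return 2
    write_sample_makefile "$dir/Makefile"
    if strip_arch_i386 "$dir/Makefile"; then
        diff "$dir/Makefile.orig" "$dir/Makefile" || true
        echo "i386 lines left: $(count_flag '-arch i386' "$dir/Makefile")"
        echo "ppc lines kept:  $(count_flag '-arch ppc' "$dir/Makefile")"
    fi
    rm -rf "$dir"
}

demo
```

Running the function a second time on the same file returns 1, which makes it safe to call from a build script that may be re-run.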
When the make is complete run:
<code> make install </code>
This will install the FreeRadius tools and configuration files.
You can test the install by going to the default install location:
<code>cd /usr/local/sbin/
./radiusd -X</code>
Freeradius should run and present you with debugging output; the final line should say it is ready to accept connections.
You can use Freeradius as an authentication server with a number of devices. One excellent implementation is to combine m0n0wall, MySQL and FreeRadius to track usage of your internet connection. You can even get Freeradius to talk to the Apple LDAP server so user access can be done simply from your LDAP server.
Configuration of Freeradius is done through the radiusd.conf configuration file, the users file and the clients.conf file. Each of the configuration files is relatively well documented so you should have no problems using them and setting up Freeradius for whatever implementation you require. You can find these files in
<code> /usr/etc/raddb/ </code>
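LDAP Note: To prevent issues make sure you comment out the TLS options under the LDAP settings. They are not required unless you need to use SSL. With TLS off, the traffic between radiusd and the LDAP server, including any bind password, is sent unencrypted, so leave it off only where that link is trusted.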
System: Freeradius was compiled on 10.3.8 Server and the latest version of XCode