OpenDirectory on Mac OS X 10.6 authenticating Cisco ASA

mail at wetzelandson.com mail at wetzelandson.com
Tue Jan 12 19:52:29 CET 2010


Thank you for any consideration of this issue in advance.

Essentially I, and several others on Apple's Server forum, are looking to
get a Cisco ASA
to authenticate VPN users against a Mac 10.6 Server (free)RADIUS.  Can
anyone offer
setup suggestion to a modestly skilled user on a standard Apple
installation?  We tested the following setup procedure on a test 10.6.x
server, the "radtest" did not work.

The set up we use currently was done as follows to give an idea of what we
have figured out in the past :

OSX Server 10.5.4
Cisco ASA 5510

In Server Admin > Radius:
I did not use the setup helper.
Select a certificate to use for radius manually.
Start Radius

Edit etc/raddb/users
change
DEFAULT Auth-Type = System
to
DEFAULT = opendirectory
Restart Radius
Test to see if it is working by issuing on the server
sudo radtest usernameinOD userpasswordinOD localhost 0 testing123
If this is working you will get back some type of "accepted" message

Edit etc/raddb/clients.conf
Add Cisco ASA as client, read the comments in the file they are very clear
and helpful.
Take one of the sample clients, copy the sample and add appropriate
settings for your ASA and uncomment the lines so that they are executed :
IP address
shared secret/key
short/common name.
File says that there are some optional items. I did not set any of them.

On the ASA
Go to the AAA settings. As appropriate, set up an authentication server
using radius, at your RADIUS server IP using the shared key as expected
and the shortname from the RADIUS setup as the common key in the ASA.
Our ASA gave the option to test, put in a user who is in the OD RADIUS
authorized group and as long as the test came back positive that server
could now be used to authenticate the numerous things it can be assigned
to.

Thanks again for your consideration.

-Erich Wetzel




More information about the Freeradius-Users mailing list