OS X Mavericks not connecting to Debian FreeRADIUS

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Wed Aug 12 11:13:54 CEST 2015


Edward,

FreeRADIUS has a steep learning curve that you have to appreciate. You won't be an expert in FR in a week... many people here have been using it for years.

> career systems administrator may already know which value to use but others would not, so why don’t they just give a specific example of using a wireless router in the lengthy docs of the config file and mention the name LAN IP or WAN IP?  Also it is annoying to me how often the wireless router is referred to as the  “client” in all sorts of instructions that I see, it is confusing terminology for the process even if it is technically correct.

It is not confusing. It is in fact very straightforward. Anything connecting to the RADIUS server (i.e. the server running FreeRADIUS) is a client. If you have a WiFi Access Point that you're connecting to FR, that is your client. It must have an IP address defined in clients.conf, or else it can't talk to the server. The same goes for Network Access Servers, which connect to the FR server. They are the FR clients in the context of clients.conf.

> Anyway, with the ipaddr set to be the WAN IP of the router (and I also tried using the LAN IP, since the instructions don’t specify!) and the “Auth Server Address” set to be the IP of the server computer, the OS X client computer still gives me the “Invalid password” error.  (Previously I have already tried all combinations of the IP addresses even before posting to this forum, I just wanted to clarify once and for all when I asked..)

When your OS X client computer attempts to authenticate, do you see anything happening on the FreeRADIUS server (run it in debug mode)? If not, the client address you've given is likely to be incorrect. You *can* provide a CIDR notation for an entire subnet (i.e. 192.168.23.0/24) to allow the entire subnet to come through the same client definition. That is documented in clients.conf.

> I have seen varying instructions which explain differing optimum addresses to set the static address of the server computer to be.  I realize that it is important to set this to ensure that it doesn't change over time, but you did not really answer my question when I asked if it is crucial to set that for testing purposes when I know what the address of the server computer is in the meantime.

Yes, it is crucial to know what your server IP address is. Without it you can't expect to get a connection if you define a single IP address as a client.

> Are you familiar with using XML profiles for configuring networking on Mac computers on newer OS X operating systems?  I have seen information about that associated with WPA2-Enterprise and some sources even seem to suggest that it is mandatory with the newer operating systems.

Alan Buxey has been very clear about this. You need to create a file that you import on the client computer, i.e. the endpoint, the machine that is trying to connect to the network. Apple has made things more difficult in newer operating systems by removing certain configuration utilities and dialogs, so you are now required to 'provision' configuration files.

This URL explains what Alan has already told you: http://www.wi-fiplanet.com/tutorials/configuring-802.1x-in-mac-os-x-lion-and-later.html, but it is (obviously) somewhat out of date now. This URL explains how profiles work in Yosemite (and explains the Profile Manager in OS X Server): http://arstechnica.com/apple/2014/11/a-power-users-guide-to-os-x-server-yosemite-edition/4/

The profile manager and the Apple Configurator (which replaced the iPhone Configuration Utility, or IPCU as everyone refers to it) are what you use to create a .mobileconfig file. Apple Configurator help is here: http://help.apple.com/configurator/mac/1.7.2/#/cadbf9e6ff (don't say we're not being helpful ;-))

> As far as using the default method for creating the certificates in “raddb/certs,” almost all of the online sources I have seen have said not to use that method and give instructions for clearing that out and using custom openssl commands instead.

Look at the date of said online sources, and when they were last updated. If it's anything before last year, you can be guaranteed that they are out of date. FreeRADIUS makes *huge* strides in a year (and I know this because I first had exposure to FR 2.1.12 in 2013 and have found that the product has vastly improved since). Everyone I know uses the 'make' or 'bootstrap' commands in the /etc/raddb/certs directory... The makefile and the certificate configs (ca.cnf, server.cnf and client.cnf) have been regularly updated to the latest recommended configurations (amongst them using SHA1 as the hashing algorithm and 2048 bits as key length).

Alan, Arran, and all the contributors try to keep everything as best practice as they can, but it's up to your distribution to keep up with the developments. If they don't, you are still free to build the product from source with any of the distribution build scripts that are included in the source, and they are very straightforward.

> Do you know of success creating certificates that work with OS X Mavericks using that default method?  And can that method be automated using scripting?

Yes. And yes. The default contents of /etc/raddb/certs contains everything you need to script it.

> Right now that directory has been wiped out on my computer according to online instructions I have followed, so I can’t read any instructions that may have been included with it.  Do you know if there have been recent upgrades to the “raddb/certs” method in the newer versions of FreeRADIUS which would give it greater compatibility with newer versions of OS X?

You can download the contents of the /etc/raddb/certs directory from Github if you need to... Tweak the .CNF files to suit your organisation details, and if necessary adjust certificate expiry periods. Then run 'make clean' to clear out old certificates, then ./bootstrap or 'make' to make new ones.

:-)

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG

jisc.ac.uk

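The two practical points of the reply, the clients.conf entry for the access point (with CIDR as an option) and the certificate rebuild in raddb/certs, as an added shell example. This is not code from the list post or from the FreeRADIUS project; it assumes the clients.conf syntax of FreeRADIUS 2.x/3.x (a `client` block with `ipaddr` and `secret`), that Debian installs the daemon as `freeradius` where other distributions use `radiusd`, and that the certs directory carries the project's Makefile and ca.cnf. The client names, the 192.168.23.x addresses and the shared secret are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the list post or the FreeRADIUS project).
# 1. Write a clients.conf stanza for the access point, which is the RADIUS
#    "client" in the reply's sense. The address is checked first, because a
#    wrong 'ipaddr' makes the server ignore the AP's requests and the only
#    symptom on the Mac is "Invalid password".
# 2. Rebuild the raddb/certs material the way the reply describes:
#    edit the .cnf files, 'make clean', then 'make' (or ./bootstrap).
# Names, addresses and the secret below are constructed for the demo.

# Accept a dotted IPv4 address, optionally with a /prefix (CIDR) as
# clients.conf allows, e.g. 192.168.23.0/24; reject everything else.
valid_ipv4_or_cidr() {
    case $1 in
        */*) ip=${1%%/*}; prefix=${1#*/} ;;
        *)   ip=$1; prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one clients.conf stanza: client_stanza NAME IPADDR SECRET.
# 'ipaddr' must be the address the server sees as the *source* of the AP's
# Access-Request packets; for a server on the router's own LAN that is the
# router's LAN-side address. Running the server in debug mode shows the
# address it actually saw, which is the quickest way to settle WAN vs LAN.
client_stanza() {
    valid_ipv4_or_cidr "$2" || { echo "client_stanza: bad ipaddr '$2'" >&2; return 1; }
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n}\n' "$1" "$2" "$3"
}

# Start the server in the foreground with full debug output (the reply's
# first diagnostic). A request from an address that is not in clients.conf
# is logged as coming from an unknown client instead of being processed.
debug_server() {
    if command -v radiusd >/dev/null 2>&1; then
        radiusd -X
    elif command -v freeradius >/dev/null 2>&1; then
        freeradius -X        # Debian's name for the same binary
    else
        echo "debug_server: FreeRADIUS is not installed here" >&2
        return 1
    fi
}

# Rebuild the CA, server and client certificates: adjust ca.cnf, server.cnf
# and client.cnf (organisation, expiry) first, then clean and rebuild.
# Does nothing unless DIR looks like the project's raddb/certs directory.
regen_certs() {
    dir=${1:-/etc/raddb/certs}
    if [ ! -f "$dir/Makefile" ] || [ ! -f "$dir/ca.cnf" ]; then
        echo "regen_certs: no FreeRADIUS certs directory at $dir; skipping" >&2
        return 1
    fi
    (cd "$dir" && make clean && make)
}

# Demo with constructed values: one stanza for a single AP and one that
# admits the whole subnet, as the reply says CIDR notation permits.
client_stanza ap-lounge  192.168.23.1    CHANGE_ME_SHARED_SECRET
client_stanza lan-subnet 192.168.23.0/24 CHANGE_ME_SHARED_SECRET
```

Append the printed stanzas to clients.conf (or drop them in clients.d/ where the packaging provides it), restart the server, then run `debug_server` while the Mac attempts to join: if no request is logged at all, the `ipaddr` is the thing to fix before looking at certificates or passwords.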


