Topic: RADIUS Chapter

mwillis87

RADIUS Chapter
« on: January 03, 2015, 08:27:58 AM »
Hi Reid,

Firstly, thanks for all the hard work - it was a most enjoyable and informative read.

I have some questions concerning the RADIUS chapter (actually, it was the reason I purchased this book).

I'm trying to use RADIUS to authenticate users over a wireless network (nothing new there). However, I'm not using or attempting to use Airport hardware. This is a deployment with enterprise APs. In the book, all the scenarios use an Airport in some way, shape or form.

Are you suggesting that the best way to set up this deployment is to start with an Airport to configure it all and then move on? Can you suggest a way to configure this entirely without introducing an Airport to the network?

I've spent hours today trying to configure this service with no luck (prior to getting your book); there appears to be very little user documentation out there for Yosemite. This is my first time using FreeRADIUS in an OS X deployment.

Any Advice?
Thanks again! Great read!

Reid Bundonis

Re: RADIUS Chapter
« Reply #1 on: January 04, 2015, 11:52:06 AM »
Happy New Year!

Sorry for the delay in replying.  I took a few days off to recharge the batteries and allow the old year to fade and the new to start.

May I ask which APs you are using?

And no, Airports are not a requirement.  I used Airports in the book as this is a common field find for us.  Small businesses who go the Apple route tend to go all in with Apple products.  However, if you are using SonicPoints, Aerohive, or others, you should be able to integrate the radius authentication.  As shown in the book, I commonly configure SonicWall firewalls into the RADIUS allowing for VPN authentication to OD instead of replicating the accounts.

Share with me the products that you are using.  If I come up with the solution and you are up for it, I will add it to the book so that it may help others.


mwillis87

Re: RADIUS Chapter
« Reply #2 on: January 05, 2015, 05:08:28 AM »
Happy New Year!

Thanks for your response!

Meraki APs and firewalls will be deployed (so in actuality it will be RADIUS authentication for both wireless and VPN).

Any ideas you can provide would be great. Thanks!

Reid Bundonis

Re: RADIUS Chapter
« Reply #3 on: January 05, 2015, 11:26:08 AM »
On the surface, it sounds like this should work.  My guess is this can go one of two ways.  Either you add each AP or you add the controller.  I am going to bet on the controller option since it sounds like Meraki is aggregating the requests through the controller.

Now the one piece I am not sure about is the Meraki interface for where you set the RADIUS values.  I would start here:  https://kb.meraki.com/knowledge_base/radius-configure-an-externally-hosted-radius-server-for-wpa2-enterprise

If the Meraki is sending the RADIUS auth to the controller, then to the RADIUS server, then I am going to guess that you need to do the following:

1:  Determine the IP of the Meraki controller.  Let's assume it is 10.0.2.1.
2:  Determine the IP of the OS X Server.  Let's assume it is 10.0.2.2.
3:  On the OS X Server, run the -addclient to add the controller as the client.

sudo radiusconfig -addclient 10.0.2.1 NameOfController

You will be prompted for a shared secret.  That must be used in the Meraki Dashboard.

4:  Install the certs as per the book's instructions, associating an SSL cert with the RADIUS service.
5:  Complete the remaining steps to get OD auth working.

6:  In the Meraki Dashboard, add the server as a RADIUS server and enter the shared secret.

7:  Start RADIUS
8:  Use the dashboard to test the authentication.

Let me know if this works.

mwillis87

Re: RADIUS Chapter
« Reply #4 on: January 09, 2015, 09:56:51 AM »
Hi Reid,

It works as expected following your solution. I have not yet added the radius group; it is authenticating all OD accounts (I will do further testing also with the radius group tomorrow).

The only change I made was specifying a TYPE parameter when adding clients:

-addclient [ip] [name] other

as previously, in the naslist, it would show the type as "Airport Base Station".

I am running the radiusd and have been monitoring authentication from both Wireless Devices and the internal test function inside the Meraki dashboard and it's all working in a Lab Environment.

I will do some more testing later. For further testing/troubleshooting, would you recommend turning on any further options for the log file? If I try to view the log file (/var/log/radius/radius.log) it does not have the correct permissions. Is this correct?

Regarding the Meraki solution. The controller is a cloud hosted platform, so authentication is performed locally by each AP, you are adding the local IP of the AP not the controller.

Thanks!

Reid Bundonis

Re: RADIUS Chapter
« Reply #5 on: January 09, 2015, 01:41:20 PM »
Awesome!  I am glad this is working out. 

Regarding the logging, some of the logs on OS X have restrictive permissions.   You might try:

sudo -s

That will promote the admin to "root".  Then tail the log like:

tail -f /var/log/radius/radius.log

I am on the road but I believe the radius.log is one of those logs that is set to 600 (rw by owner, and --- for everyone else).
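As an added example (not code from the book or from either poster), here is a small parser for the kind of "Auth: Login OK / Login incorrect" lines that radiusd writes to radius.log, of the sort mentioned above when monitoring authentication from the Meraki APs. The sample lines, the client names Meraki-AP-1 and Meraki-MX, and the user names are constructed; the line layout follows the FreeRADIUS 2.x auth log format, which is an assumption about what a given radius.log actually contains.

```python
import re
from collections import Counter, defaultdict

# Matches FreeRADIUS 2.x style auth lines. "client" is the NAS name given when
# the client was added with radiusconfig -addclient (assumption: the AP names).
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect)"
    r"(?: \((?P<reason>[^)]*)\))?: \[(?P<user>[^\]]*)\]"
    r" \(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>\S+))?\)"
)


def parse_line(line):
    """Return the auth fields of one radius.log line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, fail_threshold=3):
    """Count OK/incorrect per client and flag (client, user) pairs that failed
    at least fail_threshold times, which is what a defender scans the log for."""
    per_client = defaultdict(Counter)
    fails = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # startup messages, warnings, anything that is not an auth result
        per_client[rec["client"]][rec["result"]] += 1
        if rec["result"] == "incorrect":
            fails[(rec["client"], rec["user"])] += 1
    flagged = sorted(k for k, n in fails.items() if n >= fail_threshold)
    return {c: dict(v) for c, v in per_client.items()}, flagged


# Constructed sample log: one AP with a user failing three times, one firewall.
SAMPLE_LOG = """\
Fri Jan  9 09:50:01 2015 : Info: Ready to process requests.
Fri Jan  9 09:50:12 2015 : Auth: Login OK: [alice] (from client Meraki-AP-1 port 0 cli 00-11-22-33-44-55)
Fri Jan  9 09:50:40 2015 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client Meraki-AP-1 port 0 cli 66-77-88-99-AA-BB)
Fri Jan  9 09:50:52 2015 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client Meraki-AP-1 port 0 cli 66-77-88-99-AA-BB)
Fri Jan  9 09:51:03 2015 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob] (from client Meraki-AP-1 port 0 cli 66-77-88-99-AA-BB)
Fri Jan  9 09:52:15 2015 : Auth: Login OK: [carol] (from client Meraki-MX port 0)
""".splitlines()

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for client, c in sorted(counts.items()):
        print(f"{client}: ok={c.get('OK', 0)} incorrect={c.get('incorrect', 0)}")
    for client, user in flagged:
        print(f"repeated failures for {user!r} via {client}")
```

Because the log is root-readable only, run it as `sudo python3 thisfile.py < /var/log/radius/radius.log` or feed it lines from the `tail -f` session above.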