This is a follow-up to my previous post on Cisco AAA VPN and RADIUS on Mac OS X Server 10.8 – Mountain Lion.

To get the APC talking to our OS X box, we first need to register the APC as a RADIUS client so that RADIUS will accept requests from its IP address. On your Mac OS X Server running RADIUS, run the following command.

radiusconfig -addclient <APC-IP> <short-name> other

You’ll be asked to enter a shared key (the RADIUS secret); you’ll need it later when configuring the APC. See man radiusconfig for more details.

Then add the following APC vendor, attributes and values to the RADIUS dictionary, /etc/raddb/dictionary.

VENDOR		APC			318

BEGIN-VENDOR	APC

ATTRIBUTE	APC-Service-Type	1	integer
ATTRIBUTE	APC-Outlets		2	string
ATTRIBUTE	APC-Perms		3	string
ATTRIBUTE	APC-Username		4	string
ATTRIBUTE	APC-Contact		5	string
ATTRIBUTE	APC-ACCPX-Doors		6	string
ATTRIBUTE	APC-ACCPX-Status	7	string
ATTRIBUTE	APC-ACCPX-Access1	8	string
ATTRIBUTE	APC-ACCPX-Access2	9	string
ATTRIBUTE	APC-ACCPX-Access3	10	string
ATTRIBUTE	APC-ACCPX-Access4	11	string
ATTRIBUTE	APC-ACCPX-Access5	12	string
ATTRIBUTE	APC-ACCPX-Access6	13	string
ATTRIBUTE	APC-ACCPX-Access7	14	string

VALUE		APC-Service-Type	Admin		1
VALUE		APC-Service-Type	Device		2
VALUE		APC-Service-Type	ReadOnly	3
VALUE		APC-Service-Type	Outlet		4
VALUE		APC-Service-Type	Card		5

END-VENDOR	APC

By default, APC users authenticated through RADIUS get ReadOnly access; however, I want a particular user to have administrative access. To do this, we need RADIUS to send the Admin value of APC-Service-Type back to the APC for the user we specify. If our RADIUS server is running on an OD master or replica, we add the following entry to

/etc/raddb/users

<username>	Auth-Type = opendirectory
	APC-Service-Type = Admin



Please note that the APC-Service-Type line must be indented with a tab: in the FreeRADIUS users file the first line of an entry holds the username and check items, and indented lines that follow are the reply items sent back to the client.

If the RADIUS server is instead running on an OD client, use Auth-Type = System:

/etc/raddb/users

<username>	Auth-Type = System
	APC-Service-Type = Admin


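To make the dictionary and users-file pieces above concrete, here is an added example (not part of the original post) in Python: a simplified parser for the dictionary block, plus encoding of a reply item such as APC-Service-Type = Admin into the RADIUS Vendor-Specific attribute (type 26, vendor 318) that the server returns in its Access-Accept, and the matching decoder you could use to check what the APC actually received. The dictionary excerpt inside the script is a constructed copy of the block above, and the parser only understands VENDOR, BEGIN-VENDOR, END-VENDOR, ATTRIBUTE and VALUE lines.

```python
import struct
# Constructed excerpt of the APC vendor block this post adds to /etc/raddb/dictionary.
APC_DICTIONARY = """VENDOR APC 318
BEGIN-VENDOR APC
ATTRIBUTE APC-Service-Type 1 integer
ATTRIBUTE APC-Outlets 2 string
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type ReadOnly 3
END-VENDOR APC
"""
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps vendor attributes

def parse_dictionary(text):
    """Parse VENDOR/ATTRIBUTE/VALUE lines into lookup tables (simplified parser)."""
    vendors, attrs, values, vendor = {}, {}, {}, None
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "VENDOR":
            vendors[p[1]] = int(p[2])
        elif p[0] in ("BEGIN-VENDOR", "END-VENDOR"):
            vendor = p[1] if p[0] == "BEGIN-VENDOR" else None
        elif p[0] == "ATTRIBUTE":
            attrs[p[1]] = (vendor, int(p[2]), p[3])  # (vendor, type, data type)
        elif p[0] == "VALUE":
            values.setdefault(p[1], {})[p[2]] = int(p[3])
    return vendors, attrs, values

def encode_vsa(name, value, dictionary):
    """Encode one 'Attr = Value' reply item as the on-the-wire Vendor-Specific bytes."""
    vendors, attrs, values = dictionary
    vendor, vtype, kind = attrs[name]
    if kind == "integer" and isinstance(value, str):  # symbolic VALUE name -> number
        value = values[name][value]
    payload = struct.pack("!I", value) if kind == "integer" else value.encode()
    sub = struct.pack("!BB", vtype, 2 + len(payload)) + payload  # vendor sub-attribute
    body = struct.pack("!I", vendors[vendor]) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_vsa(data, dictionary):
    """Inverse of encode_vsa: return (attribute name, symbolic or raw value)."""
    vendors, attrs, values = dictionary
    assert data[0] == VENDOR_SPECIFIC and data[1] == len(data)
    vendor_id, vtype, vlen = struct.unpack("!IBB", data[2:8])
    payload = data[8:6 + vlen]
    for name, (vendor, t, kind) in attrs.items():
        if vendors.get(vendor) == vendor_id and t == vtype:
            if kind != "integer":
                return name, payload.decode()
            num = struct.unpack("!I", payload)[0]
            return name, {v: k for k, v in values.get(name, {}).items()}.get(num, num)
    raise KeyError("unknown vendor-specific attribute")
```

For the Admin entry the encoder produces 12 bytes: type 26, length 12, vendor id 318, then sub-attribute 1 with length 6 and the integer 1.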

Now edit /etc/raddb/sites-enabled/default; around line 309, in the authenticate stanza, change the line marked unix to:



#unix
Auth-Type unix {
	opendirectory
}



Now restart the RADIUS daemon and log in to your APC. Under Security, Remote Users, RADIUS you’ll find where to enter your OS X Server’s IP address and the key we created earlier, and a button to test authentication. Make sure the test passes, and that the user you configured earlier authenticates as Administrator, before proceeding.

If you get to this point and the APC reports that it cannot contact RADIUS, check that the RADIUS daemon isn’t crashing on your server. Run tail -f /var/log/radius/radius.log to see what’s going on.

The final step is to click Authenticate in the APC UI and set the authentication method to RADIUS, then Local Authentication.