
RADIUS on 10.7.4 Server

Have had a great week setting up a Lion Server using the Lynda.com How to. Great tool! Especially the Cert buying/signing/installing module. Outstanding teacher.


There have been a few glitches, though, one resolved yesterday, the other today, but the other still plagues me.


First was NAT forwarding to default host on the AEB. In the tutorial it suggests that this is turned on and routed to the correct host with the Server app - maybe in the tutorial (which used the Airport Utility5X) - but this install ha(d) only AU 6, which apparently doesn't talk to server that well. And may be the root cause of all problems here, I may add.


Solved that one whilst clicking through the AEB config with the Airport Utility 5.6 for Lion. Strongly recommended. 6 is not yet ready for prime time. Now my test users can get to profile manager from elsewhere on the outside world. Cool.


Second was VPN on iOS. Turns out that I had only enabled L2TP when rolling out the profile to my test users. Test Mac had no problem with this and setup correctly; test iOS (pad and phone) installed correctly and authenticated the certs but would fail VPN.


Changed the Server to L2TP/PPTP - rolled out new profiles to iOS - now iOS connects VPN as advertised.


Thirdly though is RADIUS on the AEB - tech docs (and the tutorial) all suggest that "throwing one switch" in Server App and a base station restart is all that is needed. Not quite - doing so does different things on Mac or iOS, but both are fails. I should add that network is fine and routes perfectly to clients using WPA2 Personal. This is only a problem with RADIUS and WPA2 Enterprise.


On both, connecting to the network brings up the proper credential dialog (name/pw).


On the Mac it authenticates in a snap, but fails to connect the device to the network (self assigned IP, no dns, no router).


On iOS it times out after 30 seconds.


Both get the following lines in the logs:


Error: Ignoring request to authentication address * port 1812 from unknown client 75.140.XX.XX port 33978


(75.140.XX.XX is the AEB).


Hmm. Started looking in the most obvious places (for me anyway).


I checked access for RADIUS using Server Admin app - it was set to Allow all users and groups. For giggles I set it to just the test user and stopped / started service, tried again, same result. Set it back to default (all).


A technote (sorry-not sure which- I've been through a herd) suggested that I should have iPV6 set to Tunnel, to allow Lion Server to correctly manage an AEB. It's on the default Local Link Only, so I changed that to Tunnel, restarted AEB, start/stop service, try again, no dice. For even more giggles set it to Host, then Router, same song and dance, same result.


I'm convinced that the problem lies somewhere in the AEB settings. But not having set up RADIUS before I'm not sure what good looks like. The NAT problem was a fast solve and face/palm, but this one has me wandering around in circles; it's not the one click solution I'm seeing in all the tech notes and tutorials.


Any help would be totally appreciated.


HW: 2010 Quad Core Xeon, 32 gigs RAM, Server 10.7.4, AEB Fifth Gen. Services (at this point) - DNS, ODS, File Sharing (AFP, SAMBA and WebDAV), Profile Manager, VPN and hopefully RADIUS. DNS is fully qualified and certs are all a nice healthy green. 🙂


Thanks!


Tony

Mac Pro, Mac OS X (10.7.4), Server

Posted on Jun 1, 2012 2:22 PM


Jul 27, 2012 11:43 AM in response to MrOchie

A few weeks ago I enabled RADIUS on my PowerPC tower running 10.5 (I know...I know...). While some users were instantly able to connect, others struggled with the exact same issue you are describing. I figured the issue was with my aging hardware so I upgraded all our Airport hubs from the Blob/UFO looking ones to the latest and greatest itty-bitty ones. I also upgraded our server to a MacMini running 10.7.


I've read all the guides for how to enable RADIUS, but I can't seem to configure the Airport Extreme Basestations (AEB) to properly work with RADIUS. Any help would be appreciated!


- Ben

Aug 14, 2012 5:05 AM in response to MrOchie

Hi Tony, Ben and others,


I'm not sure it was the same problem, but a little while ago I had problems too with RADIUS not working on Lion, and by searching for solutions I found out that it's necessary to edit /etc/raddb/clients.conf.


My problem here, why it didn't work, was with the shared secret.


So I edited /etc/raddb/clients.conf and put at the end of the file:


    client 10.0.0.0/24 {
        secret = shared-secret-type-what-you-want-here
        shortname = private-network
    }


BEFORE I started RADIUS and added AE's to it


I hope it solves your problem too …


GreetingZz John 🙂


PS For some strange reason I had to change the 'Wireless Security' from WPA2 Personal ---> WPA2 Enterprise on each AE manually.

But maybe that's just a little bug when opening the AE in Airport Utility 6.1, because it WAS working before I looked into the AE's.


PPS IPv6 not changed here


Message was edited by: Abhor

Aug 14, 2012 11:29 PM in response to Abhor

Abhor,

It's the first time I've ever had a technical problem and then found a support discussion thread about it that wasn't at least two years old. Greetings!

I am having this exact same problem. Previously, through OS X Server 10.5 and 10.6, I used the Elektron app for authenticating 802.1X clients against Open Directory. It offers some additional features that the built-in Radius service does not have, and it worked great, until Lion came along. It doesn't seem to work in 10.7, and the website and support forums of Periodik Labs, makers of Elektron, seem to have stalled. It's been tough getting support from them lately.


So I decided to try 10.7's built-in Radius with some Airport base stations.


I have this same problem described above.


Error: Ignoring request to authentication address * port 1812 from unknown client 10.XX.XX.XX port xxxxx


Here is my question: when you edited /etc/raddb/clients.conf, what is "shortname"? Is that an Open Directory or user account shortname, the host name you used for the base station, or the SSID of your network?


Thank you!

Jim

Aug 15, 2012 1:04 AM in response to squidvswhale

Hi Jim,


About the shortname ... not important, I guess. I think it's just a name for administration use if you have a large network and/or many systems, so you can more easily find settings you made.

That name was used nowhere else in my system.


My most important point was that it only worked here after filling in the 'secret' in clients.conf and pointing it to the right network range (just look at some samples in the file).


Another thing I found out just yesterday when I turned on the firewall: RADIUS did not work anymore, but I was sure that I had opened port 1812 ....

I got this line in the log:


server ipfw[10528]: 65534 Deny UDP 10.0.0.3:65520 10.0.0.2:1812 in via en0


Then I found out that in Server Admin -> Firewall -> Services, port 1812, which I had switched on, was only open for TCP, so I added UDP too.


Nothing to do with the problems here, but I just note it for possible problems in the future ;-)


GreetingZz John 🙂
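An added example, not from this thread or from Apple's RADIUS service, that ties John's two clients.conf points together (the network range and the secret, plus the shortname being only a label): it parses a constructed clients.conf fragment written in the same 'client' block style and reports which block, if any, covers the source address in an "unknown client" log line like Tony's and Jim's. The config text, the addresses and the secret value are all constructed placeholders; hostnames in ipaddr= are assumed not to occur.

```python
import ipaddress
import re
# Constructed clients.conf fragment in the thread's 'client' block style; placeholder secret.
CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    shortname = localhost
}
client 10.0.0.0/24 {
    secret = shared-secret-type-what-you-want-here
    shortname = private-network
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
UNKNOWN_RE = re.compile(r"from unknown client (\d+(?:\.\d+){3}) port \d+")

def parse_clients(text):
    """One dict per block; the token after 'client' is the address when no ipaddr= exists."""
    clients = []
    for name, body in BLOCK_RE.findall(re.sub(r"#.*", "", text)):
        kv = dict(KV_RE.findall(body))
        clients.append({
            "network": ipaddress.ip_network(kv.get("ipaddr", name), strict=False),
            "secret": kv.get("secret"),
            "shortname": kv.get("shortname", name),  # label only, as John says
        })
    return clients

def find_client(clients, source_ip):
    """First block whose network contains source_ip, else None."""
    ip = ipaddress.ip_address(source_ip)
    return next((c for c in clients if ip in c["network"]), None)

def diagnose(log_line, clients):
    """None for unrelated lines; ("unknown_client", ip) when no block covers the source
    (the thread's symptom); ("no_secret", name) when the block lacks a secret;
    ("covered", name) when the file is fine and RADIUS just needs a restart to reread it."""
    m = UNKNOWN_RE.search(log_line)
    if not m:
        return None
    client = find_client(clients, m.group(1))
    if client is None:
        return ("unknown_client", m.group(1))
    if not client["secret"]:
        return ("no_secret", client["shortname"])
    return ("covered", client["shortname"])
```

Note that in Tony's log the request arrives from the AEB's public address, so the block has to cover whichever address the base station actually sends from, not just the LAN range.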
