Disable DHCP on AirPort Extreme and Enable DHCP on OS X server

I want the OS X server to hand out the IP addresses, NOT the AirPort Extreme.


What are the proper steps to do this?

Posted on Feb 16, 2016 11:12 AM

Question marked as Best reply

Posted on Feb 16, 2016 1:32 PM

So the short answer is you can't. The long answer is you can but it is a complete hack of a solution and should be approached with caution and concern. Let me explain.


The Airport has two basic modes: Router and Bridge. In router mode, DHCP is enabled and there is nothing you can do to turn it off. In bridge mode, DHCP can not be enabled. There is no middle ground and there is no way to override the feature set. Ah, but there is a way to gimp it. I will admit that I've done this under duress. This is not right in so many ways but when in a bind, us Mac admins will push back. Here is what you can do.


1: On the Airport define a DHCP range of 2 addresses (this is the minimum range allowed). Let's say you are on the 10.0.1.0/24 network range. You want your DHCP range to be 10.0.1.101 through 10.0.1.150. Ah, but you want DHCP on OS X Server. So set the range of the Airport to 10.0.1.151 through 10.0.1.152.

2: Create two fake reservations on the Airport, using bogus MAC addresses and assign 151 and 152 to these fake MAC addresses. For example, use something like 00:00:00:00:00:01 for address 151 and 00:00:00:00:00:02 for address 152.

3: Go on to OS X Server and configure your normal DHCP range from 101 through 150.

4: Turn on the DHCP service on OS X Server.

5: Fire up some clients and watch both the server and the client for logging information.


Now, it remains possible that the client may get a response back from the Airport before it gets one back from the Server. For this I have no control. However, the Airport can not provide any addresses because the only two it can give out are reserved for nonexistent devices.


Once again, this is a hack. Pure and simple. But if you are lacking a real firewall, this is the best I can offer.


Reid

Apple Consultants Network

Author - "El Capitan Server – Foundation Services"

Author - "El Capitan Server – Control & Collaboration"

Author - "El Capitan Server – Advanced Services"

:: Exclusively available in Apple's iBooks Store

8 replies
Feb 16, 2016 7:32 PM in response to vane0326

Absolutely! And yes, that is a major limitation of the Airport Extremes. You can not create more than a /24. However, if you are building a network that size, I think you have well outgrown your Airport Extreme.


At this point, with all the mobile devices, I start all new networks and have been converting all existing ones to /23 with the option to go to /22. After all, it only takes about 60 people with 4 addresses apiece to consume a /24. Build 'em big. Just do the math up front to make sure your base address can accept the increase without creating islands within the block.


Reid

Feb 17, 2016 2:37 AM in response to vane0326

vane0326 wrote:


Thanks! If I'm going with that type of network I'm most likely to go with commercial grade wireless routers, like Aruba Instant or Cisco Meraki. Hopefully these devices are able to authenticate to the OS X server RADIUS, because I use WPA2-Enterprise.


Yes and no.


Apple's own Server.app software will only configure RADIUS for use with Apple's own AirPort Extreme base-stations; it will not even show up for anything else. However, the RADIUS software Apple use is actually the standard open-source FreeRADIUS software as used by many other solutions, especially Linux.


You can therefore manually configure the FreeRADIUS software via the command line and use it with non-Apple products.

Feb 17, 2016 7:12 AM in response to vane0326

I was referring to setting up FreeRADIUS on a Mac server. If you want to use that Mac as a RADIUS server for devices other than Apple's own AirPort Extreme you need to configure FreeRADIUS in Terminal.app on the Mac. These may help -


http://krypted.com/mac-security/configure-radius-in-mavericks-server/

https://www.yesdevnull.net/2013/10/os-x-mavericks-server-setting-up-freeradius/


While they are for Mavericks and Server.app, the process should be virtually unaltered for El Capitan and Server.app.


You would also do the normal configuration of the Aruba or Meraki devices in their own interface to access the FreeRADIUS server running on the Mac. In the case of Meraki this would, I believe, be via a web browser.
