Configuring Wireless Access with RADIUS

RADIUS, short for Remote Authentication Dial-In User Service, is an authentication and accounting system used to make the usernames and passwords in a directory service available to network devices. In this example, we will use RADIUS to provide usernames and passwords to an AirPort base station. This example is important because it represents one case where Apple takes one of the more complicated technologies in the IT industry and makes it readily available even to non-network administrators. RADIUS also represents the highest level of security you can obtain when using Apple AirPort base stations.

To use RADIUS, you will need to be running a system that is either an Open Directory Master or Replica, or a system that is connected to a directory service. For more on directory services, see Chapter 2. For this example, the AirPort will also need to have addresses configured and sit on the same network as the server (preferably accessible via Bonjour), so that the server can connect to the base station.

Setting Up the AirPort

To get started, open Server Admin and click on the name of the server in the SERVERS sidebar. Click on Settings and then click on the Services tab. Check the box for RADIUS and then click the Save button to see the RADIUS entry appear below the server name in the Server Admin sidebar.

Click on RADIUS and then click on the Overview icon in the Server Admin toolbar. Here, click on the button to Configure RADIUS Service…. At the Server Certificate screen, choose the certificate that was previously configured (in Chapter 2) from the list of certificates available in the Certificate drop-down menu (Figure 9-12). Click on Continue.

Figure 9-12. Choosing a certificate

You will then see a list of available AirPort base stations. Click on the base station that you want the server to manage (in this example, we will be using krypted_RADIUS) and provide a password for the base station, as seen in Figure 9-13.

Figure 9-13. All your base are belong to us

Click on the Add button to place the AirPort in the righthand column, which shows the AirPorts that will be a part of the WPA2 Enterprise configuration created by the assistant. Once all of the AirPorts you want to configure have been added, click on the Continue button. At the Allowed Users screen, choose who can access the new wireless network. If you will not be granting wireless access to all of the users, it is usually best to have a dedicated RADIUS group for this purpose. For the purposes of this example, we will allow all of our users to access the wireless network, leaving the radio button set to “Allow all users,” as in Figure 9-14. Click on Continue once you have configured the service as you see fit.

Figure 9-14. Configuring client access

At the Confirm RADIUS Settings screen, click on the Continue button and the settings will be written. The AirPort will then restart with the new settings applied for authenticating users.

Setting Up AirPort Clients

Once the AirPort has restarted, it will appear in the list of available networks on a Mac OS X client computer. Click on it to bring up the username and password dialog box. Here, provide a username and password from the RADIUS server and click on the Join button.

If the server is using a certificate (by default, the assistant uses a certificate) and that certificate is self-signed (or otherwise untrusted by the client computer), click on Show Certificate and make sure the “Always trust” checkbox has been checked (Figure 9-15). Provided the certificate is now trusted, click on the Continue button and authenticate to the local computer to accept the certificate.

Figure 9-15. Trusting the certificate
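
Before checking “Always trust” for a self-signed certificate, it is worth confirming that the certificate the client was offered is the one installed on the server. The following is an added example, not part of the original text: it compares a fingerprint read from the client's certificate details with the certificate exported from the server. It assumes the server certificate is available as a PEM file and that the client shows a SHA-1 or SHA-256 fingerprint; the function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder, not a real certificate: five DER bytes wrapped in
# PEM armor so the example runs offline. Use the PEM exported from the server.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem_text, algo="sha256"):
    """Hex fingerprint: the hash of the whole DER-encoded certificate."""
    return hashlib.new(algo, pem_to_der(pem_text)).hexdigest()


def normalize(shown):
    """Strip the spaces or colons a dialog puts between byte pairs."""
    hexstr = re.sub(r"[\s:]", "", shown).lower()
    if len(hexstr) not in _ALGO_BY_HEX_LEN or re.search(r"[^0-9a-f]", hexstr):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint")
    return hexstr


def matches_server_cert(pem_text, shown_on_client):
    """True only if the fingerprint shown on the client is the server's."""
    shown = normalize(shown_on_client)
    expected = fingerprint(pem_text, _ALGO_BY_HEX_LEN[len(shown)])
    return hmac.compare_digest(expected, shown)


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print("server SHA-256:", ":".join(fp[i:i + 2] for i in range(0, 64, 2)))
    print("match:", matches_server_cert(SAMPLE_PEM, fp.upper()))
```

A mismatch means the client was presented with a different certificate than the one on the server, and it should not be marked as trusted.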

The wireless network will then connect, provided you used a valid username and password combination from Open Directory. Once connected, the system will be joined to the wireless network and able to access services as with any other type of authentication mechanism used on an AirPort base station. The big difference is in the level of security between the wireless clients and the server.
