Tech Lab /
Get Started

Take advantage of our commitment to Fanatical Service, enhance your Peace of Mind and get Fully Managed®.

Cisco VPN User Authentication Using RADIUS in Mac OS X Server

Luis Giraldoby Luis Giraldo @ Fully Managed™
Posted 5 years ago

Since Mac OS X Snow Leopard (10.6), Apple has included a Cisco IPSec VPN client in the OS. In many environments where businesses deploy Open Directory (OD) as the main directory service for user authentication, it can be useful to also leverage it for VPN authentication, thereby reducing duplicate user account management.

Given an already-working Cisco VPN service (with AAA), the configuration to be added to the Cisco VPN router/concentrator is below.

Pre-requisites:

  • Good working knowledge of Cisco IOS
  • Mac OS X Server version 10.6 or 10.7 
  • Mac OS X (for client remote connections) version 10.6 or 10.7

Note: Variables are listed inside angled brackets, e.g. <variable>

aaa authentication login <client_authentication_list_name> group radius local
aaa authorization network <isakmp_auth_list_name> local

If you have used CCP and its built-in wizards to configure the EasyVPN server, the client authentication list name might look like this:

ciscocp_vpn_xauth_ml_3

And the isakmp authorization list name might look like this:

ciscocp_vpn_group_ml_3

The isakmp profile should already exist if you have EasyVPN server configured and working:

crypto isakmp profile <ike_profile_name>
  match identity group <VPNGROUP>
  client authentication list <x_auth_list_name>
  isakmp authorization list <auth_list_name>
  client configuration address respond
  virtual-template 1

Add the RADIUS server information, including ports and unique RADIUS key:

radius-server host <OD_IP_ADDRESS> auth-port 1812 acct-port 1813 key <your_special_radius_key>

On your Mac OS X server, add the RADIUS client config to the RADIUS client file:

/etc/raddb/clients.conf

In the format of:

client <IP_OF_VPN_ROUTER> {
secret = <your_special_radius_key>
shortname = <arbitrary name to identify RADIUS client>
}

Manually start the RADIUS service via CLI:

sudo serveradmin start radius

The response from the server should be:

radius:state = "RUNNING"
radius:status = 0

You can monitor/debug RADIUS requests with

radius -X

You will now be able to authenticate VPN users against your Open Directory server!


Alberta's Best Workplace 2013

BBB
Creating Peace of Mind for businesses and non-profits across North America since 2002.
© 2017 Fully Managed Inc. All rights reserved. Contact Us. Privacy.
Help