How to set up Mac OS X 10.6 for freeRADIUS TLS or WPA2 Enterprise access

Posted: January 6th, 2011 | Filed under: freeRADIUS, Mac

Apple’s documentation for TLS access is rather thin on how to generate certificates etc. for freeRADIUS. Here are some quick instructions.
First, the guest machine must generate a certificate request.

  1. Go to Applications -> Utilities -> Keychain Access
  2. Under Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
  3. Fill in the info, giving your CA Email Address (the one that is in your ca.cnf file)
  4. Either Save or Email (however if a guest is visiting your house and doesn’t have wifi nor cell access, it could be a problem!).
  5. Once you have transferred the request to your server, issue the following command (substitute guestname with whatever you like; in my guest.cnf, I have set the lifetime of the certificate to 1 day):
    openssl ca -config guest.cnf -policy policy_anything -out guests/guestname.crt -extensions xpclient_ext -extfile xpextensions -infiles guestname.crt
  6. Return the ca.crt (if your guest is a frequent visitor or a close friend) and guestname.crt
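
Before returning guestname.crt in step 6, it is worth confirming that the certificate chains to your CA, carries the client-authentication usage selected by xpclient_ext, and expires when you expect. The script below is an added example, not part of the original post; the throwaway CA, the contents of the stand-in xpextensions file, and the helper names check_guest_cert, make_demo_ca and sign_guest are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): check an issued guest
# certificate before returning it. Demo CA and file contents are constructed.

# check_guest_cert CA_CERT GUEST_CERT MAX_SECONDS
# 0 = OK; 1 = does not chain to the CA, is outside its validity period, or is
# not usable for TLS client auth; 2 = stays valid longer than MAX_SECONDS.
check_guest_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
    # -checkend N exits 0 when the certificate is still valid N seconds from now
    if openssl x509 -in "$2" -noout -checkend "$3" >/dev/null 2>&1; then
        return 2
    fi
    return 0
}

# make_demo_ca DIR: throwaway CA, guest CSR and a stand-in xpextensions file.
make_demo_ca() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' \
        'prompt=no' '[dn]' 'CN=Demo CA' '[v3]' \
        'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
    # OIDs: 1.3.6.1.5.5.7.3.2 = clientAuth, 1.3.6.1.5.5.7.3.1 = serverAuth
    printf '%s\n' '[xpclient_ext]' 'extendedKeyUsage=1.3.6.1.5.5.7.3.2' \
        '[xpserver_ext]' 'extendedKeyUsage=1.3.6.1.5.5.7.3.1' > "$1/xpextensions"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=guestname" -keyout "$1/guest.key" -out "$1/guest.csr" 2>/dev/null
}

# sign_guest DIR SECTION DAYS OUT: sign the demo CSR with `openssl x509 -req`
# (simpler than the post's `openssl ca`, which needs the CA database files).
sign_guest() {
    openssl x509 -req -in "$1/guest.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -extfile "$1/xpextensions" \
        -extensions "$2" -out "$4" 2>/dev/null
}

# Real use: sh thisfile ca.crt guests/guestname.crt 90000
if [ "$#" -eq 3 ]; then
    check_guest_cert "$@"
fi
```

The 90000-second limit allows a one-day certificate plus an hour of slack; a certificate signed with a server-only usage section or a longer lifetime is rejected with exit code 1 or 2 respectively.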

Setup 802.1X or WPA2 Enterprise access on the guest’s machine:

  1. Open Keychain Access (if you have closed it)
  2. Click the user’s keychain; if the padlock is closed, click on it.
  3. Drag the certificates generated above into the keychain
  4. Optionally: Click on the Trust tab and select Always Trust (Assuming you do no evil!)
  5. Quit Keychain Access
  6. Open Preferences -> Network
  7. Select Airport -> Advanced…
  8. Select 802.1X tab
  9. Create a new User Profile via the + icon on the lower left hand corner of the window.
  10. Give the profile any name you like
  11. Check the TLS box under Authentication
  12. Click on Configure Trust
  13. Select the Certificates tab
  14. On the lower left hand corner, click on the + and select Select Certificate From Keychain
  15. Click OK and the window will close
  16. Select the SSID from the Wireless Network: drop down list
  17. Select WPA2 Enterprise from the Security Type: drop down list
  18. Click OK and you will be back in the Network window
  19. The profile name should appear now next to 802.1X
  20. Click on Turn Airport On
  21. The 802.1X should automatically connect, if not click on the Connect button
  22. To disconnect, click on Disconnect or Turn Airport Off.

Additional Reading:
Apple’s Resources with pretty pictures.


