How to setup MacOSX 10.6 for freeRADIUS TLS or WPA2 Enterprise access

Apple’s documentation for TLS access is rather thin on how to use generate certificates etc. for freeRADIUS. Here are some quick instructions.
First, the guest machine must generate a certificate request.

1. Go to Applications -> Utilities -> Keychain Access
2. Under Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
3. Fill in the info, give them your CA Email Address (the one that is in your ca.cnf file)
4. Either Save or Email (however if a guest is visiting your house and doesn’t have wifi nor cell access, it could be a problem!).
5. Once you have transfered the request to your server issue the command (substitute guestname with what ever you like, in my guest.cnf, I have set the lifetime of the certificate to 1 day:
   openssl ca -config guest.cnf -policy policy_anything -out guests/guestname.crt -extensions xpclient_ext -extfile xpextensions -infiles guestname.crt
6. Return the ca.crt (if your guest is a frequent visitor or a close friend) and guestname.crt

Setup 802.1X or WPA2 Enterprise access on the guest’s machine:

1. Open Keychain Assistant (if you have closed it)
2. Click the user’s keychain, if the padlock is closed, click on it.
3. Drag the certificates generated above into the keychain
4. Optionally: Click on the Trust tab and select Always Trust (Assuming you do no evil!)
5. Quit Keychain Assistant
6. Open Preferences -> Network
7. Select Airport -> Advanced..
8. Select 802.1X tab
9. Create a new User Profile via the + icon on the lower left hand corner of the window.
10. Give the profile any name you like
11. Check the TLS box under Authentication
12. Click on Configure Trust
13. Select the Certificates tab
14. On the lower left hand corner, click on the + and select Select Certificate From Keychain
15. Click OK and the window will close
16. Select the SSID from the Wireless Network: drop down list
17. Select WPA2 Enterprise from the Security Type: drop down list
18. Click OK and you will be back in the Network window
19. The profile name should appear now next to 802.1X
20. Click on Turn Airport On
21. The 802.1X should automatically connect, if not click on the Connect button
22. To disconnect, click on Disconnect or Turn Airport Off.

Additional Reading:
Apple’s Resources with pretty pictures.

launchctl Tutorial

launchctl allows users to start / stop applications that is typically processed via launchd. (MacOS’s equivalent of cron).

launchctl command configurations are stored as XML formatted .plist files located in directories /System/Library/LaunchAgents or /System/Library/LaunchDaemons for system wide start items, for user specific items the plist files are stored in ~/Library/LaunchAgents or ~/Library/LaunchDaemons directories.

Agents or Daemons?
An agent is a program that requires access to specific users’ information. A daemon is a program that runs in the background and requires generally no input from any user.

For more a comparison between Agents and Daemons refer to this Apple technote.

What is in a .plist?
A .plist file must contain at the very least the keys Label, ProgramArguments array and a key to tell launchd how the application is run eg KeepAlive, RunAtLoad for one time operations. or StartonMount, StartInterval, StartCalendarInterval for repeating occurrences.

A complete dictionary of all the property keys can be found here. A few things it can do is to monitor modified paths (via the key WatchPath), HardResourceLimits etc.

Here is an example for com.companyname.agentorapplicationname.plist, which runs the application full/path/to/binary every 60 seconds:

launctl operations