Expiration and EAP verification question

Alan DeKok aland at deployingradius.com
Sun Sep 22 16:48:57 CEST 2013


WorkingMan wrote:
> My design is that I don't actually care about secondary authentication with 
> RADIUS since it's already doing certificate validation from strongswan side 
> before doing secondary authentication. All is good if I was only need 
> secondary authentication since I can bypass with verify_eap from strongswan 
> side but I want to make use of the Expiration module on freeradius side (works 
> great).

  Bypassing authentication is generally a bad idea.

> I have few questions so it can help me determine next course of action:
> 
> 1) is there a way to configure freeradius for Accounting only and also does 
> the user expiration check?

  No.  User expiration checks are done on authentication.

> 2) is it possible for me in any way to  reject expired user but accept eap 
> based authentication (from configuration or code modification)? 

  Yes.

> 3) when connection is rejected does the strongswan side (xauth-eap plugin in 
> particular) receive information that can differentiate this logic (send 
> attribute that it can handle maybe? I have no idea how that work)?

  A reject is a reject.  The client usually doesn't get told *why* it
was rejected.

  Rather than asking vague questions, it would help to read the config
files.  They're documented in exhaustive detail.

  Alan DeKok.


More information about the Freeradius-Users mailing list