Expiration and EAP verification question
signup_mail2002 at yahoo.com
Sun Sep 22 19:35:09 CEST 2013
Alan DeKok <aland <at> deployingradius.com> writes:
> WorkingMan wrote:
> > My design is that I don't actually care about secondary authentication
> > RADIUS since it's already doing certificate validation from strongswan
> > before doing secondary authentication. All is good if I was only need
> > secondary authentication since I can bypass with verify_eap from
> > side but I want to make use of the Expiration module on freeradius side
> > great).
> Bypassing authentication is generally a bad idea.
> > I have few questions so it can help me determine next course of action:
> > 1) is there a way to configure freeradius for Accounting only and also
> > the user expiration check?
> No. User expiration checks are done on authentication.
> > 2) is it possible for me in any way to reject expired user but accept
> > based authentication (from configuration or code modification)?
> > 3) when connection is rejected does the strongswan side (xauth-eap
> > particular) receive information that can differentiate this logic (send
> > attribute that it can handle maybe? I have no idea how that work)?
> A reject is a reject. The client usually doesn't get told *why* it
> was rejected.
> Rather than asking vague questions, it would help to read the config
> files. They're documented in exhaustive detail.
> Alan DeKok.
> List info/subscribe/unsubscribe? See
Can you give me an example on how to always accept connection on EAP-*
authentication (it will be password based from xauth-eap from strongswan)
but at the same time still honour Expiration logic? I am not sure what to
do it (or what to look for). I have been trying different settings for a
week now without success.
As you know default IPSec VPN clients for iOS and Android are ikev1 based
and that doesn't support EAP-TLS which is ideal for me (mutual certificate
authentication). For ikev1 I can still do mutual certificate authentication
but I want freeradius to do accounting stuff and sort of centralize login
(otherwise there is no need of RADIUS). the only option with strongswan is
via xauth-eap (internally via eap-radius; using eap-md5, eap-mschapv2, etc
password based authentication). There is no way according to strongswan's
team to do accounting only with ikev1 that's why I need to use xauth-eap so
I can talk to freeradius. There is no need to do password authentication
when certificate is already validated by the server and you can filter
clients via certificate details (so it is safe; unless someone can sign fake
If I didn't care about user expiration (and simultaneous access control) I
wouldn't need to ask for help (simply modify xauth-eap to always pass
authentication and doesn't bother talking to RADIUS during authentication).
I really want to use as much freeradius' feature as possible so I don't have
to do things on the side (ex: do expiration check on VPN side). Any help
would be much appreciated.
More information about the Freeradius-Users