Expiration and EAP verification question
WorkingMan
signup_mail2002 at yahoo.com
Sun Sep 22 16:07:56 CEST 2013
In strongswan for ikev1 it uses xauth-eap that I use to do validation with
RADIUS (that's the only way for ikev1 clients with strongswan).
My design is that I don't actually care about secondary authentication with
RADIUS since it's already doing certificate validation from strongswan side
before doing secondary authentication. All is good if I was only need
secondary authentication since I can bypass with verify_eap from strongswan
side but I want to make use of the Expiration module on freeradius side (works
great).
I have few questions so it can help me determine next course of action:
1) is there a way to configure freeradius for Accounting only and also does
the user expiration check?
2) is it possible for me in any way to reject expired user but accept eap
based authentication (from configuration or code modification)?
3) when connection is rejected does the strongswan side (xauth-eap plugin in
particular) receive information that can differentiate this logic (send
attribute that it can handle maybe? I have no idea how that work)?
Thanks
More information about the Freeradius-Users
mailing list