Expiration and EAP verification question

WorkingMan signup_mail2002 at yahoo.com
Sun Sep 22 16:07:56 CEST 2013


For ikev1, strongswan uses xauth-eap, which I use to do validation with 
RADIUS (that's the only way for ikev1 clients with strongswan).

My design is that I don't actually care about secondary authentication with 
RADIUS, since it's already doing certificate validation from the strongswan 
side before doing secondary authentication. All would be good if I only needed 
secondary authentication, since I can bypass with verify_eap from the 
strongswan side, but I want to make use of the Expiration module on the 
freeradius side (works great).

I have a few questions that can help me determine the next course of action:

1) Is there a way to configure freeradius for Accounting only and also do 
the user expiration check?

2) Is it possible for me in any way to reject an expired user but accept eap 
based authentication (from configuration or code modification)?

3) When a connection is rejected, does the strongswan side (xauth-eap plugin 
in particular) receive information that can differentiate this logic (send an 
attribute that it can handle maybe? I have no idea how that works)?

Thanks


