Expiration and EAP verification question
Alan DeKok
aland at deployingradius.com
Sun Sep 22 16:48:57 CEST 2013
WorkingMan wrote:
> My design is that I don't actually care about secondary authentication with
> RADIUS since it's already doing certificate validation from strongswan side
> before doing secondary authentication. All is good if I only needed
> secondary authentication since I can bypass with verify_eap from strongswan
> side but I want to make use of the Expiration module on freeradius side (works
> great).
Bypassing authentication is generally a bad idea.
> I have a few questions so it can help me determine the next course of action:
>
> 1) Is there a way to configure freeradius for Accounting only and also do
> the user expiration check?
No. User expiration checks are done on authentication.
> 2) is it possible for me in any way to reject expired user but accept eap
> based authentication (from configuration or code modification)?
Yes.
> 3) when connection is rejected does the strongswan side (xauth-eap plugin in
> particular) receive information that can differentiate this logic (send
> attribute that it can handle maybe? I have no idea how that works)?
A reject is a reject. The client usually doesn't get told *why* it
was rejected.
Rather than asking vague questions, it would help to read the config
files. They're documented in exhaustive detail.
Alan DeKok.