Expiration and EAP verification question

WorkingMan signup_mail2002 at yahoo.com
Sun Sep 22 19:35:09 CEST 2013

Alan DeKok <aland <at> deployingradius.com> writes:

> WorkingMan wrote:
> > My design is that I don't actually care about secondary authentication 
> > RADIUS since it's already doing certificate validation from strongswan 
> > before doing secondary authentication. All is good if I was only need 
> > secondary authentication since I can bypass with verify_eap from 
> > side but I want to make use of the Expiration module on freeradius side 
> > great).
>   Bypassing authentication is generally a bad idea.
> > I have few questions so it can help me determine next course of action:
> > 
> > 1) is there a way to configure freeradius for Accounting only and also 
> > the user expiration check?
>   No.  User expiration checks are done on authentication.
> > 2) is it possible for me in any way to  reject expired user but accept 
> > based authentication (from configuration or code modification)? 
>   Yes.
> > 3) when connection is rejected does the strongswan side (xauth-eap plugin in 
> > particular) receive information that can differentiate this logic (send 
> > attribute that it can handle maybe? I have no idea how that work)?
>   A reject is a reject.  The client usually doesn't get told *why* it
> was rejected.
>   Rather than asking vague questions, it would help to read the config
> files.  They're documented in exhaustive detail.
>   Alan DeKok.

Can you give me an example of how to always accept the connection on EAP-* 
authentication (it will be password based from xauth-eap from strongswan) 
but at the same time still honour Expiration logic? I am not sure how to 
do it (or what to look for). I have been trying different settings for a 
week now without success. 


As you know default IPSec VPN clients for iOS and Android are ikev1 based 
and that doesn't support EAP-TLS which is ideal for me (mutual certificate 
authentication). For ikev1 I can still do mutual certificate authentication 
but I want freeradius to do accounting stuff and sort of centralize login 
(otherwise there is no need of RADIUS). The only option with strongswan is 
via xauth-eap (internally via eap-radius; using eap-md5, eap-mschapv2, etc 
password based authentication). There is no way according to strongswan's 
team to do accounting only with ikev1, that's why I need to use xauth-eap so 
I can talk to freeradius. There is no need to do password authentication 
when certificate is already validated by the server and you can filter 
clients via certificate details (so it is safe; unless someone can sign fake 
client certificate).

If I didn't care about user expiration (and simultaneous access control) I 
wouldn't need to ask for help (simply modify xauth-eap to always pass 
authentication and not bother talking to RADIUS during authentication). 
I really want to use as many of freeradius' features as possible so I don't have 
to do things on the side (ex: do expiration check on VPN side). Any help 
would be much appreciated.

