<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">You say on [1] that "The native iOS and OS X clients are known to work fine with multiple authentication rounds.", yet I have the server configured with multiple rounds using xauth but OSX is only requesting EAP<div class=""><br class=""></div><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class=""><span style="background-color:#e7ffb3;" class="">connections {<br class=""></span><span style="background-color:#e7ffb3;" class="">  radius {<br class=""></span><span style="background-color:#e7ffb3;" class="">     version = 2<br class=""></span><span style="background-color:#e7ffb3;" class="">     send_cert = always<br class=""></span><span style="background-color:#e7ffb3;" class="">     encap = yes<br class=""></span><span style="background-color:#e7ffb3;" class="">     pools = pool1<br class=""></span><span style="background-color:#e7ffb3;" class="">     unique = replace<br class=""></span><span style="background-color:#e7ffb3;" class="">     proposals = aes256-sha256-prfsha256-ecp256-modp2048<br class=""></span><span style="background-color:#e7ffb3;" class="">     local {<br class=""></span><span style="background-color:#e7ffb3;" class="">        id = vpnserver<br class=""></span><span style="background-color:#e7ffb3;" class="">        certs = vpnserver.crt<br class=""></span><span style="background-color:#e7ffb3;" class="">     }<br class=""></span><span style="background-color:#e7ffb3;" class="">     remote {<br class=""></span><span style="background-color:#e7ffb3;" class="">        auth = xauth-radius:passandcode<br class=""></span><span style="background-color:#e7ffb3;" class="">     }</span><span style="background-color:#e7ffb3;" class=""><br class=""></span><span style="background-color:#e7ffb3;" class="">     children {<br class=""></span><span style="background-color:#e7ffb3;" class="">        net {<br class=""></span><span style="background-color:#e7ffb3;" class="">          local_ts = 172.31.0.0/16<br class=""></span><span style="background-color:#e7ffb3;" class="">        }<br class=""></span><span style="background-color:#e7ffb3;" class="">     }<br class=""></span><span style="background-color:#e7ffb3;" class="">  }<br class=""></span><span style="background-color:#e7ffb3;" class="">}<br class=""></span></pre><div class=""><pre style="background-color: rgb(255, 255, 255); font-family: Menlo; font-size: 9pt;" class=""><span style="background-color:#e7ffb3;" class="">eap-radius {<br class=""></span><span style="background-color:#e7ffb3;" class="">    load = yes<br class=""></span><span style="background-color:#e7ffb3;" class="">    accounting = yes<br class=""></span><span style="background-color:#e7ffb3;" class="">    nas_identifier = vpn-pod1<br class=""></span><span style="background-color:#e7ffb3;" class="">    servers {<br class=""></span><span style="background-color:#e7ffb3;" class="">        primary {<br class=""></span><span style="background-color:#e7ffb3;" class="">            address = 172.31.19.90  # TODO: change to DNS<br class=""></span><span style="background-color:#e7ffb3;" class="">            secret = KFdHr0sgw$kOfFgh  # /etc/freeradius/clients.conf<br class=""></span><span style="background-color:#e7ffb3;" class="">        }<br class=""></span><span style="background-color:#e7ffb3;" class="">    }<br class=""></span><span style="background-color:#e7ffb3;" class="">    xauth {<br class=""></span><span style="background-color:#e7ffb3;" class="">        passandcode {<br class=""></span><span style="background-color:#e7ffb3;" class="">            password = Please enter your Password:<br class=""></span><span style="background-color:#e7ffb3;" class="">            passcode = Please enter current authenticator token code:<br class=""></span><span style="background-color:#e7ffb3;" class="">        }<br class=""></span><span style="background-color:#e7ffb3;" class="">    }<br class=""></span><span style="background-color:#e7ffb3;" class="">}</span></pre><div class=""><br class=""></div></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">10[CFG] selected peer config 'radius'</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">10[IKE] peer requested EAP, config inacceptable</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">10[CFG] no alternative config found</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">10[IKE] peer supports MOBIKE</span></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: Menlo; background-color: rgb(255, 255, 255);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]</span></div></div><br class=""><br class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Arbitrary-RADIUS-attribute-forwarding" class="">https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Arbitrary-RADIUS-attribute-forwarding</a></div><div class=""><br class=""></div></div></body></html>