[strongSwan] ikev1 + freeradius (accounting only)

WorkingMan signup_mail2002 at yahoo.com
Thu Sep 19 15:23:42 CEST 2013

I would like to know if it's possible to have a setup that does the following 
with ikev1 and freeradius:

1) certification only authentication without secondary authentication  (ex: 
xauth) for ikev1
2) need radius accounting (ie: freeradius)

If xauth-eap is used accounting will happen but that means I am forced to use 
xauth (remember authentication and accounting are decoupled in freeradius). So 
I made a simple mod to always accept the authentication in xauth-eap to 
accepts any user/pass since ios won't allow empty login info in the UI. All 
this seems to work correctly but I rather prefer not modify any code if 

Can someone tell me if there is a built-in way of doing this? Someone was 
alluding to this idea in my other post but didn't provide an example so I want 
to be 100% sure this is not possible before I do any mod (it would be called 
xauth-eap-noauth in the same spirit as xauth-noauth; all you have to do is 
always return true in xauth_eap.c: verify_eap() or strongswan team can do it, 
it's so simple there should be no danger of doing it).

I wonder why bother with EAP-TLS/radius for VPN if strongswan can already do 
mutual authentication (based on charon.log) with certificate? With ikev2 and 
EAP-TLS client side certificate authentication seems to be happening on RADIUS 
side. I guess EAP-TLS is less useful for VPN than it's for other type of 


More information about the Users mailing list