[strongSwan] ikev1 + freeradius (accounting only)

Martin Willi martin at strongswan.org
Thu Sep 19 16:06:19 CEST 2013


> 1) certification only authentication without secondary authentication (ex: 
> xauth) for ikev1
> 2) need radius accounting (ie: freeradius)
> If xauth-eap is used accounting will happen but that means I am forced to use 
> xauth (remember authentication and accounting are decoupled in freeradius).

Why bother with xauth-eap if you don't need XAuth?

Accounting works independent of Authentication. You can use any
non-RADIUS authentication method, but configure the eap-radius plugin to
do Accounting only.

> I wonder why bother with EAP-TLS/radius for VPN if strongswan can already do 
> mutual authentication (based on charon.log) with certificate?

It makes sense in a few situations:

      * Windows 7 can use EAP-TLS in IKEv2 for Smartcard user
        authentication (IKEv2 certificate authentication can use machine
        certificates only). 
      * You can delegate certificate validation/authentication to an AAA
        backend using RADIUS. This backend could enforce additional
        policies that the IPsec gateway might not have access to, and
        then forward policy decisions to the strongSwan.
      * Because we can!
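
An added configuration sketch, not part of the original post, showing the accounting-only setup described above: IKEv1 with certificate authentication on both sides (no XAuth) in ipsec.conf, and the eap-radius plugin enabled for RADIUS accounting in strongswan.conf. The connection name, server name, address, shared secret and certificate file name are placeholders assumed for illustration.

```conf
# /etc/ipsec.conf
# IKEv1 with certificate authentication only; no xauth round is configured,
# so RADIUS plays no part in authenticating the peer.
conn rw-ikev1-certs                 # connection name is a placeholder
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem        # placeholder certificate file
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey                # peer authenticates with its certificate
    rightsourceip=10.10.0.0/24      # placeholder virtual IP pool
    auto=add

# /etc/strongswan.conf
# eap-radius is loaded for accounting only: no connection above references
# EAP or XAuth, so the plugin just reports session start/stop and usage.
charon {
    plugins {
        eap-radius {
            accounting = yes
            servers {
                acct-server {                       # placeholder server name
                    address = 192.0.2.10            # placeholder (documentation range)
                    secret = REPLACE_WITH_SHARED_SECRET
                    acct_port = 1813
                }
            }
        }
    }
}
```

The shared secret must match the client entry for the gateway on the RADIUS server, and strongswan.conf should be readable by root only because it holds that secret.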

