[strongSwan] ikev1 + freeradius (accounting only)
martin at strongswan.org
Thu Sep 19 16:06:19 CEST 2013
> 1) certification only authentication without secondary authentication (ex:
> xauth) for ikev1
> 2) need radius accounting (ie: freeradius)
> If xauth-eap is used accounting will happen but that means I am forced to use
> xauth (remember authentication and accounting are decoupled in freeradius).
Why bother with xauth-eap if you don't need XAuth?
Accounting works independent of Authentication. You can use any
non-RADIUS authentication method, but configure the eap-radius plugin to
do Accounting only.
> I wonder why bother with EAP-TLS/radius for VPN if strongswan can already do
> mutual authentication (based on charon.log) with certificate?
It makes sense in a few situations:
* Windows 7 can use EAP-TLS in IKEv2 for Smartcard user
authentication (IKEv2 certificate authentication can use machine
* You can delegate certificate validation/authentication to an AAA
backend using RADIUS. This backend could enforce additional
policies that the IPsec gateway not might have access to, and
then forward policy decisions to the strongSwan.
* Because we can!
More information about the Users