[strongSwan] ikev1 + freeradius (accounting only)
signup_mail2002 at yahoo.com
Thu Sep 19 16:53:19 CEST 2013
Martin Willi <martin at ...> writes:
> > 1) certification only authentication without secondary authentication
> > xauth) for ikev1
> > 2) need radius accounting (ie: freeradius)
> > If xauth-eap is used accounting will happen but that means I am forced
> > xauth (remember authentication and accounting are decoupled in
> Why bother with xauth-eap if you don't need XAuth?
> Accounting works independent of Authentication. You can use any
> non-RADIUS authentication method, but configure the eap-radius plugin to
> do Accounting only.
> > I wonder why bother with EAP-TLS/radius for VPN if strongswan can
> > mutual authentication (based on charon.log) with certificate?
> It makes sense in a few situations:
> * Windows 7 can use EAP-TLS in IKEv2 for Smartcard user
> authentication (IKEv2 certificate authentication can use machine
> certificates only).
> * You can delegate certificate validation/authentication to an AAA
> backend using RADIUS. This backend could enforce additional
> policies that the IPsec gateway might not have access to, and
> then forward policy decisions to the strongSwan.
> * Because we can!
If I use the following it doesn't work:
Does not work:
no peer config found - are you sure eap-radius works with ikev1?
In the event eap-radius works with ikev2 in the way you describe it, can you
tell me how to configure it to have accounting only (like we discussed