[strongSwan] radius and certificate CN user authentication

Martin Willi martin at strongswan.org
Wed Sep 10 11:31:07 CEST 2014


Hi Miroslav,

> I had the following working config which nevertheless prompts for
> username and password on the device (iPhone):

The whole point of XAuth authentication is to verify a username/password
combination. You may disable XAuth if you don't want that. Not sure if
that can be configured in the iPhone UI, though.

> What can I do to use the CN value from certificate for radius account
> instead of being prompted for the username and pwd?

You are "being prompted" regardless of RADIUS accounting, that is
unrelated. It is XAuth that prompts for username/password.

If a peer authenticates more than once (such as with XAuth), the
identity used for RADIUS accounting is the last identity authenticated.
When using XAuth, it is the XAuth username. 

> 14[CFG] looking for XAuthInitRSA peer configs matching 10.30.10.213...10.30.10.121[00=AdaptiveMobile, CN=iphone-miro"]
> 14[IKE] no peer config found

A little more from your log, and the output of "ipsec statusall" would
certainly help in debugging this issue.

If your client is using Aggressive Mode, you'll have to set
aggressive=yes in ipsec.conf to match the connection.

Regards
Martin
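
The two options from the reply above, written out as ipsec.conf connections. This is an added example, not part of the original post or the poster's configuration; it assumes a strongSwan 5.x IKEv1 responder, and the connection names, certificate file name and address pool are placeholders.

```conf
# ipsec.conf - constructed example; names, file and pool are placeholders

conn ios-cert-xauth
    # Matches a client that proposes XAuthInitRSA, as in the quoted log line:
    # certificate authentication first, then an XAuth round.
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem        # placeholder file name
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey                # round 1: client certificate
    rightauth2=xauth                # round 2: username/password prompt
    rightsourceip=10.99.0.0/24      # placeholder virtual IP pool
    # Uncomment only if the client uses Aggressive Mode; without it an
    # Aggressive Mode request does not match this connection.
    # aggressive=yes
    auto=add
    # Last identity authenticated = XAuth username, so that is the
    # identity used for RADIUS accounting.

conn ios-cert-only
    # XAuth disabled: a single authentication round with the certificate.
    # The client must also be set up without XAuth, otherwise it still
    # proposes XAuthInitRSA and this connection is not a match.
    keyexchange=ikev1
    left=%any
    leftauth=pubkey
    leftcert=gatewayCert.pem        # placeholder file name
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey                # only round: client certificate
    rightsourceip=10.99.0.0/24      # placeholder virtual IP pool
    auto=add
    # Last identity authenticated = the certificate identity, so no
    # username/password prompt is involved.
```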


