For IKEv1, strongSwan uses xauth-eap, which I use to do validation with RADIUS (that's the only way for IKEv1 clients with strongSwan).
My design is that I don't actually care about secondary authentication with RADIUS, since certificate validation is already done on the strongSwan side before secondary authentication. All would be good if I only needed secondary authentication, since I can bypass it with verify_eap on the strongSwan side, but I want to make use of the Expiration module on the FreeRADIUS side (works great).

I have a few questions to help me determine my next course of action:

1) Is there a way to configure FreeRADIUS for accounting only and have it also do the user expiration check?
2) Is it possible for me in any way to reject an expired user but accept EAP-based authentication (through configuration or code modification)?
3) When a connection is rejected, does the strongSwan side (the xauth-eap plugin in particular) receive information that can differentiate this logic (maybe an attribute sent that it can handle? I have no idea how that works)?

Thanks