WorkingMan wrote:
> My design is that I don't actually care about secondary authentication with
> RADIUS since it's already doing certificate validation from strongswan side
> before doing secondary authentication. All is good if I only needed
> secondary authentication since I can bypass with verify_eap from strongswan
> side but I want to make use of the Expiration module on freeradius side
> (works great).

Bypassing authentication is generally a bad idea.

> I have a few questions so it can help me determine next course of action:
>
> 1) is there a way to configure freeradius for Accounting only and also does
> the user expiration check?

No. User expiration checks are done on authentication.

> 2) is it possible for me in any way to reject expired user but accept eap
> based authentication (from configuration or code modification)?

Yes.

> 3) when connection is rejected does the strongswan side (xauth-eap plugin in
> particular) receive information that can differentiate this logic (send
> attribute that it can handle maybe? I have no idea how that works)?

A reject is a reject. The client usually doesn't get told *why* it was rejected.

Rather than asking vague questions, it would help to read the config files. They're documented in exhaustive detail.

Alan DeKok.