You say on [1] that "The native iOS and OS X clients are known to work fine with multiple authentication rounds.", yet I have the server configured with multiple rounds using xauth but OSX is only requesting EAP
connections { radius { version = 2 send_cert = always encap = yes pools = pool1 unique = replace proposals = aes256-sha256-prfsha256-ecp256-modp2048 local { id = vpnserver certs = vpnserver.crt } remote { auth = xauth-radius:passandcode } children { net { local_ts = 172.31.0.0/16 } } } } eap-radius { load = yes accounting = yes nas_identifier = vpn-pod1 servers { primary { address = 172.31.19.90 # TODO: change to DNS secret = KFdHr0sgw$kOfFgh # /etc/freeradius/clients.conf } } xauth { passandcode { password = Please enter your Password: passcode = Please enter current authenticator token code: } } } 10[CFG] selected peer config 'radius' 10[IKE] peer requested EAP, config inacceptable 10[CFG] no alternative config found 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding 10[IKE] peer supports MOBIKE 10[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] [1] https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Arbitrary-RADIUS-attribute-forwarding <https://wiki.strongswan.org/projects/strongswan/wiki/EapRadius#Arbitrary-RADIUS-attribute-forwarding>