Identity in CA certificate to accept for authentication

Authentication to expect from remote

Section for a certificate candidate to use for authentication

IKE identity to expect for authentication round

List of certificates to accept for authentication

Optional numeric identifier by which authentication rounds are sorted

Section for a CA certificate to accept for authentication

Identity to use as peer identity during EAP authentication

List of CA certificates to accept for authentication

List of raw public keys to accept for authentication

Authorization group memberships to require

List of certificate policy OIDs the peer's certificate must have

Certificate revocation policy for CRL or OCSP revocation.

• A strict revocation policy fails if no revocation information is available, i.e. the certificate is not known to be unrevoked.
• ifuri fails only if a CRL/OCSP URI is available, but certificate revocation checking fails, i.e. there should be revocation information available, but it could not be obtained.
• The default revocation policy relaxed fails only if a certificate is revoked, i.e. it is explicitly known that it is bad