I did check again, if after any of the updates somehow magically it will start working, but no.
ROS 6.42.3, latest freeradius (3.0.17) and windows 10 (1803) client, everything looks the same.
IKEV2 with eap-only, using certificate signed by another self-signed (untrusted) CA.
CA is added to windows trusted store (local, computer, trusted CA).
When using "ikev2 rsa signature" everything works perfectly (windows client is using certificate then signed by the same CA).
When I switch to eap only I get errors:
in mikrotik it's "ipsec no proposal chosen"
in windows I see "rules mismatch"
Both errors seem pretty weird, since changing "rsa signature -> eap only" shouldn't be affecting at all "ipsec proposal", so maybe error is somewhere else, just doesn't show up in debug?
Authentication works perfectly (client passes credentials to mikrotik, mikrotik to radius, radius returns access-accept) and then it just fails with the errors as above.
Maybe there's something with certificate that needs to be changed, but then I'm not sure what.
I'd also love to see working "eap only" ikev2 configuration, just for /ipsec.