[strongSwan] How to have different IKEv2 auth schemes on one server?
Lev Serebryakov
2018-10-03 12:03:31 UTC
I have several connection setups for IKEv2 in ipsec.conf:

===============================
conn %default
[...SKIPPED...]
# right - remote (client) side
right=%any
rightsendcert=never
rightsourceip=192.168.27.0/24,2001:19f0:5001:229c:dead::/96
rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
keyexchange=ikev2
auto=add

conn ikev2-eap-tls
also="ikev2-pubkey"
rightauth=eap-tls
eap_identity=%identity

conn ikev2-mschap
also="ikev2-pubkey"
rightauth=eap-mschapv2
eap_identity=%identity

conn ikev1-xauth
keyexchange=ikev1
rightauth=xauth
auto=add
===============================

Such a config is shown in many tutorials. Different auth schemes are
needed for different clients.

But with this config I have a problem with Windows 10 clients: I want to
use EAP-MSCHAPv2 for Windows clients (username/password auth, without
client certs), but strongSwan offers the FIRST (EAP-TLS) scheme to the Windows
client and authentication fails, as Windows reports that it could not find a
compatible auth scheme.

Is it possible to limit different schemes to different client types?
--
// Black Lion AKA Lev Serebryakov
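The two EAP conns above inherit every peer selector (`keyexchange`, `right`, `rightid`) unchanged through `also=` and `%default`; the only line that differs is `rightauth`, which is exactly what a responder with `right=%any` cannot see until it has already picked a config and started an EAP method. The script below is an added example written for this thread, not code from strongSwan or from the poster. It parses an ipsec.conf-style fragment (a constructed sample modelled on the poster's layout, with the skipped lines omitted), resolves `%default` and `also=` inheritance, and reports groups of conns that are indistinguishable by those selectors yet configure different EAP methods. The `SELECTOR_KEYS` list is this lint's own simplification of how a responder tells peer configs apart; strongSwan's real matching is richer.

```python
"""
Lint for ipsec.conf 'conn' sections (added example, not from the strongSwan
thread or project): resolve %default and also= inheritance, then flag conns
that share the same peer selectors but configure different EAP methods.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the poster's layout (skipped lines omitted).
SAMPLE_CONF = """\
conn %default
    right=%any
    rightsendcert=never

conn ikev2-pubkey
    keyexchange=ikev2
    auto=add

conn ikev2-eap-tls
    also="ikev2-pubkey"
    rightauth=eap-tls
    eap_identity=%identity

conn ikev2-mschap
    also="ikev2-pubkey"
    rightauth=eap-mschapv2
    eap_identity=%identity

conn ikev1-xauth
    keyexchange=ikev1
    rightauth=xauth
    auto=add
"""

# Assumption for this lint: these are the keys a responder can use to pick a
# peer config before authentication is complete. strongSwan's matching is richer.
SELECTOR_KEYS = ("keyexchange", "left", "leftid", "right", "rightid")


def parse_conns(text):
    """Return {conn_name: {key: value}} per 'conn' section, without inheritance."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:   # e.g. elided lines
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def resolve(conns):
    """Apply also= chains and then %default so each conn carries effective values."""
    def effective(name, seen=()):
        if name in seen:
            raise ValueError("also= cycle at %s" % name)
        own = conns[name]
        merged = {}
        if "also" in own:                         # inherit first, then override
            merged.update(effective(own["also"], seen + (name,)))
        merged.update({k: v for k, v in own.items() if k != "also"})
        return merged

    default = conns.get("%default", {})
    resolved = {}
    for name in conns:
        if name == "%default":
            continue
        eff = dict(default)
        eff.update(effective(name))
        resolved[name] = eff
    return resolved


def auth_class(value):
    """Collapse every EAP method into one class: the responder only sees 'EAP' at first."""
    return "eap" if value.startswith("eap") else value


def ambiguous_groups(resolved):
    """Return sorted groups of conns with identical selectors but differing EAP methods."""
    groups = defaultdict(list)
    for name, cfg in resolved.items():
        rightauth = cfg.get("rightauth", "pubkey")   # strongSwan default is pubkey
        key = tuple(cfg.get(k, "") for k in SELECTOR_KEYS) + (auth_class(rightauth),)
        groups[key].append(name)
    result = []
    for names in groups.values():
        methods = {resolved[n].get("rightauth", "pubkey") for n in names}
        if len(names) > 1 and len(methods) > 1:
            result.append(sorted(names))
    return sorted(result)


if __name__ == "__main__":
    for names in ambiguous_groups(resolve(parse_conns(SAMPLE_CONF))):
        print("indistinguishable before EAP starts:", ", ".join(names))
```

On the sample this reports `ikev2-eap-tls, ikev2-mschap`: both resolve to `keyexchange=ikev2`, `right=%any` and no `rightid`, so whichever is loaded first is the one offered. Giving one of them a distinguishing selector (a `rightid` that only the intended client population presents) makes the group disappear, which is what the check is meant to surface when a config is edited.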