Is it possible to force use of the authgroup?

Kevin Cernekee cernekee at gmail.com
Fri Apr 11 08:10:11 PDT 2014


On Fri, Apr 11, 2014 at 3:16 AM, Andrew Stubbs <andrew.stubbs at gmail.com> wrote:
> Something changed on the server end last night, and this morning I cannot
> authenticate because it does not prompt which authgroup I want to use. When
> I try to log in anyway I get a message that I don't have permission to do
> that and I should use the authgroup.
>
> Basically it wants me to log in using an option that it hasn't presented to
> me.
>
> I've tried with and without the --authgroup setting, but neither works. I
> presume this is because no authgroups are prompted for. Is it possible to
> insist on logging in that way?

Your authgroup can be set a couple of ways:

 - Through the dropdown (which doesn't seem to be enabled here)
 - From a group-url, e.g. https://vpn.foobar.com/mygroup
 - From your client cert

For the last item, we did see some cases where the client cert would
not be requested.  You can try --no-http-keepalive as a quick
workaround.

If that doesn't help, try building the latest head of tree from
git.infradead.org.  If at all possible, leave XML POST enabled and use
a CSD wrapper script.

> The Windows AnyConnect client works fine, so I presume something is
> possible.

Does the official Linux AnyConnect client work?  Which version?

Do you see an authgroup dropdown in that client?  If so, does it
disappear when you don't present the client cert?



More information about the openconnect-devel mailing list