ocserv: user group not assigned when using certificate authentication

sskaje sskaje at gmail.com
Fri Aug 29 00:08:37 PDT 2014


Forgot to reply all.

On 29 Aug 2014, at 15:05, sskaje <sskaje at gmail.com> wrote:

> Nikos,
> I pulled your latest commit and changed config:
> 
> # grep group  /opt/ocserv/etc/config |grep -v '^#'
> cert-group-oid = 2.5.4.11
> run-as-group = daemon
> config-per-group = /opt/ocserv/etc/config-per-group/
> default-group-config = /opt/ocserv/etc/defaults/group.conf
> select-group = vpn
> select-group = dnsonly
> default-select-group = DEFAULT
> auto-select-group = true
> 
> 
> auto-select-group was set both true and false for testing, same result.
> 
> Then I removed all mobileconfig on iPhone and remove Cisco AnyConnect App, then installed both.
> 
> The first time I tried to establish connection on cn=sskaje, a group selection was prompted again, and this time I picked group=vpn, connected.
> Disconnected and chose to connect with cn=dnsonly, which failed.
> error:
> 
> 
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept: */*
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept-Encoding: identity
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Aggregate-Auth: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Connection: close
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Length: 353
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Type: application/x-www-form-urlencoded
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP POST /
> ocserv[5568]: worker: IPIPIPIP:18887 POST body: '<?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init">
> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
> <version who="vpn">3.0.09440</version>
> <group-select>vpn</group-select>
> <group-access>https://sskaje.me:PORT/</group-access>
> </config-auth>
> '
> ocserv[5568]: TLS[<2>]: ASSERT: common.c:1792
> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:310
> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:420
> ocserv[5568]: TLS[<2>]: ASSERT: x509.c:507
> ocserv[5568]: worker: IPIPIPIP:18887 sending message 'sm: auth init' to secmod
> ocserv[5550]: sec-mod: received request from pid 5568 and uid 65534
> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
> ocserv[5568]: common.c:316: recvmsg returned zero
> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:684: error receiving auth reply message
> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:1236: failed authentication for ''
> ocserv[5568]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
> ocserv[5568]: TLS[<9>]: ENC[0x176b060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
> 
> ....
> 
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept: */*
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept-Encoding: identity
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Aggregate-Auth: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Connection: close
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Length: 353
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Type: application/x-www-form-urlencoded
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP POST /
> ocserv[5568]: worker: IPIPIPIP:18887 POST body: '<?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init">
> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
> <version who="vpn">3.0.09440</version>
> <group-select>vpn</group-select>
> <group-access>https://sskaje.me:PORT/</group-access>
> </config-auth>
> '
> ocserv[5568]: TLS[<2>]: ASSERT: common.c:1792
> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:310
> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:420
> ocserv[5568]: TLS[<2>]: ASSERT: x509.c:507
> ocserv[5568]: worker: IPIPIPIP:18887 sending message 'sm: auth init' to secmod
> ocserv[5550]: sec-mod: received request from pid 5568 and uid 65534
> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
> ocserv[5568]: common.c:316: recvmsg returned zero
> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:684: error receiving auth reply message
> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:1236: failed authentication for ''
> ocserv[5568]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
> ocserv[5568]: TLS[<9>]: ENC[0x176b060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
> 
> ....
> 
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-Aggregate-Auth: 1
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Connection: close
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Content-Length: 353
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Content-Type: application/x-www-form-urlencoded
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP POST /
> ocserv[5569]: worker: IPIPIPIP:18930 POST body: '<?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init">
> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
> <version who="vpn">3.0.09440</version>
> <group-select>vpn</group-select>
> <group-access>https://sskaje.me:PORT/</group-access>
> </config-auth>
> '
> ocserv[5569]: TLS[<2>]: ASSERT: common.c:1792
> ocserv[5569]: TLS[<2>]: ASSERT: dn.c:310
> ocserv[5569]: TLS[<2>]: ASSERT: dn.c:420
> ocserv[5569]: TLS[<2>]: ASSERT: x509.c:507
> ocserv[5569]: worker: IPIPIPIP:18930 sending message 'sm: auth init' to secmod
> ocserv[5550]: sec-mod: received request from pid 5569 and uid 65534
> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
> ocserv[5569]: common.c:316: recvmsg returned zero
> ocserv[5569]: worker: IPIPIPIP:18930 worker-auth.c:684: error receiving auth reply message
> ocserv[5569]: worker: IPIPIPIP:18930 worker-auth.c:1236: failed authentication for ''
> ocserv[5569]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
> 
> 
> 
> sskaje
> http://sskaje.me/
> sskaje at gmail.com
> 
> 
> 
> On 29 Aug 2014, at 14:34, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> 
>> On Thu, Aug 28, 2014 at 10:22 AM, sskaje <sskaje at gmail.com> wrote:
>>> Nikos,
>>> I have these in my config file:
>>> 
>>> # grep group  /opt/ocserv/etc/config |grep -v '^#'
>>> cert-group-oid = 2.5.4.11
>>> run-as-group = daemon
>>> config-per-group = /opt/ocserv/etc/config-per-group/
>>> default-group-config = /opt/ocserv/etc/defaults/group.conf
>>> select-group = vpn
>>> select-group = dnsonly
>>> default-select-group = vpn
>>  ^^^^^
>> 
>> I believe the above is what causes the issue. I've tried to clarify
>> what default-select-group is in the documentation. It is a virtual
>> group that allows a user to select the default assigned to him (in
>> case he belongs to multiple groups). The way you use it shouldn't do
>> any harm however, but it had the bug you noticed. It should be fixed
>> in the master branch now though.
>> 
>> regards,
>> Nikos
> 
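The rejection in the sec-mod log lines above ("requested group 'vpn' but is not included on his certificate groups") and the config collision Nikos points at (default-select-group named after a real group) can be checked offline before a client ever connects. The following is an added example written for this archive page, not ocserv's own code: it parses the `key = value` config keys shown in the thread, reads the group attribute out of a certificate subject DN using the configured `cert-group-oid` (2.5.4.11 is organizationalUnitName), and models the accept/reject decision. The behaviour of the virtual default-select-group (resolving to the certificate's first group) and the two constructed configs are assumptions drawn from the thread, not from the ocserv source.

```python
# Added example, not ocserv's code. Models the certificate-group check seen
# in the sec-mod log above and lints the default-select-group collision.
# Group semantics are an assumption drawn from the thread.

# Attribute names for the X.520 DN OIDs this model understands.
OID_TO_ATTR = {
    "2.5.4.3": "CN",    # commonName
    "2.5.4.10": "O",    # organizationName
    "2.5.4.11": "OU",   # organizationalUnitName (the cert-group-oid in the thread)
}

# Constructed configs mirroring the thread: the one Nikos flagged, and the
# reworked one where the virtual group gets a name of its own.
BAD_CONFIG = """
cert-group-oid = 2.5.4.11
select-group = vpn
select-group = dnsonly
default-select-group = vpn
"""

OK_CONFIG = """
cert-group-oid = 2.5.4.11
select-group = vpn
select-group = dnsonly
default-select-group = DEFAULT
auto-select-group = true
"""


def parse_ocserv_config(text):
    """Parse 'key = value' lines; comments and blanks are skipped.

    A key that appears more than once (like select-group) keeps every value
    in order, so the parser returns a dict of lists.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        cfg.setdefault(key, []).append(value)
    return cfg


def groups_from_dn(subject_dn, group_oid):
    """Return the values of the configured group attribute in a subject DN.

    subject_dn is a comma-separated string such as 'CN=alice,OU=vpn,O=Example'
    (escaped commas are not handled in this model).
    """
    attr = OID_TO_ATTR.get(group_oid)
    if attr is None:
        raise ValueError(f"unsupported cert-group-oid {group_oid}")
    groups = []
    for rdn in subject_dn.split(","):
        name, _, value = rdn.strip().partition("=")
        if name.strip().upper() == attr and value.strip():
            groups.append(value.strip())
    return groups


def check_group_request(cfg, subject_dn, requested):
    """Decide whether a client's <group-select> should be honoured.

    Rule modelled from the log: the requested group must be one of the groups
    carried in the certificate.  Requesting the default-select-group name (a
    virtual group, per Nikos) is an assumption here: it resolves to the first
    certificate group, or is rejected when the certificate carries none.
    Returns (accepted, effective_group_or_reason).
    """
    oid = cfg.get("cert-group-oid", ["2.5.4.11"])[0]
    cert_groups = groups_from_dn(subject_dn, oid)
    virtual = cfg.get("default-select-group", [None])[0]
    if virtual is not None and requested == virtual:
        if not cert_groups:
            return False, "certificate carries no group; nothing to default to"
        return True, cert_groups[0]
    if requested not in cert_groups:
        return False, (f"requested group '{requested}' but is not included "
                       f"on his certificate groups {cert_groups}")
    return True, requested


def audit_config(cfg):
    """Flag the misconfiguration from the thread.

    default-select-group names a virtual group; giving it the name of a real
    select-group makes the virtual and real group indistinguishable.
    """
    warnings = []
    virtual = cfg.get("default-select-group", [None])[0]
    if virtual is not None and virtual in cfg.get("select-group", []):
        warnings.append(f"default-select-group '{virtual}' is also a real "
                        f"select-group; use a distinct virtual name")
    return warnings


if __name__ == "__main__":
    for label, text in (("bad", BAD_CONFIG), ("ok", OK_CONFIG)):
        cfg = parse_ocserv_config(text)
        print(label, "config warnings:", audit_config(cfg) or "none")
    cfg = parse_ocserv_config(OK_CONFIG)
    # A dnsonly-only certificate asking for 'vpn' reproduces the log's rejection.
    print(check_group_request(cfg, "CN=dnsonly,OU=dnsonly,O=Example", "vpn"))
    print(check_group_request(cfg, "CN=sskaje,OU=vpn,OU=dnsonly,O=Example", "DEFAULT"))
```

Run against a real deployment, the DN would come from the client certificate (for example `certtool -i` output) and the config from the file the `grep` in the thread reads; the model then tells you whether a group-select request can succeed before the client reports a bare "authentication failed".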




More information about the openconnect-devel mailing list