iOS anyconnect certificate auth?
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon Feb 3 07:12:07 EST 2014
On Mon, Feb 3, 2014 at 11:54 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
>>> Is it possible to let ocserv to authenticate iOS client with "auto
>>> certificate" option?
>> Could you elaborate on what is this option supposed to do?
> I'd guess it lets you authenticate with a password as a one-off, and
> provisons a certificate with SCEP?
That sounds interesting. One could use something like that to allow
users to self-initialize a smart card (or a secure element in a
mobile) with a key for a specific server that will pin the user.
However it seems that SCEP is marked as historic [0]. Is there any new
protocol replacing it? Does openconnect support scep?
[0]. http://tools.ietf.org/html/draft-nourse-scep-23
On Mon, Feb 3, 2014 at 11:58 AM, Steve <steve at thupdi.net> wrote:
>>> Is it possible to let ocserv to authenticate iOS client with "auto
>>> certificate" option?
>> Could you elaborate on what is this option supposed to do?
> Just like below I said, iOS anyconnect could connect to ASA server
> without manually client cert installed...
I'll have to see the protocol, but having captures of this exchange
would be necessary to evaluate it.
btw. what happens if a user connects without the certificate when he
was assigned one?
regards,
Nikos
More information about the openconnect-devel
mailing list