free choice of authgroups

Kevin Cernekee cernekee at gmail.com
Mon May 19 07:59:27 PDT 2014


On Mon, May 19, 2014 at 6:01 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> Hello,
>  I am implementing the ability to allow selecting a group on login
> with ocserv, and I realized that the authgroup option of openconnect
> is limited to the list provided by the server. For example if server
> advertises group1 and group3, and I specify group2, I get:
> Auth choice "group2" not available.
>
> Is that really necessary? It could be simply a warning message, as
> there are cases where a server may support more groups than the ones
> advertised.

On Cisco this could be done through a group-url.  So instead of
entering a bare hostname, the user would enter something like
"https://vpn.foo.com/my-group-url".  The group-url namespace is
separate from the authgroup names used in the dropdown list, and so it
can include hidden groups.

More recently we also saw a case where fields in the client cert were
used to select the group.

These options are described here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

If ocserv asked the user to manually enter an authgroup name that was
not listed in the dialog, it would cause trouble for most/all GUI
clients.
