free choice of authgroups

Steve steve at thupdi.net
Mon May 19 15:33:20 PDT 2014


Hi, I saw it done at 4755ee48c56dcb672ddcbcba4362f08eecf04a11 :)

Does it support authentication certificates with multiple OUs?

On Mon, May 19, 2014 at 11:21 PM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Mon, May 19, 2014 at 4:59 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>> Is that really necessary? It could be simply a warning message, as
>>> there are cases where a server may support more groups than the ones
>>> advertised.
>> On Cisco this could be done through a group-url.  So instead of
>> entering a bare hostname, the user would enter something like
>> "https://vpn.foo.com/my-group-url".  The group-url namespace is
>> separate from the authgroup names used in the dropdown list, and so it
>> can include hidden groups.
>
> That looks like a lot of legacy cruft and I'd like to avoid using the
> URL if possible. Even openconnect accepts the one type of group
> differently from the other (as I understand there is --usergroup and
> --authgroup).
>
>> More recently we also saw a case where fields in the client cert were
>> used to select the group.
>
> That is supported in ocserv too.
>
>> These options are described here:
>> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
>> If ocserv asked the user to manually enter an authgroup name that was
>> not listed in the dialog, it would cause trouble for most/all GUI
>> clients.
>
> I see, but I'd like to simplify the group selection by not adding any
> cisco legacy cruft. I'll experiment a bit with that.
>
> regards,
> Nikos
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
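As an added illustration of the certificate-field-based group selection discussed above (not ocserv's or openconnect's own code; the OU-to-group policy table and the sample subjects are constructed), a small Python routine that collects every OU from a client-certificate subject and admits only an authgroup that one of those OUs grants, so a multi-OU certificate is handled rather than just its first OU:

```python
import re
from typing import List, Tuple

# Constructed sample subjects in RFC 4514 string form (not from the thread).
SAMPLE_SUBJECTS = [
    "CN=alice,OU=engineering,OU=vpn-admins,O=Example Corp,C=US",
    "CN=bob,OU=sales,O=Example Corp,C=US",
    r"CN=carol,OU=ops\, night shift,O=Example Corp,C=US",
]

# Hypothetical server policy: which OU value grants which authgroup.
OU_TO_AUTHGROUP = {
    "vpn-admins": "admins",
    "engineering": "eng",
    "sales": "sales",
}

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Turn a DN string into (attribute, value) pairs, unescaping '\\,' in values."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def organizational_units(dn: str) -> List[str]:
    """All OU values in subject order; a subject may legitimately carry several."""
    return [value for attr, value in parse_dn(dn) if attr == "OU"]


def allowed_authgroups(dn: str, policy=OU_TO_AUTHGROUP) -> List[str]:
    """Groups this certificate grants: each known OU contributes one, deduplicated."""
    groups = []
    for ou in organizational_units(dn):
        group = policy.get(ou)
        if group is not None and group not in groups:
            groups.append(group)
    return groups


def authorize_group(dn: str, requested: str, policy=OU_TO_AUTHGROUP) -> bool:
    """True only if the requested authgroup is one the certificate's OUs grant."""
    return requested in allowed_authgroups(dn, policy)
```

An unknown OU (as in the third sample) grants nothing, so a client asking for a group its certificate does not carry is refused rather than silently mapped.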
