How to select a group using certificates

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Dec 16 07:36:03 PST 2015


On Wed, Dec 16, 2015 at 11:53 AM, yick xie <yick.xie at gmail.com> wrote:
> Hello,
> I set up the group config, which worked well with RADIUS, while
> the AnyConnect client cannot select a group using a certificate. No
> matter whether "cert-group-oid" was enabled or the client certificate was
> generated with an OU name, the client always bypassed the group selection.
> Hence I just inquire whether it is possible to allow certificate users to
> choose a group like RADIUS users, as they could belong to several groups.
>
> My config option:
> auth = "radius[config=/etc/radiusclient/radiusclient.conf]"
> enable-auth = certificate
> select-group = group1
> select-group = group2
> auto-select-group = false
> config-per-group = /etc/ocserv/config-per-group/

When you use certificates, all the groups that the user has access to
must be listed in the certificate. That is, when you generate it you
must specify all the groups as organizational units ("ou"), or any
other OID you like. For that to work you need to specify
cert-group-oid in the ocserv configuration as well.

regards,
Nikos
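As an added example that is not part of this thread or of ocserv's own code: a certtool template that carries the groups as OUs, the ocserv settings that read them, and a check that every select-group is actually present in the certificate. The group names, paths and the user "alice" are assumptions made for the demonstration.

```shell
# Added example, not from the thread or the ocserv project: template, ocserv
# fragment and a coverage check. Names and paths below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Certificate template: one "unit" (OU, 2.5.4.11) line per group the user may
# select. Issue it with certtool --generate-certificate --template client.tmpl
# plus the client key and the CA key/cert that ocserv's ca-cert trusts.
write_client_template() {
    cat > "$WORK/client.tmpl" <<'EOF'
cn = "alice"
unit = "group1"
unit = "group2"
expiration_days = 365
signing_key
tls_www_client
EOF
    printf '%s\n' "$WORK/client.tmpl"
}

# ocserv fragment: cert-group-oid names the attribute that carries the groups;
# without it the OUs are never consulted and the client skips group selection.
write_ocserv_fragment() {
    cat > "$WORK/groups.conf" <<'EOF'
enable-auth = certificate
cert-group-oid = 2.5.4.11
select-group = group1
select-group = group2
auto-select-group = false
config-per-group = /etc/ocserv/config-per-group/
EOF
    printf '%s\n' "$WORK/groups.conf"
}

template_groups() { sed -n 's/^unit *= *"\(.*\)"/\1/p' "$1"; }  # OUs in the template
ocserv_groups()   { sed -n 's/^select-group *= *//p' "$1"; }    # groups ocserv offers

# A select-group that is absent from the certificate is silently never offered
# to that user; report such groups and fail so the mismatch is caught early.
check_groups_covered() {
    template_groups "$1" > "$WORK/cert_groups"
    missing=$(ocserv_groups "$2" | grep -vxF -f "$WORK/cert_groups" || true)
    [ -z "$missing" ] && return 0
    printf 'not in certificate: %s\n' "$missing" >&2
    return 1
}
```

Running `check_groups_covered "$(write_client_template)" "$(write_ocserv_fragment)"` succeeds for the files above; adding a `select-group = group3` line to the fragment makes it report the missing OU.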


