groupconfig issue with Radius Authentication

Nirvana Wubian wubian.trader at gmail.com
Mon Apr 3 10:52:28 PDT 2023


Hello,
Pardon me for my poor English.

I just configured the OpenConnect server and it works very well.
Thank you so much for creating such great software.

My problem is: if I add the "Class" attribute in my RADIUS with "OU=group1",
it is supposed to add the user to group1 after authentication, but it won't,
and it disconnects with this error:

 "radius-auth: user 'user2' requested group 'group1' but is not a member"

This is my ocserv.conf file content:
############################################################################
auth = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=true]"
acct = "radius [config=/etc/radcli/radiusclient.conf,groupconfig=true]"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "pam"
default-domain = server.myvpnserver.com
ipv4-network = 10.10.10.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 8.8.8.8
dns = 1.1.1.1
tcp-port = 443
server-cert = /etc/letsencrypt/live/server.myvpnserver.com/fullchain.pem
server-key = /etc/letsencrypt/live/server.myvpnserver.com/privkey.pem
keepalive = 300
max-same-clients = 10
rx-data-per-sec = 1200000
tx-data-per-sec = 1200000
#listen-proxy-proto = true
try-mtu-discovery = true
#user-profile = /path/to/file.xml
#config-per-group = /etc/ocserv/config-per-group/
#config-per-user = /etc/ocserv/config-per-user/
stats-report-time = 10
select-group = group1
#select-group = group4
#select-group = group8
auto-select-group = true

##########
run-as-user = nobody
run-as-group = daemon
socket-file = /run/ocserv.socket
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
isolate-workers = true
server-stats-reset-time = 604800
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 25
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
device = vpns
predictable-ips = true
ping-leases = false
cisco-client-compat = true
dtls-legacy = true
############################################################################

If I don't add the "Class" attribute in my RADIUS, everything works
well, but I need it. So is there any way I can use groupconfig with
RADIUS authentication?

Thank you so much in advance.
Regards,
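As an added illustration of the membership check that the quoted error message implies (a hypothetical model written for this thread, not ocserv's own code), the following script assumes the convention that a RADIUS Class value of the form `OU=group1;group2` lists the user's groups and that values without the `OU=` prefix carry no group; it lets you test what a given Access-Accept would yield for a requested group before touching the server.

```python
"""Hypothetical model of the 'requested group but is not a member' check.

ASSUMPTIONS (not taken from ocserv's source): a Class attribute value
prefixed with "OU=" names one or more groups separated by ";", and a
Class value without that prefix contributes no group.
"""
from typing import List, Optional

GROUP_PREFIX = "OU="  # assumed prefix, matching the post's "OU=group1"


def groups_from_class(class_values: List[str]) -> List[str]:
    """Collect group names from the Class values of an Access-Accept."""
    groups: List[str] = []
    for value in class_values:
        if not value.startswith(GROUP_PREFIX):
            continue  # assumption: only OU= values carry group names
        for name in value[len(GROUP_PREFIX):].split(";"):
            name = name.strip()
            if name and name not in groups:
                groups.append(name)
    return groups


def check_requested_group(user: str, class_values: List[str],
                          requested: Optional[str]) -> str:
    """Return "ok" when the requested group is among the user's RADIUS
    groups (or no group was requested); otherwise return the kind of
    message the post quotes."""
    groups = groups_from_class(class_values)
    if requested is None or requested in groups:
        return "ok"
    return (f"radius-auth: user '{user}' requested group '{requested}' "
            f"but is not a member")


if __name__ == "__main__":
    # Constructed sample replies mirroring the post's user2 / group1 case,
    # plus two common misconfigurations (wrong group, missing OU= prefix).
    print(check_requested_group("user2", ["OU=group1"], "group1"))
    print(check_requested_group("user2", ["OU=group1"], "group4"))
    print(check_requested_group("user2", ["group1"], "group1"))
```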
