ocserv: user group not assigned when using certificate authentication

sskaje sskaje at gmail.com
Fri Aug 29 00:14:04 PDT 2014


I retried again.
This time a group named DEFAULT was shown; I picked that and everything works fine now.

Thank you Nikos.

sskaje
http://sskaje.me/
sskaje at gmail.com



On Aug 29, 2014, at 15:08, sskaje <sskaje at gmail.com> wrote:

> Forgot to reply all.
> 
> On Aug 29, 2014, at 15:05, sskaje <sskaje at gmail.com> wrote:
> 
>> Nikos,
>> I pulled your latest commit and changed config:
>> 
>> # grep group  /opt/ocserv/etc/config |grep -v '^#'
>> cert-group-oid = 2.5.4.11
>> run-as-group = daemon
>> config-per-group = /opt/ocserv/etc/config-per-group/
>> default-group-config = /opt/ocserv/etc/defaults/group.conf
>> select-group = vpn
>> select-group = dnsonly
>> default-select-group = DEFAULT
>> auto-select-group = true
>> 
>> 
>> auto-select-group was set both true and false for testing, same result.
>> 
>> Then I removed all mobileconfigs on the iPhone and removed the Cisco AnyConnect app, then installed both again.
>> 
>> The first time I tried to establish a connection with cn=sskaje, a group selection prompt appeared again; this time I picked group=vpn and it connected.
>> I disconnected and chose to connect with cn=dnsonly, which failed.
>> error:
>> 
>> 
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept: */*
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept-Encoding: identity
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Aggregate-Auth: 1
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Connection: close
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Length: 353
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Type: application/x-www-form-urlencoded
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP POST /
>> ocserv[5568]: worker: IPIPIPIP:18887 POST body: '<?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init">
>> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
>> <version who="vpn">3.0.09440</version>
>> <group-select>vpn</group-select>
>> <group-access>https://sskaje.me:PORT/</group-access>
>> </config-auth>
>> '
>> ocserv[5568]: TLS[<2>]: ASSERT: common.c:1792
>> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:310
>> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:420
>> ocserv[5568]: TLS[<2>]: ASSERT: x509.c:507
>> ocserv[5568]: worker: IPIPIPIP:18887 sending message 'sm: auth init' to secmod
>> ocserv[5550]: sec-mod: received request from pid 5568 and uid 65534
>> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
>> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
>> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
>> ocserv[5568]: common.c:316: recvmsg returned zero
>> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:684: error receiving auth reply message
>> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:1236: failed authentication for ''
>> ocserv[5568]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
>> ocserv[5568]: TLS[<9>]: ENC[0x176b060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
>> 
>> ....
>> 
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept: */*
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept-Encoding: identity
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Aggregate-Auth: 1
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Connection: close
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Length: 353
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Type: application/x-www-form-urlencoded
>> ocserv[5568]: worker: IPIPIPIP:18887 HTTP POST /
>> ocserv[5568]: worker: IPIPIPIP:18887 POST body: '<?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init">
>> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
>> <version who="vpn">3.0.09440</version>
>> <group-select>vpn</group-select>
>> <group-access>https://sskaje.me:PORT/</group-access>
>> </config-auth>
>> '
>> ocserv[5568]: TLS[<2>]: ASSERT: common.c:1792
>> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:310
>> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:420
>> ocserv[5568]: TLS[<2>]: ASSERT: x509.c:507
>> ocserv[5568]: worker: IPIPIPIP:18887 sending message 'sm: auth init' to secmod
>> ocserv[5550]: sec-mod: received request from pid 5568 and uid 65534
>> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
>> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
>> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
>> ocserv[5568]: common.c:316: recvmsg returned zero
>> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:684: error receiving auth reply message
>> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:1236: failed authentication for ''
>> ocserv[5568]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
>> ocserv[5568]: TLS[<9>]: ENC[0x176b060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
>> 
>> ....
>> 
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-Aggregate-Auth: 1
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Connection: close
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Content-Length: 353
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Content-Type: application/x-www-form-urlencoded
>> ocserv[5569]: worker: IPIPIPIP:18930 HTTP POST /
>> ocserv[5569]: worker: IPIPIPIP:18930 POST body: '<?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init">
>> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
>> <version who="vpn">3.0.09440</version>
>> <group-select>vpn</group-select>
>> <group-access>https://sskaje.me:PORT/</group-access>
>> </config-auth>
>> '
>> ocserv[5569]: TLS[<2>]: ASSERT: common.c:1792
>> ocserv[5569]: TLS[<2>]: ASSERT: dn.c:310
>> ocserv[5569]: TLS[<2>]: ASSERT: dn.c:420
>> ocserv[5569]: TLS[<2>]: ASSERT: x509.c:507
>> ocserv[5569]: worker: IPIPIPIP:18930 sending message 'sm: auth init' to secmod
>> ocserv[5550]: sec-mod: received request from pid 5569 and uid 65534
>> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
>> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
>> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
>> ocserv[5569]: common.c:316: recvmsg returned zero
>> ocserv[5569]: worker: IPIPIPIP:18930 worker-auth.c:684: error receiving auth reply message
>> ocserv[5569]: worker: IPIPIPIP:18930 worker-auth.c:1236: failed authentication for ''
>> ocserv[5569]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
>> 
>> 
>> 
>> sskaje
>> http://sskaje.me/
>> sskaje at gmail.com
>> 
>> 
>> 
>> On Aug 29, 2014, at 14:34, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
>> 
>>> On Thu, Aug 28, 2014 at 10:22 AM, sskaje <sskaje at gmail.com> wrote:
>>>> Nikos,
>>>> I have these in my config file:
>>>> 
>>>> # grep group  /opt/ocserv/etc/config |grep -v '^#'
>>>> cert-group-oid = 2.5.4.11
>>>> run-as-group = daemon
>>>> config-per-group = /opt/ocserv/etc/config-per-group/
>>>> default-group-config = /opt/ocserv/etc/defaults/group.conf
>>>> select-group = vpn
>>>> select-group = dnsonly
>>>> default-select-group = vpn
>>> ^^^^^
>>> 
>>> I believe the above is what causes the issue. I've tried to clarify
>>> what default-select-group is in the documentation. It is a virtual
>>> group that allows a user to select the default assigned to him (in
>>> case he belongs to multiple groups). The way you use it shouldn't do
>>> any harm, however, but it had the bug you noticed. It should be fixed
>>> in the master branch now though.
>>> 
>>> regards,
>>> Nikos
>> 
> 
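The check that the sec-mod log line in the thread reports ("requested group 'vpn' but is not included on his certificate groups"), and the role of the virtual default-select-group that Nikos describes, modelled as an added Python example. This is not ocserv's code: the group names, the OID 2.5.4.11 (OU) and the log message shape come from the quoted config and log; the subject DN strings (OU=dnsonly, OU=vpn), the rule that the certificate's first group is the user's default, and the config collision check are assumptions of this model.

```python
"""Model of the certificate-group check reported by the sec-mod log line
("user '' requested group 'vpn' but is not included on his certificate groups").
Added example, not ocserv's implementation. Group names and the OID come from
the config quoted in the thread; the DN strings and the log sample are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class GroupConfig:
    cert_group_oid: str = "2.5.4.11"                      # cert-group-oid from the thread (OU)
    select_groups: Tuple[str, ...] = ("vpn", "dnsonly")   # the select-group entries
    default_select_group: str = "DEFAULT"                 # virtual "pick my default" entry


# Only the attributes this model needs; 2.5.4.11 is the OU OID used in the thread.
OID_TO_ATTR = {"2.5.4.11": "OU", "2.5.4.3": "CN", "2.5.4.10": "O"}


def cert_groups(subject_dn: str, cfg: GroupConfig) -> List[str]:
    """Every RDN value whose attribute matches cert-group-oid, in DN order.
    Parses only the simple constructed form 'CN=x,OU=a,OU=b' (no escaped commas)."""
    attr = OID_TO_ATTR[cfg.cert_group_oid]
    groups = []
    for rdn in subject_dn.split(","):
        name, _, value = rdn.partition("=")
        if name.strip().upper() == attr:
            groups.append(value.strip())
    return groups


def validate_config(cfg: GroupConfig) -> None:
    """Added safeguard (an assumption of this model, not documented ocserv
    behaviour): the virtual default-select-group must not reuse a real group
    name, which is the ambiguity that 'default-select-group = vpn' created."""
    if cfg.default_select_group in cfg.select_groups:
        raise ValueError(
            "default-select-group %r collides with a real select-group"
            % cfg.default_select_group)


def resolve_group(subject_dn: str, requested: Optional[str],
                  cfg: GroupConfig) -> Optional[str]:
    """Return the group to assign, or None to deny.

    Selecting the virtual default (or nothing) yields the certificate's first
    group (assumption: the first OU is the user's default). Any other selection
    must name a group the certificate actually carries; <group-select> is
    client-controlled input, so the certificate, not the client, decides."""
    groups = cert_groups(subject_dn, cfg)
    if not groups:
        return None                       # certificate carries no group: deny
    if requested is None or requested == cfg.default_select_group:
        return groups[0]
    return requested if requested in groups else None


DENIAL_RE = re.compile(
    r"sec-mod: user '(?P<user>[^']*)' requested group '(?P<group>[^']*)' "
    r"but is not included on his certificate groups")


def denied_group_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """(user, group) for each sec-mod denial line, so repeated attempts to pick
    a group the certificate does not authorise can be alerted on."""
    found = []
    for line in log_lines:
        m = DENIAL_RE.search(line)
        if m:
            found.append((m.group("user"), m.group("group")))
    return found


# Constructed log sample shaped like the thread's output.
SAMPLE_LOG = [
    "ocserv[5550]: sec-mod: cmd [size=47] sm: auth init",
    "ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups",
    "ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)",
]

if __name__ == "__main__":
    cfg = GroupConfig()
    validate_config(cfg)
    # cn=dnsonly is from the thread; OU=dnsonly is an assumed group attribute.
    print(resolve_group("CN=dnsonly,OU=dnsonly", "vpn", cfg))      # None: denied, as in the log
    print(resolve_group("CN=dnsonly,OU=dnsonly", "DEFAULT", cfg))  # dnsonly: the virtual default works
    print(denied_group_requests(SAMPLE_LOG))                       # [('', 'vpn')]
```

The model reproduces the two outcomes in the thread: a cn=dnsonly certificate asking for group vpn is denied, while asking for the virtual DEFAULT entry resolves to the certificate's own group. The validate_config() check is this example's own addition; it rejects the earlier config where default-select-group was set to vpn, because once the virtual entry shares a name with a real group the server cannot tell "give me my default" apart from "give me vpn".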
