free choice of authgroups

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon May 19 08:21:26 PDT 2014


On Mon, May 19, 2014 at 4:59 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> Is that really necessary? It could be simply a warning message, as
>> there are cases where a server may support more groups that the ones
>> advertised.
> On Cisco this could be done through a group-url.  So instead of
> entering a bare hostname, the user would enter something like
> "https://vpn.foo.com/my-group-url".  The group-url namespace is
> separate from the authgroup names used in the dropdown list, and so it
> can include hidden groups.

That looks like a lot of legacy cruft and I'd like to avoid using the
URL if possible. Even openconnect accepts the one type of group
differently from the other (as I understand there is --usergroup and
--authgroup).

> More recently we also saw a case where fields in the client cert were
> used to select the group.

That is supported in ocserv too.

> These options are described here:
> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
> If ocserv asked the user to manually enter an authgroup name that was
> not listed in the dialog, it would cause trouble for most/all GUI
> clients.

I see, but I'd like to simplify the group selection by not adding any
Cisco legacy cruft. I'll experiment a bit with that.

regards,
Nikos
