Certificates with password

Matthew Zimmerman mzimmerman at gmail.com
Wed Apr 5 10:42:38 PDT 2017


Turns out this seems to be a compatibility issue with the AnyConnect
client, as when using the openconnect client on Linux I can
successfully connect with the certificate authentication mode turned
on.

On Wed, Apr 5, 2017 at 11:57 AM, Matthew Zimmerman <mzimmerman at gmail.com> wrote:
> The client certificates I would like to use for ocserv are issued as part of
> another business process and I can't re-issue them.  They don't have the
> usernames I would like to use embedded in them.  They do have an email
> address as the SAN(rfc822name).
>
> I can see the username (email) getting extracted during the login process,
> however the anyconnect client then disconnects.  I can't tell from the
> ocserv logs (running -d 9999) what the reason why is.
>
> When I think about what needs to happen however, I have specified the
> authentication of the certificate/user, but there's no location in the
> config where I give certain users authorization.  How does that work?
>
> As an aside, I tried to use ocpasswd to create passwords for the email
> addresses associated with the certificates, however that doesn't seem to
> work either.
>
> Finally as a last resort, is it possible to do the certificate verification
> (meaning that they're issued by a trusted CA) only and then use the password
> for the actual authentication?
>
> Thanks,
> Matt
>
>
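The question above turns on two separate steps: checking that the client certificate chains to a trusted CA, and deciding which identity (here the rfc822Name in the SAN) is used as the username. The following shell script is an added example, not code from this thread or from ocserv: it builds a constructed self-signed certificate whose only identity is an email SAN, prints the email OpenSSL finds in it, and verifies it against a CA file. Paths, the CN and the email address are assumptions; it needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread). Shows what an "email from SAN"
# username extraction would see, kept separate from chain verification.
# Assumes OpenSSL 1.1.1+ (for -addext).

# Constructed test certificate: self-signed, no username in the subject,
# identity carried only as a SAN rfc822Name, as described in the thread.
make_test_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=issued elsewhere" \
    -addext "subjectAltName=email:matt.example@example.invalid" \
    >/dev/null 2>&1
}

# Print every email address in the certificate (subject emailAddress
# and SAN rfc822Name entries). This is the value a server extracting
# the username from the SAN would work with.
cert_emails() {
  openssl x509 -in "$1" -noout -email
}

# Verification step only: does the certificate chain to the trusted CA
# in $2? Success here says nothing about whether that user is authorized.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_test_cert "$tmp"
echo "Email SAN present in the certificate:"
cert_emails "$tmp/cert.pem"
if cert_chains_to "$tmp/cert.pem" "$tmp/cert.pem"; then
  echo "Chain verification: OK (against its own cert as CA file)"
fi
```

Running `cert_emails` against a real issued certificate shows the exact string the server would be matching on; if that differs in case or domain from the entries created with ocpasswd, the two steps will not line up even though the certificate itself verifies.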


