Forgot to reply all.

On Aug 29, 2014, at 15:05, sskaje <sskaje at gmail.com> wrote:

> Nikos,
> I pulled your latest commit and changed config:
>
> # grep group /opt/ocserv/etc/config |grep -v '^#'
> cert-group-oid = 2.5.4.11
> run-as-group = daemon
> config-per-group = /opt/ocserv/etc/config-per-group/
> default-group-config = /opt/ocserv/etc/defaults/group.conf
> select-group = vpn
> select-group = dnsonly
> default-select-group = DEFAULT
> auto-select-group = true
>
>
> auto-select-group was set both true and false for testing, same result.
>
> Then I removed all mobileconfig on iPhone and removed the Cisco AnyConnect App, then installed both.
>
> The first time I tried to establish a connection on cn=sskaje, a group selection was prompted again, and this time I picked group=vpn, connected.
> Disconnect and choose to connect with cn=dnsonly, failed.
> error:
>
>
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept: */*
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Accept-Encoding: identity
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Transcend-Version: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-ClientVersion: 3.0.09440
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Platform: apple-ios
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-PlatformVersion: 7.1.2
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: X-Aggregate-Auth: 1
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Connection: close
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Length: 353
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP: Content-Type: application/x-www-form-urlencoded
> ocserv[5568]: worker: IPIPIPIP:18887 HTTP POST /
> ocserv[5568]: worker: IPIPIPIP:18887 POST body: '<?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init">
> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
> <version who="vpn">3.0.09440</version>
> <group-select>vpn</group-select>
> <group-access>https://sskaje.me:PORT/</group-access>
> </config-auth>
> '
> ocserv[5568]: TLS[<2>]: ASSERT: common.c:1792
> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:310
> ocserv[5568]: TLS[<2>]: ASSERT: dn.c:420
> ocserv[5568]: TLS[<2>]: ASSERT: x509.c:507
> ocserv[5568]: worker: IPIPIPIP:18887 sending message 'sm: auth init' to secmod
> ocserv[5550]: sec-mod: received request from pid 5568 and uid 65534
> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
> ocserv[5568]: common.c:316: recvmsg returned zero
> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:684: error receiving auth reply message
> ocserv[5568]: worker: IPIPIPIP:18887 worker-auth.c:1236: failed authentication for ''
> ocserv[5568]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
> ocserv[5568]: TLS[<9>]: ENC[0x176b060]: cipher: AES-128-CBC, MAC: SHA1, Epoch: 1
>
> ....
>
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-AnyConnect-Identifier-DeviceType: iPhone6,2
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-AnyConnect-Identifier-Device-UniqueID: UIDUIDUIDUID
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: X-Aggregate-Auth: 1
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Connection: close
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Content-Length: 353
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP: Content-Type: application/x-www-form-urlencoded
> ocserv[5569]: worker: IPIPIPIP:18930 HTTP POST /
> ocserv[5569]: worker: IPIPIPIP:18930 POST body: '<?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init">
> <device-id platform-version="7.1.2" device-type="iPhone6,2" unique-id="UIDUIDUIDUID">apple-ios</device-id>
> <version who="vpn">3.0.09440</version>
> <group-select>vpn</group-select>
> <group-access>https://sskaje.me:PORT/</group-access>
> </config-auth>
> '
> ocserv[5569]: TLS[<2>]: ASSERT: common.c:1792
> ocserv[5569]: TLS[<2>]: ASSERT: dn.c:310
> ocserv[5569]: TLS[<2>]: ASSERT: dn.c:420
> ocserv[5569]: TLS[<2>]: ASSERT: x509.c:507
> ocserv[5569]: worker: IPIPIPIP:18930 sending message 'sm: auth init' to secmod
> ocserv[5550]: sec-mod: received request from pid 5569 and uid 65534
> ocserv[5550]: sec-mod: cmd [size=47] sm: auth init
> ocserv[5550]: sec-mod: user '' requested group 'vpn' but is not included on his certificate groups
> ocserv[5550]: sec-mod: error processing data for 'sm: auth init' command (-1)
> ocserv[5569]: common.c:316: recvmsg returned zero
> ocserv[5569]: worker: IPIPIPIP:18930 worker-auth.c:684: error receiving auth reply message
> ocserv[5569]: worker: IPIPIPIP:18930 worker-auth.c:1236: failed authentication for ''
> ocserv[5569]: TLS[<4>]: REC[0x176b060]: Preparing Packet Application Data(23) with length: 62 and min pad: 0
>
>
>
> sskaje
> http://sskaje.me/
> sskaje at gmail.com
>
>
>
> On Aug 29, 2014, at 14:34, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
>
>> On Thu, Aug 28, 2014 at 10:22 AM, sskaje <sskaje at gmail.com> wrote:
>>> Nikos,
>>> I have these in my config file:
>>>
>>> # grep group /opt/ocserv/etc/config |grep -v '^#'
>>> cert-group-oid = 2.5.4.11
>>> run-as-group = daemon
>>> config-per-group = /opt/ocserv/etc/config-per-group/
>>> default-group-config = /opt/ocserv/etc/defaults/group.conf
>>> select-group = vpn
>>> select-group = dnsonly
>>> default-select-group = vpn
>> ^^^^^
>>
>> I believe the above is what causes the issue. I've tried to clarify
>> what default-select-group is in the documentation. It is a virtual
>> group that allows a user to select the default assigned to him (in
>> case he belongs to multiple groups). The way you use it shouldn't do
>> any harm however, but it had the bug you noticed. It should be fixed
>> in the master branch now though.
>>
>> regards,
>> Nikos
>