On Mon, Feb 3, 2014 at 11:54 AM, David Woodhouse <dwmw2 at infradead.org> wrote: >>> Is it possible to let ocserv to authenticate iOS client with "auto >>> certificate" option? >> Could you elaborate on what is this option supposed to do? > I'd guess it lets you authenticate with a password as a one-off, and > provisons a certificate with SCEP? That sounds interesting. One could use something like that to allow users to self-initialize a smart card (or a secure element in a mobile) with a key for a specific server that will pin the user. However it seems that SCEP is marked as historic [0]. Is there any new protocol replacing it? Does openconnect support scep? [0]. http://tools.ietf.org/html/draft-nourse-scep-23 On Mon, Feb 3, 2014 at 11:58 AM, Steve <steve at thupdi.net> wrote: >>> Is it possible to let ocserv to authenticate iOS client with "auto >>> certificate" option? >> Could you elaborate on what is this option supposed to do? > Just like below I said, iOS anyconnect could connect to ASA server > without manually client cert installed... I'll have to see the protocol, but having captures of this exchange would be necessary to evaluate it. btw. what happens if a user connects without the certificate when he was assigned one? regards, Nikos
