On Mon, May 19, 2014 at 6:01 AM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:

> Hello,
> I am implementing the ability to allow selecting a group on login
> with ocserv, and I realized that the authgroup option of openconnect
> is limited to the list provided by the server. For example if server
> advertises group1 and group3, and I specify group2, I get:
> Auth choice "group2" not available.
>
> Is that really necessary? It could be simply a warning message, as
> there are cases where a server may support more groups than the ones
> advertised.

On Cisco this could be done through a group-url. So instead of entering a bare hostname, the user would enter something like "https://vpn.foo.com/my-group-url". The group-url namespace is separate from the authgroup names used in the dropdown list, and so it can include hidden groups.

More recently we also saw a case where fields in the client cert were used to select the group.

These options are described here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

If ocserv asked the user to manually enter an authgroup name that was not listed in the dialog, it would cause trouble for most/all GUI clients.