On Mon, May 19, 2014 at 4:59 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> Is that really necessary? It could be simply a warning message, as
>> there are cases where a server may support more groups than the ones
>> advertised.
> On Cisco this could be done through a group-url. So instead of
> entering a bare hostname, the user would enter something like
> "https://vpn.foo.com/my-group-url". The group-url namespace is
> separate from the authgroup names used in the dropdown list, and so it
> can include hidden groups.

That looks like a lot of legacy cruft and I'd like to avoid using the URL if possible. Even openconnect handles the one type of group differently from the other (as I understand there is --usergroup and --authgroup).

> More recently we also saw a case where fields in the client cert were
> used to select the group.

That is supported in ocserv too.

> These options are described here:
> http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html

> If ocserv asked the user to manually enter an authgroup name that was
> not listed in the dialog, it would cause trouble for most/all GUI
> clients.

I see, but I'd like to simplify the group selection by not adding any Cisco legacy cruft. I'll experiment a bit with that.

regards,
Nikos