Hello, I set up the group config, which worked well with the radius, while the Anyconnect client cannot select a group using a certificate. No matter whether "cert-group-oid" enabled or the client certificate was generated with a OU name, the client always bypassed the group select. Hence I just inquire is it possible to allow the certificate user to choose a group like radius users, they could belong to several groups. My config option: auth = "radius[config=/etc/radiusclient/radiusclient.conf]" enable-auth = certificate select-group = group1 select-group = group2 auto-select-group = false config-per-group = /etc/ocserv/config-per-group/ /etc/ocserv/config-per-group/group1 include ipv4-network and ipv4-netmask config /etc/ocserv/config-per-group/group2 include ipv4-network and ipv4-netmask config Regards, Yick