On Wed, Dec 16, 2015 at 11:53 AM, yick xie <yick.xie at gmail.com> wrote:
> Hello,
> I set up the group config, which worked well with RADIUS, while
> the AnyConnect client cannot select a group using a certificate. No
> matter whether "cert-group-oid" is enabled or the client certificate was
> generated with an OU name, the client always bypassed the group selection.
> Hence I just inquire whether it is possible to allow the certificate user to
> choose a group like RADIUS users, who can belong to several groups.
>
> My config options:
> auth = "radius[config=/etc/radiusclient/radiusclient.conf]"
> enable-auth = certificate
> select-group = group1
> select-group = group2
> auto-select-group = false
> config-per-group = /etc/ocserv/config-per-group/

When you use certificates, all the groups that the user has access to must be
listed in the certificate. That is, when you generate it you must specify all
the groups as organizational units ("ou"), or any other OID you like. For that
to work you need to specify cert-group-oid in the ocserv configuration as well.

regards,
Nikos
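The rule in the reply above, shown as an added example that is not part of the thread and not ocserv's own code: the groups a certificate user may choose from are every value of the attribute named by cert-group-oid in the certificate's subject DN, so a subject with one OU yields one group and a subject with no OU yields none. The DER encoding and parsing below are hand-rolled so the script runs offline; the subject DNs, the user name "yick", the choice of OU (2.5.4.11) as the group OID, the use of UTF8String values, and the assumption that the groups offered to the client are the certificate's groups that also appear in select-group are all constructed for this example.

```python
# Added example (not ocserv code): read every value of the cert-group-oid
# attribute out of a DER-encoded X.509 subject Name and intersect it with
# the configured select-group list.  Assumptions: OU (2.5.4.11) is the group
# OID, values are UTF8String, offered groups = cert groups also in select-group.

OID_OU = "2.5.4.11"   # what "cert-group-oid = 2.5.4.11" would refer to
OID_CN = "2.5.4.3"


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def encode_name(attrs):
    """[(dotted_oid, str), ...] -> DER Name: SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b""
    for oid, value in attrs:
        atv = _tlv(0x30, encode_oid(oid) + _tlv(0x0C, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def attribute_values(name_der, wanted_oid):
    """Every value of wanted_oid in the Name, in order: the user's group list."""
    tag, body, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    values = []
    for _set_tag, rdn in _children(body):          # each RDN is a SET
        for _seq_tag, atv in _children(rdn):       # each AttributeTypeAndValue
            kids = list(_children(atv))
            if decode_oid(kids[0][1]) == wanted_oid:
                values.append(kids[1][1].decode("utf-8"))
    return values


def offered_groups(name_der, group_oid, select_group):
    """Groups the client can pick: listed in the cert AND in select-group (assumed)."""
    cert_groups = attribute_values(name_der, group_oid)
    return [g for g in select_group if g in cert_groups]


# Constructed sample subjects (not real certificates).
SELECT_GROUP = ["group1", "group2"]
MULTI_OU = encode_name([(OID_CN, "yick"), (OID_OU, "group1"), (OID_OU, "group2")])
SINGLE_OU = encode_name([(OID_CN, "yick"), (OID_OU, "group1")])
NO_OU = encode_name([(OID_CN, "yick")])

if __name__ == "__main__":
    print(offered_groups(MULTI_OU, OID_OU, SELECT_GROUP))   # ['group1', 'group2']
    print(offered_groups(SINGLE_OU, OID_OU, SELECT_GROUP))  # ['group1']
    print(offered_groups(NO_OU, OID_OU, SELECT_GROUP))      # []
```

The point the script makes is that the certificate, not the select-group list, is the source of a certificate user's group membership: a subject with a single OU can only ever map to that one group, so a client that should choose between group1 and group2 needs both OUs (or both values of whatever OID cert-group-oid names) in its subject. When generating such a certificate with certtool, that means repeating the unit entry in the template once per group; that certtool accepts repeated unit lines is an assumption here, not something the thread states.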