The client certificates I would like to use for ocserv are issued as part of another business process and I can't re-issue them. They don't have the usernames I would like to use embedded in them. They do have an email address as the SAN(rfc822name). I can see the username (email) getting extracted during the login process; however, the AnyConnect client then disconnects. I can't tell from the ocserv logs (running -d 9999) what the reason is.

When I think about what needs to happen, however, I have specified the authentication of the certificate/user, but there's no location in the config where I give certain users authorization. How does that work?

As an aside, I tried to use ocpasswd to create passwords for the email addresses associated with the certificates; however, that doesn't seem to work either.

Finally, as a last resort, is it possible to do the certificate verification (meaning that they're issued by a trusted CA) only and then use the password for the actual authentication?

Thanks,
Matt