Turns out this seems to be a compatibility issue with the AnyConnect client, as when using the openconnect client on Linux I can successfully connect with the certification authentication mode turned on.

On Wed, Apr 5, 2017 at 11:57 AM, Matthew Zimmerman <mzimmerman at gmail.com> wrote:
> The client certificates I would like to use for ocserv are issued as part of
> another business process and I can't re-issue them. They don't have the
> usernames I would like to use embedded in them. They do have an email
> address as the SAN (rfc822Name).
>
> I can see the username (email) getting extracted during the login process,
> however the AnyConnect client then disconnects. I can't tell from the
> ocserv logs (running -d 9999) what the reason is.
>
> When I think about what needs to happen however, I have specified the
> authentication of the certificate/user, but there's no location in the
> config where I give certain users authorization. How does that work?
>
> As an aside, I tried to use ocpasswd to create passwords for the email
> addresses associated with the certificates, however that doesn't seem to
> work either.
>
> Finally, as a last resort, is it possible to do the certificate verification
> (meaning that they're issued by a trusted CA) only and then use the password
> for the actual authentication?
>
> Thanks,
> Matt
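An ocserv.conf fragment, added here as an illustration and not taken from the thread, showing the setup the last question asks about: the certificate only proves issuance by the trusted CA, the username is read from the rfc822Name SAN, and a separate ocpasswd password is required for the actual per-user authentication. Option names are ocserv's own as I know them; the file paths are placeholders, and the rfc822name form of cert-user-oid should be checked against the manual of the ocserv version in use.

```ini
# Added example, not the thread's own configuration. Paths are placeholders.

# Two 'auth' lines means BOTH must succeed for a login: a certificate
# chained to our CA is necessary but not sufficient on its own.
# (Alternatives, where any one method is enough, would use enable-auth.)
auth = "certificate"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"

# Only client certificates issued under this CA are accepted at all.
ca-cert = /etc/ocserv/ca.pem

# Read the username from the email address in the Subject Alternative
# Name (rfc822Name) rather than from a DN attribute such as CN or UID.
# Assumed value; confirm it is supported by your ocserv version.
cert-user-oid = 2.5.29.17.rfc822name

# The password file must then be keyed by that same email address, i.e.
# entries created with:  ocpasswd -c /etc/ocserv/ocpasswd user@example.com
# (user@example.com is a constructed sample value.)

# Per-user authorization (routes, groups, etc.) is done with a file named
# after the username, here the email address, in this directory.
config-per-user = /etc/ocserv/config-per-user/
```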