On Wed, Apr 5, 2017 at 6:13 PM, Matthew Zimmerman <mzimmerman at gmail.com> wrote:

> The client certificates I would like to use for ocserv are issued as
> part of another business process and I can't re-issue them. They
> don't have the usernames I would like to use embedded in them. They
> do have an email address as the SAN(rfc822name).
>
> I can see the username (email) getting extracted during the login
> process, however the anyconnect client then disconnects. I can't tell
> from the ocserv logs (running -d 9999) what the reason is.
>
> When I think about what needs to happen however, I have specified the
> authentication of the certificate/user, but there's no location in the
> config where I give certain users authorization. How does that work?

If you only enable certificate authentication, the possession of a signed
certificate is sufficient to access the server. You would need to utilize a
rigorous process to issue certificates and revocation with CRLs to disable
access.

> As an aside, I tried to use ocpasswd to create passwords for the email
> addresses associated with the certificates, however that doesn't seem
> to work either.

If you enable both certificate and password authentication, the presence in
the password file will be required to access the server.

> Finally as a last resort, is it possible to do the certificate
> verification (meaning that they're issued by a trusted CA) only and
> then use the password for the actual authentication?

Yes. It is a matter of how you combine the authentication methods.

> Turns out this seems to be a compatibility issue with the AnyConnect
> client as when using the openconnect client on linux, I can
> successfully connect with the certification authentication mode turned
> on.

That's interesting. Is that some new client? Did you try to enable the cisco
client compatibility options? Note that there is openconnect-gui as well, a
windows client for ocserv.

regards,
Nikos
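The two ways of combining the authentication methods discussed in this thread, as an added ocserv.conf excerpt (example configuration written for this reply, not Nikos's or the ocserv project's own text; the CA, CRL and password-file paths are assumed placeholders). With several `auth` lines, ocserv requires every listed method to succeed, which is what turns a signed certificate from "sufficient on its own" into "necessary but not sufficient".

```ini
# --- Variant A: certificate only ------------------------------------------
# Anyone holding a certificate chained to ca-cert gets in. The only way to
# remove a user is revocation, so the CRL must be published and refreshed.
auth = "certificate"
ca-cert = /etc/ocserv/ca.pem            # assumed path
crl = /etc/ocserv/crl.pem               # assumed path; ocserv rereads it on reload

# Username comes from the SAN rfc822Name (the e-mail address), since the
# certificates in the thread carry no usable CN/UID. Authorization must then
# be done by the certificate itself (or by per-group/per-user config files).
cert-user-oid = SAN(rfc822name)

# --- Variant B: certificate AND password (the "last resort" asked about) ---
# Both lines must succeed: a valid certificate from the trusted CA, and an
# entry for the extracted e-mail username in the ocpasswd file. Deleting or
# locking the ocpasswd entry denies access without touching the PKI.
# (Replace the single auth line of Variant A with these two.)
#auth = "certificate"
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"   # assumed path; populate with ocpasswd

# --- Client interoperability ----------------------------------------------
# Option Nikos refers to for AnyConnect clients that drop after login.
cisco-client-compat = true
```

The ocpasswd entries must be created under the exact string ocserv extracts from the certificate (the e-mail address), otherwise the password step fails even though the certificate check passed.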