Hello, I am in the process of testing ocserv with Cisco AnyConnect compatibility. It seems to work using local passwords and with RADIUS authentication if using a single profile. However, while testing using RADIUS and specifying which group policy should be used for a login, it would seem that alternate groups that would specify what routes should be used are not working.
Here is an example of how I am testing this vs how it is working on a Cisco ASA.

User1 - Normal user with split tunnel
User2 - User with tunnel all traffic
User3 - User restricted to split tunnel with only 1 /24 tunneled route.

User1 logs in on Cisco and gets routes a, b, c, d, e, and f tunneled and all others use local network connection.
User1 logs in on ocserv and the same works as this is a default profile.

User2 - logs in on Cisco and all traffic is tunneled.
User2 - tries to log in on ocserv and login fails.

User3 - logs in on Cisco and gets a x.x.x.x/24 tunneled and all others use local network connection.
User3 - tries to log in on ocserv and login fails.

RADIUS does send the group policy that should be associated to the user. Pulled from a tcpdump packet capture below.

Class Attribute (25), length: 21, Value: Co1-Intranet-Policy

So my main question is how can I set up ocserv to receive these class attributes and use them to specify what routes the user should have tunneled?

I am running version 1.3.0

Best,
-Troy

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel