diff options
author | Jamie Austin <jamiea@opusv.com.au> | 2023-05-15 14:37:27 +1000 |
---|---|---|
committer | Jamie Austin <jamiea@opusv.com.au> | 2023-05-17 15:27:34 +1000 |
commit | aa77ce484afa1686a8638298ba6673468fdf7aa5 (patch) | |
tree | b8b754097bbefa4150a145e26907973673ddb9a7 | |
parent | 09696c680db55502476bdda0644f348d35bab533 (diff) | |
download | vyos-documentation-aa77ce484afa1686a8638298ba6673468fdf7aa5.tar.gz vyos-documentation-aa77ce484afa1686a8638298ba6673468fdf7aa5.zip |
T3896: ocserv: openconnect: document identity based configuration
-rw-r--r-- | docs/configuration/vpn/openconnect.rst | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst index 1b4d4b4c..8479bcff 100644 --- a/docs/configuration/vpn/openconnect.rst +++ b/docs/configuration/vpn/openconnect.rst @@ -222,6 +222,51 @@ To display the configured OTP user settings, use the command: show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri> +Identity Based Configuration +============================ + +OpenConnect supports a subset of it's configuration options to be applied on a +per user/group basis, for configuration purposes we refer to this functionality +as "Identity based config". The following `OpenConnect Server Manual +<https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that% +20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_ +outlines the set of configuration options that are allowed. This can be +leveraged to apply different sets of configs to different users or groups of +users. + +.. code-block:: none + + sudo mkdir -p /config/auth/ocserv/config-per-user + sudo touch /config/auth/ocserv/default-user.conf + + set vpn set vpn openconnect authentication identity-based-config mode user + set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user + set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf + +.. warning:: The above directory and default-config must be a child directory +of /config/auth, since files outside this directory are not persisted after an +image upgrade. + +Once you commit the above changes you can create a config file in the +/config/auth/ocserv/config-per-user directory that matches a username of a +user you have created e.g. "tst". Now when logging in with the "tst" user the +config options you set in this file will be loaded. + +Be sure to set a sane default config in the default config file, this will be +loaded in the case that a user is authenticated and no file is found in the +configured directory matching the users username/group. + +.. code-block:: node + sudo nano /config/auth/ocserv/config-per-user/tst + +The same configuration options apply when Identity based config is configured +in group mode except that group mode can only be used with RADIUS +authentication. + +.. warning:: OpenConnect server matches the filename in a case sensitive +manner, make sure the username/group name you configure matches the +filename exactly. + Configuring RADIUS accounting ============================= |