authorJamie Austin <jamiea@opusv.com.au>2023-05-15 14:37:27 +1000
committerJamie Austin <jamiea@opusv.com.au>2023-05-17 15:27:34 +1000
commitaa77ce484afa1686a8638298ba6673468fdf7aa5 (patch)
treeb8b754097bbefa4150a145e26907973673ddb9a7
parent09696c680db55502476bdda0644f348d35bab533 (diff)
downloadvyos-documentation-aa77ce484afa1686a8638298ba6673468fdf7aa5.tar.gz
vyos-documentation-aa77ce484afa1686a8638298ba6673468fdf7aa5.zip
T3896: ocserv: openconnect: document identity based configuration
-rw-r--r--docs/configuration/vpn/openconnect.rst45
1 files changed, 45 insertions, 0 deletions
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index 1b4d4b4c..8479bcff 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -222,6 +222,51 @@ To display the configured OTP user settings, use the command:
show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri>
+Identity Based Configuration
+============================
+
+OpenConnect supports a subset of it's configuration options to be applied on a
+per user/group basis, for configuration purposes we refer to this functionality
+as "Identity based config". The following `OpenConnect Server Manual
+<https://ocserv.gitlab.io/www/manual.html#:~:text=Configuration%20files%20that%
+20will%20be%20applied%20per%20user%20connection%20or%0A%23%20per%20group>`_
+outlines the set of configuration options that are allowed. This can be
+leveraged to apply different sets of configs to different users or groups of
+users.
+
+.. code-block:: none
+
+ sudo mkdir -p /config/auth/ocserv/config-per-user
+ sudo touch /config/auth/ocserv/default-user.conf
+
+ set vpn set vpn openconnect authentication identity-based-config mode user
+ set vpn openconnect authentication identity-based-config directory /config/auth/ocserv/config-per-user
+ set vpn openconnect authentication identity-based-config default-config /config/auth/ocserv/default-user.conf
+
+.. warning:: The above directory and default-config must be a child directory
+of /config/auth, since files outside this directory are not persisted after an
+image upgrade.
+
+Once you commit the above changes you can create a config file in the
+/config/auth/ocserv/config-per-user directory that matches a username of a
+user you have created e.g. "tst". Now when logging in with the "tst" user the
+config options you set in this file will be loaded.
+
+Be sure to set a sane default config in the default config file, this will be
+loaded in the case that a user is authenticated and no file is found in the
+configured directory matching the users username/group.
+
+.. code-block:: node
+ sudo nano /config/auth/ocserv/config-per-user/tst
+
+The same configuration options apply when Identity based config is configured
+in group mode except that group mode can only be used with RADIUS
+authentication.
+
+.. warning:: OpenConnect server matches the filename in a case sensitive
+manner, make sure the username/group name you configure matches the
+filename exactly.
+
Configuring RADIUS accounting
=============================
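Review bot: the second code block, `.. code-block:: node`, names a non-existent lexer (the earlier block uses `none`) and, like the first block, has no blank line between the directive and its body, so Sphinx will reject or mis-render both; change it to `.. code-block:: none` followed by an empty line, and add the empty line after the first `.. code-block:: none` as well. In the same hunk the first CLI line is duplicated at the start, `set vpn set vpn openconnect authentication identity-based-config mode user`, and should read `set vpn openconnect authentication identity-based-config mode user`; a reader pasting it as written gets a configuration error. Minor wording: "a subset of it's configuration options" should be "its", and "the users username/group" should be "the user's username/group". The two `.. warning::` continuation lines should be indented to align with the directive text so the whole paragraph stays inside the admonition rather than rendering as a separate paragraph.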