Diffstat (limited to 'docs/configuration/vpn/openconnect.rst')
-rw-r--r--docs/configuration/vpn/openconnect.rst41
1 files changed, 39 insertions, 2 deletions
diff --git a/docs/configuration/vpn/openconnect.rst b/docs/configuration/vpn/openconnect.rst
index 7a279472..1b4d4b4c 100644
--- a/docs/configuration/vpn/openconnect.rst
+++ b/docs/configuration/vpn/openconnect.rst
@@ -48,7 +48,7 @@ Server Configuration
set vpn openconnect authentication local-users username <user> password <pass>
set vpn openconnect authentication mode <local password|radius>
- set vpn opneconnect network-settings client-ip-settings subnet <subnet>
+ set vpn openconnect network-settings client-ip-settings subnet <subnet>
set vpn openconnect network-settings name-server <address>
set vpn openconnect network-settings name-server <address>
set vpn openconnect ssl ca-certificate <pki-ca-name>
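Review bot: The correction from `opneconnect` to `openconnect` on the `client-ip-settings subnet <subnet>` line is right; a reader pasting the old line would have hit an invalid path under `set vpn`. In the surrounding context, `set vpn openconnect network-settings name-server <address>` appears twice with the same placeholder. If the intent is to show that more than one name server can be configured, distinct placeholders such as `<address-1>` and `<address-2>` would make that explicit; as written, a reader following the snippet literally enters the same command twice.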
@@ -56,7 +56,7 @@ Server Configuration
set vpn openconnect ssl passphrase <pki-password>
2FA OTP support
-====================
+===============
Instead of password only authentication, 2FA password
authentication + OTP key can be used. Alternatively, OTP authentication only,
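Review bot: The shortened underline is now exactly 15 characters, the same length as the title `2FA OTP support`. docutils only warns when an underline is shorter than its title, so the old 20-character underline was untidy rather than broken, and the new one is fine either way. Outside this change, the context line `password only authentication` would read more clearly as `password-only authentication`.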
@@ -215,3 +215,40 @@ and then the OTP key.
.. warning:: When using Time-based one-time password (TOTP) (OTP HOTP-time),
be sure that the time on the server and the
OTP token generator are synchronized by NTP
+
+To display the configured OTP user settings, use the command:
+
+.. code-block:: none
+
+ show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri>
+
+Configuring RADIUS accounting
+=============================
+
+OpenConnect can be configured to send accounting information to a
+RADIUS server to capture user session data such as time of
+connect/disconnect, data transferred, and so on.
+
+Configure an accounting server and enable accounting with:
+
+.. code-block:: none
+
+ set vpn openconnect accounting mode radius
+ set vpn openconnect accounting radius server 172.20.20.10
+ set vpn openconnect accounting radius server 172.20.20.10 port 1813
+ set vpn openconnect accounting radius server 172.20.20.10 key your_radius_secret
+
+.. warning:: The RADIUS accounting feature must be used with the OpenConnect
+ authentication mode RADIUS. It cannot be used with local authentication.
+ You must configure the OpenConnect authentication mode to "radius".
+
+An example of the data captured by a FREERADIUS server with sql accounting:
+
+.. code-block:: none
+
+ mysql> SELECT username, nasipaddress, acctstarttime, acctstoptime, acctinputoctets, acctoutputoctets, callingstationid, framedipaddress, connectinfo_start FROM radacct;
+ +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+
+ | username | nasipaddress | acctstarttime | acctstoptime | acctinputoctets | acctoutputoctets | callingstationid | framedipaddress | connectinfo_start |
+ +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+
+ | test | 198.51.100.15 | 2023-01-13 00:59:15 | 2023-01-13 00:59:21 | 10606 | 152 | 192.168.6.1 | 172.20.20.198 | Open AnyConnect VPN Agent v8.05-1 |
+ +----------+---------------+---------------------+---------------------+-----------------+------------------+-------------------+-----------------+-----------------------------------+
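Review bot: The `.. warning::` block states the same constraint three times (RADIUS accounting requires RADIUS authentication, it cannot be used with local authentication, the mode must be set to "radius"); one sentence carries it, for example "RADIUS accounting requires `set vpn openconnect authentication mode radius`; it is not available with local authentication." Two further points in this hunk: the accounting example uses RFC 1918 addresses (`172.20.20.10`, `172.20.20.198`, `192.168.6.1`) while the FreeRADIUS output already uses `198.51.100.15` from the RFC 5737 documentation range, so the snippet would be more consistent, and less likely to collide with a reader's own network, if all addresses came from the 192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24 ranges. The new `show openconnect-server user <username> otp <full|key-b32|key-hex|qrcode|uri>` command prints the user's OTP secret in the `key-b32`, `key-hex`, `qrcode` and `uri` forms, which is the second factor itself; a short sentence saying that this output (and any terminal log or session recording that captures it) must be treated as a credential would help operators. Finally, `FREERADIUS` and `sql accounting` should be written `FreeRADIUS` and `SQL accounting`, and `1813` is the IANA-registered RADIUS accounting port, which is worth stating next to the `port 1813` line so readers know why it differs from the authentication port.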