[Fwd: RFP: NetworkManager-openconnect - A Feature Request setting group in vpn config]



-------- Forwarded Message --------
From: Riku Meskanen <riku h meskanen jyu fi>
To: Dan Williams <dcbw redhat com>, David Zeuthen <davidz redhat com>,
David Woodhouse <dwmw2 infradead org>
Subject: RFP: NetworkManager-openconnect - A Feature Request setting
group in vpn config
Date: Sun, 20 Dec 2015 22:48:51 +0200

Hello,

[ Let me first apologise for contacting you directly as your contacts are
in AUTHORS file of the NetworkManager-openconnect-1.0.8 package. And I
did not find a more appropriate place where to post this question and
request. Let me know if there is an address for this kind of message
for this piece of software, please. ]

OK, there’s a very useful feature in Cisco Anyconnect client I'm
wishing would be a very useful feature to add in
NetworkManager-openconnect too.

The feature in question is being able to specify the vpn group in the
connection config instead of using the drop-down list while in the
login window.

It may not be first hand obvious why, sure, but let me explain a bit
more.

It is possible to have some groups that are not published (visible in
dropdown) and still work perfectly with Anyconnect Client.

The trick is to simply append the group name to the vpn server URL, i.e.
https://vpn-server/group-name :)

The openconnect CLI does have a bit different syntax, it uses the -g
switch, but it also works as advertised, which is great.

But a bit more about the feature. That is a very useful feature indeed.
It lets us share one/single/same vpn-service with users that are given
the right to access public groups, but also lets us have non-public
vpn groups for more limited use.

Cisco’s documentation and examples about the matter are a bit candid
about the matter, but the following config snippet may explain it better.

...
tunnel-group student webvpn-attributes
 group-alias student enable
 group-url https://vpn.domain.org/student enable
...

And Cisco’s documentation about those directives:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_groups.html#pgfId-1042120

It’s the "group-alias student enable" above which publishes the group
so that it appears on the dropdown list to choose from, but in case we
don’t want to publish, for example, the sysadmin group, then we drop
that group-alias line ...

...
tunnel-group sysadmin webvpn-attributes
 group-url https://vpn.domain.org/sysadmin enable
...

That will let sysadmins log in knowing that they connect to
https://vpn.domain.org/sysadmin using Anyconnect, or they can of course
instead use openconnect using the command line or some tiny script like
below

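#!/bin/sh
#
# Connect to an unpublished VPN group with the openconnect CLI.
#
URL=https://vpn.domain.org/
GROUP=vpn-group-here
USER=login-name
PASSWD='password'

# Feed the password on stdin; quote the variables so values containing
# spaces or shell metacharacters are passed through intact.
printf '%s\n' "$PASSWD" | sudo openconnect -s /etc/vpnc/vpnc-script \
   -g "$GROUP" -u "$USER" --passwd-on-stdin "$URL"

# eof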

So the group select feature is there already in the CLI version, but in
the GUI there is no way of setting that group.

Thus my humble request is: would it be possible to add that feature in
upcoming versions?

It would have been great if I had been able to provide you patches, but
the fact is that I haven’t myself developed GUI code for GNOME
or any of these new desktops, and I’m far too busy with networking and
other tasks to have time to delve into this kind of venture in the
foreseeable future.

Cheers,

:-) riku

-- 
Riku Meskanen
University of Jyväskylä
IT Services
email: riku meskanen jyu fi
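
An added example, not part of the original message or of any project mentioned in it: a small Python audit of an ASA configuration that lists tunnel groups reachable through a group-url but not published with an enabled group-alias. The sample configuration is constructed from the two stanzas in the message plus a made-up "staff" stanza, and counting only entries with an explicit trailing "enable" is an assumption.

```python
import re

# Constructed sample: the two stanzas from the message plus one made-up
# stanza ("staff") whose alias is present but disabled.
SAMPLE_CONFIG = """\
tunnel-group student webvpn-attributes
 group-alias student enable
 group-url https://vpn.domain.org/student enable
tunnel-group sysadmin webvpn-attributes
 group-url https://vpn.domain.org/sysadmin enable
tunnel-group staff webvpn-attributes
 group-alias staff disable
 group-url https://vpn.domain.org/staff enable
"""

STANZA = re.compile(r"^tunnel-group\s+(\S+)\s+webvpn-attributes\s*$")
DIRECTIVE = re.compile(
    r"^\s+(group-alias|group-url)\s+(\S+)(?:\s+(enable|disable))?\s*$")


def parse_tunnel_groups(config_text):
    """Return {group: {"aliases": [...], "urls": [...]}} of enabled entries."""
    groups = {}
    current = None
    for line in config_text.splitlines():
        m = STANZA.match(line)
        if m:
            current = groups.setdefault(m.group(1), {"aliases": [], "urls": []})
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the stanza
            continue
        d = DIRECTIVE.match(line)
        # Assumption: only entries with an explicit "enable" are counted.
        if current is not None and d and d.group(3) == "enable":
            key = "aliases" if d.group(1) == "group-alias" else "urls"
            current[key].append(d.group(2))
    return groups


def unpublished_groups(config_text):
    """Groups reachable through a group-url but absent from the drop-down."""
    return {name: g["urls"]
            for name, g in parse_tunnel_groups(config_text).items()
            if g["urls"] and not g["aliases"]}


if __name__ == "__main__":
    for name, urls in unpublished_groups(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(urls)}")
```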









