server returns login form with client-provided invalid group instead of configured groups
Description of problem:
We have identified two technical issues:
- Group Caching: After the initial connection to the server, the client caches the selected group. Consequently, during subsequent login attempts, the user cannot select a different group from the list because only the cached group is displayed.
- Cross-Server Connection Failure: A more critical issue occurs when a user attempts to connect to a different ocserv server. The user is unable to select the correct group because the client automatically transmits the cached group by default, which may not exist on the secondary server.
Version of ocserv used:
root@AnyConnect:/usr/sbin# ocserv --version
OpenConnect VPN Server 1.4.2
Compiled with: seccomp, tcp-wrappers, oath, radius, gssapi, PAM, PKCS#11, AnyConnect
GnuTLS version: 3.8.9
Client used:
Any client
Distributor of ocserv
Manual build from git
How reproducible:
Describe the steps to reproduce the issue:
- build ocserv
- create configs
- test by CURL
Actual results:
Returns the non-existent group
config
auth = "plain[passwd=/etc/ocserv/passwd]"
config-per-group = /etc/ocserv/config-per-group
select-group = Default_Route
select-group = Except_BY

/etc/ocserv/passwd
test_user:Default_Route,Except_BY:$5$6L...
testing
curl -v -X POST https://server.ip -d @123.txt
123.txt
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init" aggregate-auth-version="2">
<group-select>NotExistGroup</group-select>
</config-auth>

answer from server
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<version who="sg">0.1(1)</version>
<auth id="main">
<message>Please enter your username and password.</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<select name="group_list" label="Group:">
<option value="NotExistGroup">NotExistGroup</option>
</select>
</form></auth>

Expected results:
Returns all configured groups
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<version who="sg">0.1(1)</version>
<auth id="main">
<message>Please enter your username and password.</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<select name="group_list" label="Group:">
<option value="Default_Route">Default_Route</option>
<option value="Except_BY">Except_BY</option>
</select>
</form></auth>
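The check a practitioner wants here is mechanical: the `group_list` options the server hands back in its `auth-request` must be exactly the `select-group` values from ocserv.conf, never whatever the client put into `<group-select>`. The script below is an added example for this report, not code from the reporter or from the ocserv project. It builds the same `type="init"` body as 123.txt with a caller-chosen group, parses an `auth-request` reply, and reports options that are not configured as well as configured groups that are not offered. The two replies embedded in it are the ones quoted above, used as constructed offline input (a closing `</config-auth>` is added so they parse); `probe()` posts to a live server the way the report's curl command does and is only used when a URL is passed on the command line.

```python
"""Check an ocserv auth-request form against the configured groups.

Added example for this report; not code from the reporter or from ocserv.
It builds the type="init" body the report posts with curl (123.txt) and
checks the reply the way the report does by eye: every <option> under
group_list must be a select-group value from ocserv.conf, and every
configured group must be offered.
"""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional, Set, Tuple

# select-group values from the report's ocserv.conf.
CONFIGURED_GROUPS = {"Default_Route", "Except_BY"}

# Constructed input: the reply the report shows under "Actual results".
# The report's snippet stops at </auth>; </config-auth> is added so it parses.
ACTUAL_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<version who="sg">0.1(1)</version>
<auth id="main">
<message>Please enter your username and password.</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<select name="group_list" label="Group:">
<option value="NotExistGroup">NotExistGroup</option>
</select>
</form></auth></config-auth>"""

# Constructed input: the reply the report lists under "Expected results".
EXPECTED_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<version who="sg">0.1(1)</version>
<auth id="main">
<message>Please enter your username and password.</message>
<form method="post" action="/auth">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<select name="group_list" label="Group:">
<option value="Default_Route">Default_Route</option>
<option value="Except_BY">Except_BY</option>
</select>
</form></auth></config-auth>"""


def build_init_request(group: str) -> bytes:
    """Body equivalent to the report's 123.txt, with a caller-chosen group-select."""
    root = ET.Element("config-auth", client="vpn", type="init")
    root.set("aggregate-auth-version", "2")
    ET.SubElement(root, "group-select").text = group
    body = ET.tostring(root, encoding="unicode")
    return b'<?xml version="1.0" encoding="UTF-8"?>\n' + body.encode("utf-8")


def offered_groups(auth_request_xml: bytes) -> List[str]:
    """Values of the group_list <option>s in an auth-request, in server order."""
    root = ET.fromstring(auth_request_xml)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        raise ValueError("not an auth-request: <%s type=%r>" % (root.tag, root.get("type")))
    select = root.find("./auth/form/select[@name='group_list']")
    if select is None:  # server offered no group choice at all
        return []
    return [opt.get("value", "") for opt in select.findall("option")]


def check_form(auth_request_xml: bytes,
               configured: Set[str] = CONFIGURED_GROUPS) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing).

    unexpected: offered options that are not in ocserv.conf (the reflection this
    report describes); missing: configured groups the form does not offer.
    Both empty means the form matches the configuration.
    """
    offered = offered_groups(auth_request_xml)
    unexpected = [g for g in offered if g not in configured]
    missing = sorted(configured - set(offered))
    return unexpected, missing


def probe(server_url: str, group: str = "NotExistGroup",
          cafile: Optional[str] = None) -> bytes:
    """POST the init body to a live server, mirroring the report's
    `curl -X POST https://server.ip -d @123.txt` (same Content-Type as curl -d).
    Needs network access; not used by the offline checks above. Pass cafile
    when the server's CA is not in the system trust store; verification stays on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        server_url, data=build_init_request(group), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    import sys
    reply = probe(sys.argv[1]) if len(sys.argv) > 1 else ACTUAL_RESPONSE
    unexpected, missing = check_form(reply)
    print("offered:", offered_groups(reply))
    print("not in ocserv.conf:", unexpected or "none")
    print("configured but not offered:", missing or "none")
```

Run without arguments it evaluates the reply quoted in the report and flags `NotExistGroup` as unexpected with both configured groups missing; run as `python3 check_groups.py https://server.ip` it performs the same check against a server. Whether the server answers the AnyConnect init on `/` as the report's curl command assumes is taken from the report, not verified here.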