This option supports different listen addresses for tcp and
udp such as haproxy for tcp, but support dtls at the same time (haproxy
does not support UDP at the moment)
When a user explicitly disconnects after the session is open,
cleanup its entry immediatelly. That ensures that a radius
server will be notified sooner, while anyconnect clients which
disconnect early (before session is open), remain unaffected.
Resolves: #210
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
This clarifies how cookies are expired, and how they affect
session accounting in radius.
Relates #166
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This provides virtualized server configurations which take
effect after client connection when client hello is received.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That eliminates the need for autogen and also combines
doc/sample.config and manpage contents. Now the doc/sample.config
is the primary config documentation location.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This still prevents abuse, while allowing few more attempts than 5, which
are typically easily reached through software which remembers passwords.
At the same time increase the default ban time to 20 minutes.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This is needed to be able to retreive email from the Subject
Alternative Name from the certificate.
Signed-off-by: Johannes Sjøkvist <johannes@konsept-it.no>
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, if the header contains "android" or "apple-ios" mark it as
a mobile client. The header X-AnyConnect-Identifier-DeviceType is only
considered for logging purposes and appended to the user-agent name
if present.
When this option is set to false, the DTLS-PSK protocol
will not be negotiated by worker processes. The process will fallback
to the legacy protocol in that case.
That when enable, it will prevent any DTLS negotiation other than the
DTLS-PSK, and will ensure that the cipher/mac combination matches on
the TLS and DTLS connections. The cisco-client-compat config option
when disabled, it will disable the pre-draft-DTLS negotiation.
Disable MTU discovery when not requested, set the minimum packet size
to 1280 for IPv6 and 800 bytes for IPv4. When MTU discovery fails to
calculate an MTU over the minimum, it disables itself and ocserv will rely
on packet fragmentation. This also enhances DTLS connection detection
(due to MTU issues), by setting the DPD packet size to equal to the current
data MTU.
That is, do not allow radius' groupconfig=true option to be combined
with config-per-user/group. This reduces frustration since these options
are incompatible.
