Ad Schellevis

I don't mind adding an issuer, but I don't expect them to have a logo on their end....

@joggee-fr can you try https://github.com/opnsense/core/commit/12001a32f2605c7356c82f6ac26803d80a686fcd ? install via: ``` opnsense-patch 12001a3 ```

@L1ghtn1ng I suppose this PR relates to https://github.com/opnsense/core/issues/6195 or am I missing something?

I'll put it on my list of things todo to review and test this one.

not really, too busy with other work and not enough context on why we should do this.

I don't mind improving the situation, but someone needs to test this thoroughly, the modification should be consistent between legacy and mvc parts and should follow best practices (I can...

https://github.com/opnsense/core/blob/70d6dc03b8ef2f6177bf071b9bec5015a593c0cf/src/etc/inc/plugins.inc.d/openvpn.inc#L672 Is probably what you’re looking for, it’s unlikely cso’s don’t work at all, but the logs will tell you what the server did (auth sequence and cso matching). Usually...

I don’t expect that, haven’t seen it either. If I’m not mistaken the (official) radius auth uses the same spot. When using authentication, you can’t know the full picture unit...

When properly matched, the log should contain: https://github.com/opnsense/core/blob/98878a9eb90c1150b232bfbc7e9a012a3e3462a0/src/opnsense/scripts/openvpn/user_pass_verify.php#L137

My point as well, these lines do not depend on synchronicity, which point to some configuration issue… (mismatch between common name and username being the most common)