On 10/3/18 6:54 PM, David Woodhouse wrote:
I don't see it trying the CSD wrapper at all there.
Can you show the command line, and add '-vv' to it too? Perhaps also
add a 'set -x' to the csd_wrapper script you're using, so we definitely
see what it's doing too.

Hi David,

Thanks for the response and sorry if I wasn't clear.  I had only posted the last half of the log, after the wrapper script (because I thought that part was successful and it was fairly long).

I re-ran it with -vv and 'set -x' and I'm now posting the full output (below) and command.  Note that my wrapper script outputs a start/end message that starts with "===" so I can see clearly where it runs.

~ray

---------------------------------------------------------------------------------------

$ sudo openconnect \
        -vv \
        --user="$ADDOM/$USERNAME" \
        --certificate="$PIVCERT" \
        --pid-file="$PIDFILE" \
        --csd-user=$ME \
        --csd-wrapper="$CSDWRAPPER" \
        --dump-http-traffic \
        $HOSTDOMAIN/piv
[sudo] password for ray:
POST https://$HOSTDOMAIN/piv
Attempting to connect to server XXX.XXX.XX.X:443
Connected to XXX.XXX.XX.X:443
Using PKCS#11 certificate pkcs11:token=FIRSTNAME%20O%20LASTNAME;id=%00%02;type=cert
Trying PKCS#11 key URL pkcs11:token=FIRSTNAME%20O%20LASTNAME;id=%00%02;type=private
PIN required for FIRSTNAME M LASTNAME
Enter PIN:
Using PKCS#11 key pkcs11:token=FIRSTNAME%20O%20LASTNAME;id=%00%02;type=private
Using client certificate 'FIRSTNAME M LASTNAME'
Adding supporting CA '$MYORG'
Adding supporting CA 'Symantec SSP Intermediate CA - G4'
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 215
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 23:44:23 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <client-cert-request></client-cert-request>
< </config-auth>
POST https://$HOSTDOMAIN/piv
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 215
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 23:44:25 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <authentication-complete></authentication-complete>
< </auth>
< <host-scan>
< <host-scan-ticket>260F964C1481B67F19F23B9E</host-scan-ticket>
< <host-scan-token>0EF135D975E118204E8B8B23</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
XML POST enabled
GET https://$HOSTDOMAIN/+CSCOE+/sdesktop/wait.html
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: sdesktop=0EF135D975E118204E8B8B23
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
+ echo '=== csd-wrapper.sh is running...'
=== csd-wrapper.sh is running...
+ CSD_HOSTNAME=$HOSTDOMAIN
+ host=https://$HOSTDOMAIN
+ token=0EF135D975E118204E8B8B23
+ echo '[token=0EF135D975E118204E8B8B23]'
[token=0EF135D975E118204E8B8B23]
+ echo '[sending...]'
[sending...]
+ run_curl --data-ascii @- 'https://$HOSTDOMAIN/+CSCOE+/sdesktop/scan.xml?reusebrowser=1'
+ /usr/bin/curl --insecure --user-agent 'Open AnyConnect VPN Agent v7.08' --header 'X-Transcend-Version: 1' --header 'X-Aggregate-Auth: 1' --header 'X-AnyConnect-Platform: linux-64' --cookie sdesktop=0EF135D975E118204E8B8B23 --data-ascii @- 'https://$HOSTDOMAIN/+CSCOE+/sdesktop/scan.xml?reusebrowser=1'
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 03 Oct 2018 23:44:25 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="refresh" content="1">
< <title>Installation</title>
< <link href="/+CSCOU+/portal.css" rel="stylesheet" type="text/css">
< <link href="/+CSCOE+/logon_custom.css" rel="stylesheet" type="text/css">
< </head>
< <body style="background-color:#ffffff; overflow:auto;">
< <table style="width:100%;height: 100%" cellspacing=0 cellpadding=0>
< <tr>
< <td style="border-bottom:1px solid #aaaaaa" colspan=2>
< <table style="width:100%" border="0" cellpadding="0" cellspacing="0" class="cuesHeaderBg">
< <tr>
< <td colspan="2" class="cuesHeaderAccent"></td>
< </tr>
<    <tr>
<       <td class="install-title" style="height:40px; padding: 8px; font-size:larger;font-weight:bold">
<           <img src="/+CSCOU+/csco_logo.gif" align="absmiddle" alt="Logo"  title="Logo">
<           &nbsp;&nbsp;Secure Desktop
<       </td>
<    </tr>
< </tr>
< </table>
< </td>
< </tr>
<
< <td id=form_panel align=middle>
< <div id=keepout_margin>
< <table id=form_table cellspacing=0 cellpadding=0 border=0 width=300>
<
<     <tr>
<     <td colspan=2 id="logon" align="middle" valign="top">
<     <table id="form_title"  width=100% cellspacing=0  border="0">
<     <tr height=20>
<     <td id="form_title_text" colspan=2 align="middle" nowrap>
<         Secure Desktop
<     </td>
<     </tr>
<     </table>
<     </td>
< </tr>
< <tr><td colspan=2 align=middle>
< <table border=0>
< <tr>
< <td colspan=2><div style="margin-top:10;margin-bottom:10;">
< Processing, please wait...
< </div>
< </td>
< </tr>
< <tr><td><center><img src="/+CSCOU+/progress.gif" alt="Loading..."></center></tr></td>
< <tr>
< <td align=middle colspan=2 height=40>
< </td>
< </tr>
< </table>
< </div>
< </td>
< </table>
< </div>
< </td>
< </body>
< </html>
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>
+ echo '[sent]'
[sent]
+ echo '=== csd-wrapper.sh is exiting'
=== csd-wrapper.sh is exiting
+ exit 0
GET https://$HOSTDOMAIN/+CSCOE+/sdesktop/wait.html
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: sdesktop=0EF135D975E118204E8B8B23
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Wed, 03 Oct 2018 23:44:28 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /
Set-Cookie: sdesktop=0EF135D975E118204E8B8B23; path=/; secure
HTTP body chunked (-2)
< <html>x</html>
POST https://$HOSTDOMAIN/piv
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08
> Cookie: sdesktop=0EF135D975E118204E8B8B23
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 215
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Wed, 03 Oct 2018 23:44:30 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <authentication-complete></authentication-complete>
< </auth>
< <host-scan>
< <host-scan-ticket>60AC20764B72C71146C5CB38</host-scan-ticket>
< <host-scan-token>65853B9B04C273AA7F365695</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
Failed to obtain WebVPN cookie



_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
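The log above contains the whole aggregate-auth exchange, so it can be read mechanically. The following Python snippet is an added example (not openconnect's own code and not part of Ray's message): it parses the `config-auth` responses the gateway sent before and after the CSD wrapper ran, checks that the `sdesktop` cookie the wrapper used equals the `host-scan-token` it was given, and states why the final response leads to "Failed to obtain WebVPN cookie". The XML samples are copied from the log; the function names and the wording of the diagnosis are assumptions of this example.

```python
"""Added example: read the aggregate-auth XML from the openconnect -vv log above.
Not openconnect code. Samples below are copied from the log in the message;
helper names and diagnosis text are this example's own."""
import xml.etree.ElementTree as ET

# Gateway response right after the client-certificate handshake (from the log).
BEFORE_CSD = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg"><tunnel-group>PIV</tunnel-group><config-hash>1530112511655</config-hash></opaque>
<auth id="main"><authentication-complete></authentication-complete></auth>
<host-scan>
<host-scan-ticket>260F964C1481B67F19F23B9E</host-scan-ticket>
<host-scan-token>0EF135D975E118204E8B8B23</host-scan-token>
<host-scan-base-uri>/CACHE</host-scan-base-uri>
<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
</host-scan>
</config-auth>"""

# Gateway response to the POST /piv made after the wrapper exited (from the log).
AFTER_CSD = BEFORE_CSD.replace("260F964C1481B67F19F23B9E", "60AC20764B72C71146C5CB38") \
                      .replace("0EF135D975E118204E8B8B23", "65853B9B04C273AA7F365695")

# Body returned by scan.xml when the wrapper uploaded its result (from the log).
SCAN_STATUS = """<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>"""

# Cookie header the wrapper's curl call sent (from the log).
WRAPPER_COOKIE = "sdesktop=0EF135D975E118204E8B8B23"


def parse_auth_response(xml_text):
    """Return the fields of a <config-auth> auth-request that matter for CSD."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes: honours the XML decl
    if root.tag != "config-auth":
        raise ValueError("not a config-auth document")
    info = {
        "type": root.get("type"),
        "tunnel_group": root.findtext("opaque/tunnel-group"),
        # empty elements are falsy, so test identity rather than truthiness
        "authentication_complete": root.find("auth/authentication-complete") is not None,
        "host_scan": None,
    }
    hs = root.find("host-scan")
    if hs is not None:
        info["host_scan"] = {
            "ticket": hs.findtext("host-scan-ticket"),
            "token": hs.findtext("host-scan-token"),
            "base_uri": hs.findtext("host-scan-base-uri"),
            "wait_uri": hs.findtext("host-scan-wait-uri"),
        }
    return info


def parse_hostscan_status(xml_text):
    """Return the <status> text of a <hostscan> reply from scan.xml."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "hostscan":
        raise ValueError("not a hostscan status document")
    return root.findtext("status")


def cookie_matches_token(cookie_header, token):
    """The wrapper must present the host-scan-token as the sdesktop cookie."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sdesktop":
            return value == token
    return False


def diagnose(before, after, scan_status):
    """Explain, from the two auth-requests, why no session cookie was issued."""
    if scan_status != "TOKEN_SUCCESS":
        return "scan upload rejected: status %s" % scan_status
    if after["host_scan"] is None:
        return "no host-scan block in follow-up response: scan accepted"
    if after["host_scan"]["ticket"] != before["host_scan"]["ticket"]:
        return ("follow-up response carries a fresh host-scan ticket and no cookie: "
                "the gateway did not accept the scan result and wants another scan")
    return "follow-up response repeats the same host-scan ticket: scan still pending"


if __name__ == "__main__":
    before = parse_auth_response(BEFORE_CSD)
    after = parse_auth_response(AFTER_CSD)
    print("cookie == token:", cookie_matches_token(WRAPPER_COOKIE, before["host_scan"]["token"]))
    print(diagnose(before, after, parse_hostscan_status(SCAN_STATUS)))
```

Running it on the log's own XML confirms that the wrapper used the right token as its `sdesktop` cookie and that the upload was answered with `TOKEN_SUCCESS`, yet the next `auth-request` contains a brand-new `host-scan-ticket` rather than a session cookie, which is exactly the point at which openconnect gives up.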