Thanks for the patch.
I'm now getting an error message saying:
Login denied. Your system does not meet the minumium security requirement
to access the XXXXX Network. If you need assistance please contact the
helpdesk.
Your client certificate will be used for authentication
And it then prompts for a group, username etc.
I'm still getting the same response as before to the hostscan
("TOKEN_SUCCESS"). Did that response look good to you (I've never seen a
good one so I can't judge)? I'm guessing either hostscan did not actually
work or we're missing something in the later requests.
re:
/* Ick. Since struct oc_auth_form is public there's no
* simple way to add a flag to it. So let's abuse the
* auth_id string instead. */
I had added an int flag to openconnect_info. Is that less or more "ick"? ;)
Here's the latest output (beginning at the hostscan response). The messages
enclosed in "[[...]]" are trace logging that I added to follow the flow. You
can see where the patch is kicking in.
< HTTP/1.1 200 OK
< Content-Type: text/xml
< Transfer-Encoding: chunked
< Cache-Control: no-cache
< Pragma: no-cache
< Connection: Close
< Date: Fri, 05 Oct 2018 17:24:53 GMT
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; preload;
<
<?xml version="1.0" encoding="ISO-8859-1"?>
<hostscan><status>TOKEN_SUCCESS</status></hostscan>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
[sent]
=== csd-wrapper.sh is exiting
GET https://$HOSTDOMAIN/+CSCOE+/sdesktop/wait.html
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> GET /+CSCOE+/sdesktop/wait.html HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08-unknown
> Cookie: sdesktop=61FFDE3E463B3EF9149711C0
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 05 Oct 2018 17:24:56 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
Location: /
Set-Cookie: sdesktop=61FFDE3E463B3EF9149711C0; path=/; secure
HTTP body chunked (-2)
< <html>x</html>
POST https://$HOSTDOMAIN/piv
SSL negotiation with $HOSTDOMAIN
Connected to HTTPS on $HOSTDOMAIN
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08-unknown
> Cookie: sdesktop=61FFDE3E463B3EF9149711C0
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 223
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version
who="vpn">v7.08-unknown</version><device-id>linux-64</device-id><group-access>https://$HOSTDOMAIN/piv</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 05 Oct 2018 17:24:58 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <authentication-complete></authentication-complete>
< </auth>
< <host-scan>
< <host-scan-ticket>51EA98974F3777162A90D431</host-scan-ticket>
< <host-scan-token>1FCD58D80D21FBBB2117A04A</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
[[set openconnect_authentication_complete]]
[[entering auth form loop]]
[[handle_auth_form jumping to justpost for openconnect_authentication_complete]]
[[sending request]]
POST https://$HOSTDOMAIN/piv
> POST /piv HTTP/1.1
> Host: $HOSTDOMAIN
> User-Agent: Open AnyConnect VPN Agent v7.08-unknown
> Cookie: sdesktop=61FFDE3E463B3EF9149711C0
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 341
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version
who="vpn">v7.08-unknown</version><device-id>linux-64</device-id><opaque
is-for="sg">
> <tunnel-group>PIV</tunnel-group>
> <config-hash>1530112511655</config-hash>
>
</opaque><auth/><host-scan-token>61FFDE3E463B3EF9149711C0</host-scan-token></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 05 Oct 2018 17:24:58 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; preload;
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <opaque is-for="sg">
< <tunnel-group>PIV</tunnel-group>
< <group-alias>PIV</group-alias>
< <config-hash>1530112511655</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Your client certificate will be used for authentication</message>
< <banner></banner>
< <error id="9" param1="Your system does not meet the minumium security
requirement to access the XXXX Network. If you need assistance please
contact the helpdesk." param2="">Login denied. %s</error>
< <form>
< <select name="group_list" label="GROUP:">
< <option>ANYCONNECT</option>
< <option>AnyConnect</option>
< <option>GPUpdate</option>
< <option selected="true">PIV</option>
< <option>PIV-Access</option>
< <option>VDI</option>
< <option>XXXX_Secure_Tunnel</option>
< <option>client</option>
< <option>gfe</option>
< <option>piv</option>
< <option>piv-exempt</option>
< <option>ts</option>
< </select>
< </form>
< </auth>
< <host-scan>
< <host-scan-ticket>6BFE52EE3FECD86921726AF0</host-scan-ticket>
< <host-scan-token>1E3627335BABEEA20A6D826D</host-scan-token>
< <host-scan-base-uri>/CACHE</host-scan-base-uri>
< <host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
< </host-scan>
< </config-auth>
[[repeating auth form loop]]
Login denied. Your system does not meet the minumium security requirement to
access the XXXX Network. If you need assistance please contact the helpdesk.
Your client certificate will be used for authentication
GROUP:
[ANYCONNECT|AnyConnect|GPUpdate|PIV|PIV-Access|VDI|XXXX_Secure_Tunnel|client|gfe|piv|piv-exempt|ts]:
^Cfgets (stdin): Interrupted system call
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
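The two auth-request documents and the auth-reply from the trace above, parsed and rebuilt with the Python standard library. This is an added example, not openconnect code and not something posted in this thread; the XML constants are constructed from the trace (values copied, line wrapping removed), and the assumption that a client's auth-reply should carry the `<host-scan-token>` the server just issued is mine, not a fact the thread confirms. Under that assumption the check makes one thing in the trace visible: the reply that was sent carries 61FFDE3E463B3EF9149711C0 (the sdesktop cookie value), while the auth-request it answers issued 1FCD58D80D21FBBB2117A04A.

```python
"""Parse Cisco aggregate-auth <config-auth> responses like the trace above
and rebuild the client's auth-reply.  Added example, not openconnect code.
The XML below is constructed from the trace (values copied, wrapping removed)."""
import xml.etree.ElementTree as ET

# First auth-request of the trace: authentication-complete plus a host-scan block.
AUTH_REQUEST_1 = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg"><tunnel-group>PIV</tunnel-group><config-hash>1530112511655</config-hash></opaque>
<auth id="main"><authentication-complete></authentication-complete></auth>
<host-scan>
<host-scan-ticket>51EA98974F3777162A90D431</host-scan-ticket>
<host-scan-token>1FCD58D80D21FBBB2117A04A</host-scan-token>
<host-scan-base-uri>/CACHE</host-scan-base-uri>
<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
</host-scan>
</config-auth>"""

# Second auth-request of the trace: the "Login denied" error plus the group form.
AUTH_REQUEST_2 = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg"><tunnel-group>PIV</tunnel-group><group-alias>PIV</group-alias><config-hash>1530112511655</config-hash></opaque>
<auth id="main">
<title>Login</title>
<message>Your client certificate will be used for authentication</message>
<banner></banner>
<error id="9" param1="Your system does not meet the minumium security requirement to access the XXXX Network. If you need assistance please contact the helpdesk." param2="">Login denied. %s</error>
<form><select name="group_list" label="GROUP:">
<option>ANYCONNECT</option><option>AnyConnect</option><option>GPUpdate</option>
<option selected="true">PIV</option><option>PIV-Access</option><option>VDI</option>
<option>XXXX_Secure_Tunnel</option><option>client</option><option>gfe</option>
<option>piv</option><option>piv-exempt</option><option>ts</option>
</select></form>
</auth>
<host-scan>
<host-scan-ticket>6BFE52EE3FECD86921726AF0</host-scan-ticket>
<host-scan-token>1E3627335BABEEA20A6D826D</host-scan-token>
<host-scan-base-uri>/CACHE</host-scan-base-uri>
<host-scan-wait-uri>/+CSCOE+/sdesktop/wait.html</host-scan-wait-uri>
</host-scan>
</config-auth>"""

# The auth-reply the client actually sent in the trace (second POST to /piv).
TRACE_REPLY = ('<?xml version="1.0" encoding="UTF-8"?><config-auth client="vpn" '
               'type="auth-reply"><version who="vpn">v7.08-unknown</version>'
               '<device-id>linux-64</device-id><opaque is-for="sg">'
               '<tunnel-group>PIV</tunnel-group><config-hash>1530112511655</config-hash>'
               '</opaque><auth/><host-scan-token>61FFDE3E463B3EF9149711C0</host-scan-token>'
               '</config-auth>')


def parse_auth_request(xml_text):
    """Pull out the fields a client has to act on in an auth-request."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "config-auth":
        raise ValueError("not a config-auth document: <%s>" % root.tag)
    auth = root.find("auth")
    info = {
        "type": root.get("type"),
        "tunnel_group": root.findtext("opaque/tunnel-group"),
        "host_scan_token": root.findtext("host-scan/host-scan-token"),
        "authentication_complete": auth is not None
            and auth.find("authentication-complete") is not None,
        "error": None,
        "groups": [],
        "selected_group": None,
    }
    err = auth.find("error") if auth is not None else None
    if err is not None:
        # The gateway sends a printf-style template ("Login denied. %s") and
        # the substitutions as param1/param2 attributes; expand them in order.
        text = err.text or ""
        for param in (err.get("param1", ""), err.get("param2", "")):
            text = text.replace("%s", param, 1)
        info["error"] = text
    for opt in root.iterfind("auth/form/select/option"):
        info["groups"].append(opt.text)
        if opt.get("selected") == "true":
            info["selected_group"] = opt.text
    return info


def build_auth_reply(request_xml, version="v7.08-unknown", device_id="linux-64"):
    """Build an auth-reply in the shape the trace shows, echoing the server's
    <opaque> blob and (assumption) the host-scan-token it just issued."""
    root = ET.fromstring(request_xml.encode("utf-8"))
    reply = ET.Element("config-auth", client="vpn", type="auth-reply")
    ET.SubElement(reply, "version", who="vpn").text = version
    ET.SubElement(reply, "device-id").text = device_id
    opaque = root.find("opaque")
    if opaque is not None:
        reply.append(opaque)  # server state; goes back unchanged
    ET.SubElement(reply, "auth")
    token = root.findtext("host-scan/host-scan-token")
    if token:
        ET.SubElement(reply, "host-scan-token").text = token
    return ET.tostring(reply, encoding="unicode")


def reply_echoes_server_token(reply_xml, request_xml):
    """True when the auth-reply carries the host-scan-token issued by the
    auth-request it answers."""
    sent = ET.fromstring(reply_xml.encode("utf-8")).findtext("host-scan-token")
    issued = parse_auth_request(request_xml)["host_scan_token"]
    return sent is not None and sent == issued


if __name__ == "__main__":
    for label, doc in (("first", AUTH_REQUEST_1), ("second", AUTH_REQUEST_2)):
        print(label, parse_auth_request(doc))
    print("trace reply echoes issued token:",
          reply_echoes_server_token(TRACE_REPLY, AUTH_REQUEST_1))
    print(build_auth_reply(AUTH_REQUEST_1))
```

Running it prints the parsed fields of both responses (the first with `authentication_complete` set, the second with the expanded "Login denied." message and the twelve group options), reports False for the reply captured in the trace, and prints a rebuilt reply that carries the server-issued token instead.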