On Fri, Jan 27, 2023 at 3:58 AM Zbyněk Kačer <zbynek.ka...@pitris.info> wrote:
> So I tried openconnect

openconnect --version?

> So I tried
> openconnect --dump-http-traffic --csd-wrapper=/tmp/csd-post.sh
> gateway.host.some.server.com
>
> but the csd-post script seems never be called (I've inserted some echos
> at the beginning).

Are you 100% sure the `csd-post.sh` is an executable shell script, and that you're not missing an error about it being non-executable, or otherwise failing?

Until we made improvements in recent releases (https://gitlab.com/openconnect/openconnect/-/commits/7083a0ac52a95e02b2c75180888bc29bcc9f3bae/auth.c), these errors were very easy to miss.

Assuming the script is indeed executable, it's possible that your server detects that you're using a non-Cisco client, or running a not-supported OS, and simply skips over CSD and goes straight to the "limited access" mode.

Try adding combinations of the following to the command line and see if they make any difference…

    --useragent 'AnyConnect Windows 4.10.05095'
    --os=win
    --local-hostname=HOSTNAME_OF_YOUR_OFFICIALLY_SUPPORTED_WINDOWS_LAPTOP

Rinse/repeat/experiment until you hopefully find the magical combination of options/versions/identifiers (refer to https://www.infradead.org/openconnect/manual.html).

> Do I have to force openconnect to post the "scan" result to the gateway
> somehow?

No. As far as we know, the Cisco servers either (a) require that you complete CSD before authentication will complete and you'll be able to connect the VPN tunnel, or (b) skip it.

Dan
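
A pre-flight check for the wrapper-script failure discussed in the reply above, as an added example that is not part of the original message or of openconnect. The function name check_csd_wrapper and its return codes are assumptions made for illustration; it covers the non-executable case plus two other reasons a script can fail to launch (a CRLF-damaged or missing `#!` line, or a missing interpreter).

```shell
#!/bin/sh
# Added example (not openconnect code): verify that a script intended for
# `openconnect --csd-wrapper=...` can actually be executed.
# check_csd_wrapper is a hypothetical helper name.
# Return codes: 0 ok, 1 not a regular file, 2 not executable,
#               3 no #! line, 4 CRLF in #! line, 5 interpreter missing.
check_csd_wrapper() {
    script=$1
    [ -f "$script" ] || { echo "not a regular file: $script" >&2; return 1; }
    [ -x "$script" ] || { echo "not executable (chmod +x?): $script" >&2; return 2; }

    # Only the first line matters: the kernel reads it to pick the interpreter.
    first=""
    IFS= read -r first < "$script" || [ -n "$first" ] || first=""
    case $first in
        '#!'*) ;;
        *) echo "no #! line: $script" >&2; return 3 ;;
    esac

    # A script saved with Windows line endings has a trailing CR here, which
    # makes the interpreter path invalid ("bad interpreter").
    cr=$(printf '\r')
    case $first in
        *"$cr") echo "CRLF line ending in #! line: $script" >&2; return 4 ;;
    esac

    # Strip "#!" and leading spaces, then drop any interpreter arguments.
    interp=${first#'#!'}
    while [ "${interp# }" != "$interp" ]; do interp=${interp# }; done
    interp=${interp%% *}
    [ -x "$interp" ] || { echo "interpreter not found: $interp" >&2; return 5; }
    return 0
}

# Run the check when a path is given on the command line.
if [ "$#" -ge 1 ]; then
    check_csd_wrapper "$1" && echo "ok: $1"
fi
```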