Zbyněk Kačer wrote:
Daniel Lenski wrote:
On Fri, Jan 27, 2023 at 3:58 AM Zbyněk Kačer
<zbynek.ka...@pitris.info> wrote:
So I tried openconnect
openconnect --version?
So I tried
openconnect --dump-http-traffic --csd-wrapper=/tmp/csd-post.sh
gateway.host.some.server.com
but the csd-post script seems never to be called (I've inserted some echos
at the beginning).
Are you 100% sure the `csd-post.sh` is an executable shell script, and
that you're not missing an error about it being non-executable, or
otherwise failing? Until we made improvements in recent releases
(https://gitlab.com/openconnect/openconnect/-/commits/7083a0ac52a95e02b2c75180888bc29bcc9f3bae/auth.c),
these errors were very easy to miss.
Assuming the script is indeed executable, it's possible that your
server detects that you're using a non-Cisco client, or running a
not-supported OS, and simply skips over CSD and goes straight to the
"limited access" mode.
Try adding combinations of the following to the command line and see
if they make any difference…
--useragent 'AnyConnect Windows 4.10.05095'
--os=win
--local-hostname=HOSTNAME_OF_YOUR_OFFICIALLY_SUPPORTED_WINDOWS_LAPTOP
Rinse/repeat/experiment until you hopefully find the magical
combination of options/versions/identifiers (refer to
https://www.infradead.org/openconnect/manual.html).
Do I have to force openconnect to post the "scan" result to the gateway
somehow?
No.
As far as we know, the Cisco servers either (a) require that you
complete CSD before authentication will complete and you'll be able to
connect the VPN tunnel, or (b) skip it.
Dan
It's Debian's v9.01-2.
Yes, it's executable, I can run it from a terminal.
The parameters do not help, it's the same. I'll try to play with this
a little more. Is there any way to debug it?
Thanks.
I'm afraid tuning parameters does not help at all. I unsuccessfully
tried various combinations.
Then I dumped the /opt/cisco/anyconnect/bin/vpnui traffic, tried what
the official client sends and still no success.
What can I do more? What to dump?
I'm able to dump (SSLKEYLOGFILE) ui's traffic and partly also the
vpnagentd's traffic but there are still some tls streams unreadable.
Thanks.
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
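Dan's first question in the thread (is the `--csd-wrapper` script actually executable, and is an error about it being skipped?) is the kind of thing worth checking mechanically before experimenting with user-agent and OS options. The script below is an added example written for this page; it is not part of openconnect or of anything posted in the thread. It checks a candidate wrapper for the usual reasons a script silently fails to run (missing file, no execute bit, no `#!` line, CRLF line endings) and generates a small logging wrapper that records every invocation before handing off to the real script, so that "the script is never called" can be told apart from "the script is called and exits quietly". The log path, wrapper path and the `CSD_*` variables it greps for are assumptions about the caller's environment; the sample arguments used in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not openconnect's own code): check that a script is usable as
# an openconnect --csd-wrapper, and wrap it so every call is logged.
# Assumptions: paths are supplied by the caller; any CSD_* variables present in
# the environment at call time are simply recorded, whatever they are.

# check_csd_wrapper FILE
# Returns 0 if FILE looks usable as --csd-wrapper, otherwise a non-zero code
# and a one-line reason on stderr:
#   1 not a regular file, 2 not executable, 3 no "#!" interpreter line,
#   4 CRLF line endings (the kernel then looks for an interpreter named
#     "/bin/sh<CR>" and execve fails).
check_csd_wrapper() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -x "$f" ] || { echo "not executable: $f (try: chmod +x '$f')" >&2; return 2; }
    first=""
    IFS= read -r first < "$f" || true
    case "$first" in
        '#!'*) ;;
        *) echo "no #! interpreter line: $f" >&2; return 3 ;;
    esac
    case "$first" in
        *"$(printf '\r')"*) echo "CRLF line endings: $f (convert with dos2unix)" >&2; return 4 ;;
    esac
    return 0
}

# make_logging_wrapper REAL_SCRIPT LOG OUT
# Writes OUT: a wrapper that appends the time, its arguments and any CSD_*
# environment variables to LOG, then execs REAL_SCRIPT with the same arguments.
# Pass OUT to openconnect as --csd-wrapper. If LOG never grows, openconnect
# never reached the CSD step (or failed earlier), regardless of what the real
# script contains.
make_logging_wrapper() {
    real="$1" log="$2" out="$3"
    cat > "$out" <<EOF
#!/bin/sh
# constructed diagnostic wrapper (generated by make_logging_wrapper)
{
    echo "=== \$(date '+%Y-%m-%dT%H:%M:%S') \$0 called with: \$*"
    env | grep '^CSD_' || echo "(no CSD_* variables in environment)"
} >> '$log' 2>&1
exec '$real' "\$@"
EOF
    chmod 0700 "$out"
}

# Usage: ./csd-check.sh /tmp/csd-post.sh
#   then: make_logging_wrapper /tmp/csd-post.sh /tmp/csd.log /tmp/csd-wrap.sh
#   and run openconnect with --csd-wrapper=/tmp/csd-wrap.sh; inspect /tmp/csd.log
if [ "$#" -ge 1 ]; then
    check_csd_wrapper "$1" && echo "OK: $1 looks usable as --csd-wrapper"
fi
```

The check deliberately does not try to run the script: a CSD wrapper that is executed outside openconnect does useful work only with the token and ticket the server handed out, so the only question worth answering up front is whether the kernel can start it at all. The generated wrapper records whatever `CSD_*` variables are exported at call time rather than a fixed list, so it stays honest about what the running openconnect build actually passes.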