On Wed, Apr 12, 2023 at 11:29 PM lobbia <[email protected]> wrote:
>
> In my case, v9.01+ doesn't work for my openwrt. My company's Cisco ASA server
> prefers Azure SSO over user/pass sign-in. When using openconnect v9.01 to
> connect, it proposed SSO in the capabilities list and then got stuck due to
> lack of sufficient support e.g. GUI, TPM, Azure etc. But when using v8.20, it
> could negotiate and agree on user/pass sign-in with ASA so I can connect
> successfully.

Yes, we're aware of this issue. I added the `--no-external-auth` option in
https://gitlab.com/openconnect/openconnect/-/merge_requests/398; it will
prevent OpenConnect from advertising this "less scriptable" authentication
mode. (@dwmw, we should merge this one before the next release!)

> Another question is, based on analysis, I see 2 more local_ids in my HTTP
> POST request xml form for device-id attributes: computer-name, and
> unique-id-global, from my client app Cisco AnyConnect v4.9.06037. Below is
> the example. I don't know how difficult it is to extend support to these 2
> new items in code; can I just add 2 new items in auth.c and cstp.c like what
> you did in the commit f73a8268 "Add CLI option --local-id, generic id_options
> structure, and API function openconnect_set_id_option"? Or is it indeed much
> more complicated, and have you seen this requirement also from other users
> and will have a plan to support it later?
>
> HTTP POST XML example:
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version
> who="vpn">4.9.06037</version><device-id
> unique-id="xxxxxxxxxxCF7963BA42EF2701DCC3C9E20007E1E30DAC9169940D8888888888"
> unique-id-global="xxxxxxxxxx4C9A04F98E4FC47BD4698888888888"
> computer-name="xxx-xxx" platform-version="10.0.22000" device_type="xxxxxx
> xxxxxx">win</device-id><mac-address-list><mac-address>xx-xx-xx-xx-xx-xx</mac-address></mac-address-list><group-access>https://xxx.com/</group-access></config-auth>

1. Is "computer-name" identical to the value provided by the longstanding
   `--local-hostname` option, or is it distinct? Is it ACTUALLY REQUIRED for
   your login to succeed?

2. Looks like unique-id and unique-id-global are distinct? Yes, if
   unique-id-global is DISTINCT AND REQUIRED, then it should just be Yet
   Another Thing You Can Set™ with `--local-id`.

🤕 Please submit a diff (or a merge-request on top of the
https://gitlab.com/openconnect/openconnect/-/tree/add_local_id_option branch)
to add these in the way that you think will make them work with your VPN, and
I'll try to clean 'em up and incorporate them into the MR.

Thanks!

_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
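To show how key=value id options of the kind `--local-id` sets map onto the `<device-id>` attributes of the AnyConnect "init" request quoted above, here is an added Python example; it is not OpenConnect's code and not part of this thread. The sample XML (placeholder values only), the attribute allow-list and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AnyConnect "init" POST body, shaped like the one
# quoted in the thread; every identifier below is a placeholder.
SAMPLE_INIT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<config-auth client="vpn" type="init"><version who="vpn">4.9.06037'
    '</version><device-id unique-id="PLACEHOLDER-UNIQUE-ID" '
    'unique-id-global="PLACEHOLDER-UNIQUE-ID-GLOBAL" computer-name="example-host" '
    'platform-version="10.0.22000" device_type="Example Device">win</device-id>'
    '<mac-address-list><mac-address>xx-xx-xx-xx-xx-xx</mac-address>'
    '</mac-address-list><group-access>https://vpn.example.com/</group-access>'
    '</config-auth>'
)

# Attributes a client may place on <device-id>; the two new ones from the
# thread (computer-name, unique-id-global) sit beside the existing ones.
DEVICE_ID_ATTRS = {"unique-id", "unique-id-global", "computer-name",
                   "platform-version", "device_type"}


def device_id_attributes(xml_text: str) -> dict:
    """Return the <device-id> attributes plus its text (the platform name)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    dev = root.find("device-id")
    if dev is None:
        return {}
    attrs = dict(dev.attrib)
    attrs["platform"] = (dev.text or "").strip()
    return attrs


def build_init_xml(platform: str, id_options: dict, group_access: str) -> str:
    """Build an init request from key=value id options (hypothetical helper).

    Only the known <device-id> attribute names are accepted, so a typo such as
    "uniqu-id-global" fails loudly instead of being sent to the gateway.
    """
    unknown = set(id_options) - DEVICE_ID_ATTRS
    if unknown:
        raise ValueError(f"unsupported id option(s): {sorted(unknown)}")
    root = ET.Element("config-auth", {"client": "vpn", "type": "init"})
    ET.SubElement(root, "version", {"who": "vpn"}).text = "4.9.06037"
    dev = ET.SubElement(root, "device-id", dict(id_options))
    dev.text = platform
    ET.SubElement(root, "group-access").text = group_access
    return ET.tostring(root, encoding="unicode")
```

Parsing a captured request with `device_id_attributes` is a quick way to see exactly which identifiers a client sends before deciding which ones a scripted login actually needs.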
