See my inline comments below starting with 'Leo:'. Thanks!
On 2023-04-14 00:36:16, "Daniel Lenski" <[email protected]> wrote:

>On Wed, Apr 12, 2023 at 11:29 PM lobbia <[email protected]> wrote:
>>
>> In my case, v9.01+ doesn't work for my openwrt. My company's Cisco ASA
>> server prefers Azure SSO over user/pass sign-in. When using openconnect
>> v9.01 to connect, it proposed SSO in the capabilities list and then got stuck due
>> to lack of sufficient support e.g. GUI, TPM, Azure etc. But when using
>> v8.20, it could negotiate and agree on user/pass sign-in with ASA so I can
>> connect successfully.
>
>Yes, we're aware of this issue. I added the `--no-external-auth`
>option in https://gitlab.com/openconnect/openconnect/-/merge_requests/398;
>it will prevent OpenConnect from advertising this "less scriptable"
>authentication mode.
>
>(@dwmw, we should merge this one before the next release!)
>
>> Another question is, based on analysis, I see 2 more local_ids in my HTTP
>> POST request xml form for device-id attributes: computer-name, and
>> unique-id-global, from my client app Cisco AnyConnect v4.9.06037. Below is
>> the example. I don't know how difficult to extend support to these 2 new
>> items in code, can I just add 2 new items in auth.c and cstp.c like what you
>> did in the commit f73a8268 "Add CLI option --local-id, generic id_options
>> structure, and API function openconnect_set_id_option"? Or it's indeed much
>> more complicated, and have you seen this requirement also from other users
>> and will have a plan to support later?
>>
>> HTTP POST XML example:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init">
>>   <version who="vpn">4.9.06037</version>
>>   <device-id
>>     unique-id="xxxxxxxxxxCF7963BA42EF2701DCC3C9E20007E1E30DAC9169940D8888888888"
>>     unique-id-global="xxxxxxxxxx4C9A04F98E4FC47BD4698888888888"
>>     computer-name="xxx-xxx"
>>     platform-version="10.0.22000"
>>     device_type="xxxxxx xxxxxx">win</device-id>
>>   <mac-address-list>
>>     <mac-address>xx-xx-xx-xx-xx-xx</mac-address>
>>   </mac-address-list>
>>   <group-access>https://xxx.com/</group-access>
>> </config-auth>
>
>1. Is "computer-name" identical to the value provided by the
>longstanding `--local-hostname` option, or is it distinct? Is it
>ACTUALLY REQUIRED for your login to succeed?
>2. Looks like unique-id and unique-id-global are distinct? Yes, if
>unique-id-global is DISTINCT AND REQUIRED, then it should just be Yet
>Another Thing You Can Set™ with `--local-id`.
>

Leo: yes, "computer-name" has the same value as `--local-hostname`. Meanwhile unique-id and unique-id-global are distinct. They are not required for successful login. But my company has a strict policy, and if it's found using an open-source app to connect to the VPN the laptop might be locked and formatted. So I'm trying my best to 100% simulate AnyConnect behavior.

>Please submit a diff (or a merge-request on top of the
>https://gitlab.com/openconnect/openconnect/-/tree/add_local_id_option
>branch) to add these in the way that you think will make them work
>with your VPN, and I'll try to clean 'em up and incorporate them into
>the MR.
>

Leo: Just updated the code of auth.c then rebuilt on Ubuntu. It works as expected including computer-name and unique-id-global. MR has also been submitted: https://gitlab.com/openconnect/openconnect/-/merge_requests/465 Feel free to revise. Thanks!

>Thanks!

_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
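Added example, not code from openconnect or from anyone in this thread: a small Python script that builds an AnyConnect-style `<config-auth type="init">` POST body with the same `device-id` attributes as the captured request above (including the two under discussion, `unique-id-global` and `computer-name`), parses it back, and checks that the two identifiers are actually distinct. The attribute names and element layout are taken from the captured XML; every value, hostname and URL in it is a constructed placeholder. It uses `xml.etree` so that attribute values are escaped properly, which matters when a value such as a hostname contains `"`, `<` or `&`; the thread says nothing about how openconnect serializes this, so that choice is the example's own.

```python
"""Build and parse an AnyConnect-style <config-auth type="init"> request body.

Constructed example for this thread. Attribute names mirror the POST
captured from AnyConnect 4.9; values are placeholders. Not openconnect code.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# device-id attributes seen in the captured POST, in the order they appeared.
DEVICE_ID_ATTRS = ("unique-id", "unique-id-global", "computer-name",
                   "platform-version", "device_type")


def build_config_auth(version: str, platform: str, device_id: Dict[str, str],
                      mac_addresses: List[str], group_access: str) -> bytes:
    """Serialize the init request. device_id maps attribute name -> value."""
    unknown = set(device_id) - set(DEVICE_ID_ATTRS)
    if unknown:
        raise ValueError(f"unexpected device-id attributes: {sorted(unknown)}")
    root = ET.Element("config-auth", {"client": "vpn", "type": "init"})
    ET.SubElement(root, "version", {"who": "vpn"}).text = version
    dev = ET.SubElement(root, "device-id")
    # Emit attributes in the captured order; ElementTree escapes ", <, & for us,
    # so a hostname with odd characters cannot break or inject into the XML.
    for name in DEVICE_ID_ATTRS:
        if name in device_id:
            dev.set(name, device_id[name])
    dev.text = platform                      # e.g. "win", as in the capture
    macs = ET.SubElement(root, "mac-address-list")
    for mac in mac_addresses:
        ET.SubElement(macs, "mac-address").text = mac
    ET.SubElement(root, "group-access").text = group_access
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def parse_device_id(body: bytes) -> Dict[str, Optional[str]]:
    """Pull the device-id attributes (plus the platform text) out of a body."""
    root = ET.fromstring(body)
    dev = root.find("device-id")
    if dev is None:
        raise ValueError("no <device-id> element")
    out: Dict[str, Optional[str]] = {n: dev.get(n) for n in DEVICE_ID_ATTRS}
    out["platform"] = dev.text
    return out


def ids_are_distinct(body: bytes) -> bool:
    """True when unique-id and unique-id-global are both present and differ."""
    d = parse_device_id(body)
    return (d["unique-id"] is not None and d["unique-id-global"] is not None
            and d["unique-id"] != d["unique-id-global"])


# Constructed sample; none of these are real identifiers or hosts.
SAMPLE_DEVICE_ID = {
    "unique-id": "A" * 64,
    "unique-id-global": "B" * 40,
    "computer-name": 'lab-"quote"-host',    # deliberately needs XML escaping
    "platform-version": "10.0.22000",
    "device_type": "Example Vendor Example Model",
}
SAMPLE_BODY = build_config_auth("4.9.06037", "win", SAMPLE_DEVICE_ID,
                                ["00-11-22-33-44-55"], "https://vpn.example.com/")

if __name__ == "__main__":
    print(SAMPLE_BODY.decode())
    print(parse_device_id(SAMPLE_BODY))
    print("distinct ids:", ids_are_distinct(SAMPLE_BODY))
```

Running the script prints the serialized body with `computer-name="lab-&quot;quote&quot;-host"` and a parsed dictionary that round-trips the original hostname, which is the property a hand-built `buf_append`-style string concatenation would not give you for free.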
