Hello, I am using OpenSUSE tumbleweed with openconnect 9.12-1.2 through the KDE network manager to connect to a Cisco AnyConnect VPN using two-factor authentication with Duo. This was working until the VPN server side recently changed to require running the CSD trojans, and I have been unsuccessful at reconfiguring the VPN client. As requested in the documentation, I am seeking help debugging this issue.
This is the message that I read as requiring the CSD trojan:

Error: Server asked us to run CSD hostscan.
You need to provide a suitable --csd-wrapper argument.

I tried to configure the network manager setting "Allow Cisco Secure Desktop trojan" and setting the csd-post.sh modified to include "set -x" on line 2 as the CSD wrapper. I tried this both with and without the User Agent string "AnyConnect". Below are the slightly anonymized contents of the debug log, with the csd-post.sh script. Thanks for any help you can provide.

POST https://vpn.example.org/
Attempting to connect to server a.b.c.d:443
Connected to a.b.c.d:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Keep-Alive
Date: Tue, 25 Jul 2023 22:36:23 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' https://api-1234.duosecurity.com/ 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
Trying to run CSD Trojan script '/home/username/csd-post.sh'.
CSD script '/home/username/csd-post.sh' completed successfully.
GET https://vpn.example.org/+CSCOE+/sdesktop/wait.html
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 25 Jul 2023 22:36:24 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' https://api-1234.duosecurity.com/ 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.example.org/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 25 Jul 2023 22:36:26 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' https://api-1234.duosecurity.com/ 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.example.org/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.example.org