Re: Cisco VPN and Azure AD
On Tue, 7 Sep 2021 at 09:46, Watts, Brian wrote:
> Our Cisco VPN has changed to using Azure MFA.
> Opening a connection with Openconnect asks for username and password
> but then just returns to the same prompt.
> I do not get any notifications in the Authenticator app.
> Am I missing some simple piece of configuration?

Hello, in fact I have a similar situation, but with F5.
If I am correct, OpenConnect does not support Azure MFA, so the only way to connect is using the cookie that you have after the login.
According to here: http://www.infradead.org/openconnect/anyconnect.html
you have a "webvpn" cookie in the HTTP exchange. Get it and try to put it in the command line:

openconnect --cookie="webvpn="

Do not use username and password.
I don't know if it works, but you should try it and, if it works, it is the only way to use OpenConnect to connect to your MFA-protected VPN.
I hope I did not say anything silly.

Antonio Petrelli

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Available for support for F5 + MFA
Hello, sorry but I've been on holidays, so I apologize for my slow response too :-D

On Wed, 11 Aug 2021 at 02:42, Daniel Lenski wrote:
> f5-vpn://?server=&resourcename=/Common/SSL_VPN_Portal_Import-&resourcetype=network_access&cmd=launch&protocol=https&port=443&sid=&token=&otc=
>
> Can you confirm that the value of the 'sid' field in the f5-vpn:// URI
> precisely matches the value of the MRHSession cookie sent in the
> get_token_for_sessid.php3 request seen in the browser login? My
> expectation is YES, they should be identical. SID appears to be one of
> the many names used inconsistently for this 32-hex-digit value.

No, the sid value is literally , this is pretty strange...

> > What to do now?
>
> Do a MITM capture of the f5vpn binary, and figure out what request(s)
> it sends involving the access-session-token value.

I managed to do it on 5th August, but then I went on holidays, so here you can see the conversation log I managed to take:
https://pastebin.com/BpKWJDfL

The cool thing is that some of the parameters that are sent to f5vpn via the f5-vpn://... URL seem not to be used, such as "sid".
I have some doubts about the ${f5stNotSetAnywhere} cookie, since it seems not to be set anywhere...

Let me know your thoughts.
Thanks
Antonio
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 19:40, Antonio Petrelli wrote:
> OMG IT WORKED! It seems that the error before happens sometimes, but
> it happens anyway sometimes because something is wrong server side.
> Wait a bit, ignore the previous email, in the next one I will post another
> log.

I have good news and bad news.
The good news is that I managed to make it work.
The bad news is that it works only if I connect via original f5vpn, disconnect, then launch openconnect.
Probably the culprit is the access token.
What to do now?

So here's the log, I hope I edited all the needed things :-D
Thanks
Antonio

-
GET https:///vdesk/vpn/index.php3?outform=xml&client_version=2.0
Attempting to connect to server 77.241.209.42:443
Connected to 77.241.209.42:443
SSL negotiation with
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/xml; charset=utf-8
Accept-Ranges: bytes
Connection: close
Date: Wed, 04 Aug 2021 17:40:13 GMT
Age: 173
Content-Length: 334
X-Frame-Options: DENY
Cache-Control: no-store
HTTP body length: (334)
EPOLL_CTL_DEL: No such file or directory
<
<
<
< SSL_VPN_Portal_Import-_NA
< /Common/SSL_VPN_Portal_Import-_NA
< resourcename=/Common/SSL_VPN_Portal_Import-_NA
<
<
Got profile parameters 'resourcename=/Common/SSL_VPN_Portal_Import-_NA'
GET https:///vdesk/vpn/connect.php3?resourcename=/Common/SSL_VPN_Portal_Import-_NA&outform=xml&client_version=2.0
SSL negotiation with
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/connect.php3?resourcename=/Common/SSL_VPN_Portal_Import-_NA&outform=xml&client_version=2.0 HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/html; charset=ISO-8859-1
Accept-Ranges: bytes
Connection: close
Date: Wed, 04 Aug 2021 17:40:13 GMT
Age: 5409
Content-Length: 5728
X-Frame-Options: DENY
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Cache-Control: no-store
HTTP body length: (5728)
EPOLL_CTL_DEL: No such file or directory
<
<
< https:///vdesk/webtop/index.html?S=
< CLSID:E0FF21FA-B857-45C5-8621-F120A0C17FF2
< https:///public/download/urxhost.cab#version=7213,2021,527,649
< CLSID:6C275925-A1ED-4DD2-9CEE-9823F5FDAA10
< https:///public/download/f5tunsrv.cab#version=7213,2021,527,649
< CLSID:2BCDB465-81F9-41CB-832C-8037A4064446
< https:///public/download/urxvpn.cab#version=7213,2021,527,649
< CLSID:6C275925-A1ED-4DD2-9CEE-9823F5FDAA10
< https:///public/download/f5tunsrv.cab#version=7213,2021,527,649
< https:///public/download/f5fltsrv.cab#version=7213,2021,527,649
< service:F5FltSrv
< https:///public/download/utunres.cab#2003,6,4,1
<
<
< /Common/SSL_VPN_Portal_Import-_NA
< /Common/SSL_VPN_Portal_Import-_NA
< 127.0.0.1
< 4
< VPN
< auto
<
< 443
< https
< 900
< /Common/SSL_VPN_Portal_Import-_NA
< 1
< 0
< 1
< 4433
<
<
<
<
< 1
< 1
< 1
<
<
<
<
<
<
< 1
< 0
< 1
<
<
< no
< "reconnect_to_domain"
<
< 1
< 1
< ON
<
<
<
< no
<
< TRUE
< -1
< no
< yes
< 90
< 200
<
< 0
< 1
<
< NO
< yes
< no
< YES
< 1
< 1
<
<
<
<
<
<
<
<
<
<
<
<
<
Idle timeout is 15 minutes
Got DNS server
Got search domain italy.itroot.adnet
Got SplitTunneling0 value of 1
Got split include route ...
DTLS is enabled on port 4433
Got ipv4 1 ipv6 0 hdlc 0 ur_Z '/Common/SSL_VPN_Portal_Import-_NA'
UDP SO_SNDBUF: 3
DTLS handshake failed: 1
139969204090688:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
Set up UDP failed; using SSL instead
Delaying tunnel with reason: PPP negotiation
SSL negotiation with
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /myvpn?sess=&hdlc_framing=no&ipv4=yes&ipv6=no&Z=/Common/SSL_VPN_Portal
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 19:29, Antonio Petrelli wrote:
>
> On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
> >
> > Since you've already arrived at the "webtop" interface, you've already
> > completed the login process and you already have the credential (the
> > cookie named 'MRHSession') which OpenConnect requires to be able to
> > actually configure and connect to the VPN tunnel.
> >
> > I believe you should be able to simply capture the value of
> > (using the browser dev tools), and then run
> > OpenConnect as follows:
> >
> > openconnect --dump - --prot=f5 \
> > --cookie "MRHSession=" \
> >
> >
> > (Important: do NOT close the browser window before running this
> > command; that may cause it to logoff the session and invalidate the
> > cookie)
> >
> > I'll wager 70% odds that this Just Works. If that doesn't work, then I
> > guess we'll have to figure out what the "token" and
> > "access-session-token" values mean, and how they get used by the f5vpn
> > binary.
>
> Ok I managed to run it but, unfortunately, the result is this one:
>
> $> sudo ./openconnect --dump - --protocol=f5 --cookie
> "MRHSession="
>
> GET
> https:///vdesk/vpn/index.php3?outform=xml&client_version=2.0
> Attempting to connect to server :443
> Connected to :443
> SSL negotiation with
> Matched peer certificate subject name '*.'
> Connected to HTTPS on with ciphersuite
> TLSv1.3-TLS_AES_128_GCM_SHA256
> > GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> > Host:
> > User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> > Cookie: MRHSession=
> >
> Got HTTP response: HTTP/1.0 302 Found
> Server: BigIP
> Cache-Control: no-cache, no-store
> Content-Length: 0
> Location: /my.logout.php3?errorcode=20
> Set-Cookie: LastMRH_Session=;path=/;secure
> Set-Cookie: MRHSession=;path=/;secure
> Connection: close
> HTTP body length: (0)
> EPOLL_CTL_DEL: No such file or directory
> Creating SSL connection failed
> Unknown error; exiting.
>
> -

OMG IT WORKED! It seems that the error before happens sometimes, but it happens anyway sometimes because something is wrong server side.
Wait a bit, ignore the previous email, in the next one I will post another log.

Antonio
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
>
> Since you've already arrived at the "webtop" interface, you've already
> completed the login process and you already have the credential (the
> cookie named 'MRHSession') which OpenConnect requires to be able to
> actually configure and connect to the VPN tunnel.
>
> I believe you should be able to simply capture the value of
> (using the browser dev tools), and then run
> OpenConnect as follows:
>
> openconnect --dump - --prot=f5 \
> --cookie "MRHSession=" \
>
>
> (Important: do NOT close the browser window before running this
> command; that may cause it to logoff the session and invalidate the
> cookie)
>
> I'll wager 70% odds that this Just Works. If that doesn't work, then I
> guess we'll have to figure out what the "token" and
> "access-session-token" values mean, and how they get used by the f5vpn
> binary.

Ok I managed to run it but, unfortunately, the result is this one:

$> sudo ./openconnect --dump - --protocol=f5 --cookie "MRHSession="

GET https:///vdesk/vpn/index.php3?outform=xml&client_version=2.0
Attempting to connect to server :443
Connected to :443
SSL negotiation with
Matched peer certificate subject name '*.'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/index.php3?outform=xml&client_version=2.0 HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=
>
Got HTTP response: HTTP/1.0 302 Found
Server: BigIP
Cache-Control: no-cache, no-store
Content-Length: 0
Location: /my.logout.php3?errorcode=20
Set-Cookie: LastMRH_Session=;path=/;secure
Set-Cookie: MRHSession=;path=/;secure
Connection: close
HTTP body length: (0)
EPOLL_CTL_DEL: No such file or directory
Creating SSL connection failed
Unknown error; exiting.

-
Obviously the web page has been open all the time but, after the command, if I refresh the browser page, I've been logged out.
Notice that I compiled the project only with necessary things.
Let me know what to do from here.
Thanks
Antonio
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 18:48, David Woodhouse wrote:
> There are automatic builds for Fedora (and cross-builds for Windows in MinGW
> RPM packages) at https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/

Too bad, I am using Kubuntu, no problem though, I can still compile it myself.

> Yes, the master branch is correct. Usually git.infradead.org and gitlab are
> in sync but not today.

OK, I suppose that I should use gitlab, right?
Notice that I am not a C developer, but a Java one, so go easy on me :-)
Thanks again
Antonio
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
>
> Since you've already arrived at the "webtop" interface, you've already
> completed the login process and you already have the credential (the
> cookie named 'MRHSession') which OpenConnect requires to be able to
> actually configure and connect to the VPN tunnel.
>
> I believe you should be able to simply capture the value of
> (using the browser dev tools), and then run
> OpenConnect as follows:
>
> openconnect --dump - --prot=f5 \
> --cookie "MRHSession=" \
>
>
> (Important: do NOT close the browser window before running this
> command; that may cause it to logoff the session and invalidate the
> cookie)
>
> I'll wager 70% odds that this Just Works. If that doesn't work, then I
> guess we'll have to figure out what the "token" and
> "access-session-token" values mean, and how they get used by the f5vpn
> binary.

OK thanks, the part that I missed is how to send this cookie.

About testing I have a few questions because the site is confusing to me:
1. Are there any nightly pre-built binaries of the source code?
2. If not, what is the repository, the one at infradead.org or the one at GitLab?
3. What branch should I use, master?

In the meantime I am cloning the GitLab repository at master, since it seems the most updated, but correct me if I am wrong!
I will let you know about the tests, thanks again!
Antonio
Re: Available for support for F5 + MFA
Hello again

From now on, the edited values are between , but the rest is literal.

Ok after login, I land on a page that says "Connect to VPN". Clicking on it this request is sent:

GET /vdesk/get_token_for_sessid.php3 HTTP/1.0
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https:///vdesk/webtop.eui?webtop=/Common/Portal__Webtop&webtop_type=webtop_full
Cookie: LastMRH_Session=<4-bytes-hex-encoded>; TIN=66000; MRHSession=; F5_ST=; F5_fullWT=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

And the response (empty) is:

HTTP/1.0 200 OK
Server: BigIP
Content-Length: 0
X-ACCESS-Session-Token:
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close

Now a resource is going to be opened by f5vpn. The resource is:

f5-vpn://?server=&resourcename=/Common/SSL_VPN_Portal_Import-&resourcetype=network_access&cmd=launch&protocol=https&port=443&sid=&token=&otc=

Notice that the ID of the element that contains the button is:
network_access:/Common/SSL_VPN_Portal_Import-

Notice that the value: for the token parameter in the f5-vpn URL seems to be always the same, however I cannot see where it comes from.

What should I do now? How do I inject those codes in OpenConnect?
Thanks
Antonio
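Added example, not code from this thread or from OpenConnect: a small Python helper that works through the hand-off described in the message above and in the replies earlier on this page. It parses the f5-vpn:// launch URI, checks whether its sid equals the MRHSession cookie the browser sent to get_token_for_sessid.php3 (the comparison Daniel asks for), classifies the first reply OpenConnect gets when it presents only that cookie (the 302 to /my.logout.php3?errorcode=20 with an emptied Set-Cookie: MRHSession= that the failed run shows, versus the 200 text/xml of the working run), and builds the openconnect command line with --protocol=f5 and --cookie. The host name vpn.example.com, the session id, the token value and the header sets are constructed for illustration; the 32-hex-digit format of MRHSession is taken from Daniel's description, and --dump-http-traffic is the full spelling of the --dump option used in the thread.

```python
"""Helpers for the manual F5 APM -> OpenConnect hand-off discussed in this
thread.  Added example, not OpenConnect code; the session id, host name,
token and header sets below are constructed for illustration."""

import re
import shlex
from urllib.parse import parse_qs, urlsplit

# MRHSession is described on the list as a 32-hex-digit value.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_f5_launch_uri(uri):
    """Split the f5-vpn:// URI the webtop hands to the f5vpn helper into a
    dict of its query parameters (server, resourcename, sid, token, otc...).
    Blank values are kept so an empty 'sid' is still reported."""
    parts = urlsplit(uri)
    if parts.scheme != "f5-vpn":
        raise ValueError("not an f5-vpn:// launch URI: %r" % uri)
    query = parse_qs(parts.query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def parse_cookie_header(header_value):
    """Turn a raw 'Cookie:' request-header value into {name: value}.
    Done by hand rather than with http.cookies, whose legal-character check
    rejects values such as '${...}' placeholders or redacted '<...>' text."""
    cookies = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def session_id_report(cookie_header, launch_uri):
    """The check asked for on the list: is the URI's 'sid' the same value as
    the MRHSession cookie sent with get_token_for_sessid.php3?"""
    cookies = parse_cookie_header(cookie_header)
    params = parse_f5_launch_uri(launch_uri)
    mrh = cookies.get("MRHSession", "")
    sid = params.get("sid", "")
    return {
        "mrhsession": mrh,
        "sid": sid,
        "mrhsession_is_32_hex": bool(HEX32.match(mrh)),
        "sid_matches_cookie": bool(mrh) and mrh == sid,
    }


def header_values(headers, name):
    """All values of one header, case-insensitively; Set-Cookie may repeat."""
    return [v for n, v in headers if n.lower() == name.lower()]


def classify_vpn_response(status_line, headers):
    """Interpret the reply to GET /vdesk/vpn/index.php3?outform=xml... sent
    with only the MRHSession cookie.  A 302 to the logout page that also
    empties the cookie means APM dropped the session (the failed run on this
    page); a 200 with text/xml means the session is still usable."""
    status = int(status_line.split()[1])
    locations = header_values(headers, "Location")
    cookie_emptied = any(v.split(";")[0].strip() == "MRHSession="
                         for v in header_values(headers, "Set-Cookie"))
    if status == 302 and (cookie_emptied or any("logout" in l for l in locations)):
        return "session_invalidated"
    ctype = header_values(headers, "Content-Type")
    if status == 200 and ctype and ctype[0].startswith("text/xml"):
        return "session_ok"
    return "unexpected"


def openconnect_argv(server, mrhsession, dump_http=True):
    """argv for the command suggested in the thread.  Refuse anything that
    is not a 32-hex-digit session id so a redacted or empty cookie is never
    sent to the gateway."""
    if not HEX32.match(mrhsession):
        raise ValueError("MRHSession must be 32 hex digits")
    argv = ["openconnect", "--protocol=f5"]
    if dump_http:
        argv.append("--dump-http-traffic")
    argv += ["--cookie", "MRHSession=%s" % mrhsession, server]
    return argv


# Constructed sample data, modelled on the redacted captures in the thread.
SAMPLE_SESSION = "0123456789abcdef0123456789abcdef"
SAMPLE_COOKIE_HEADER = ("LastMRH_Session=89abcdef; TIN=66000; MRHSession=%s; "
                        "F5_ST=x; F5_fullWT=1" % SAMPLE_SESSION)
SAMPLE_LAUNCH_URI = ("f5-vpn://?server=vpn.example.com"
                     "&resourcename=/Common/SSL_VPN_Portal_Import-_NA"
                     "&resourcetype=network_access&cmd=launch&protocol=https"
                     "&port=443&sid=%s&token=constructed-token&otc=" % SAMPLE_SESSION)
LOGOUT_RESPONSE = ("HTTP/1.0 302 Found", [
    ("Server", "BigIP"), ("Cache-Control", "no-cache, no-store"),
    ("Content-Length", "0"), ("Location", "/my.logout.php3?errorcode=20"),
    ("Set-Cookie", "LastMRH_Session=;path=/;secure"),
    ("Set-Cookie", "MRHSession=;path=/;secure"), ("Connection", "close")])
OK_RESPONSE = ("HTTP/1.1 200 OK", [
    ("Server", "BigIP"), ("Content-Type", "text/xml; charset=utf-8"),
    ("Content-Length", "334"), ("X-Frame-Options", "DENY"),
    ("Cache-Control", "no-store")])

if __name__ == "__main__":
    print(session_id_report(SAMPLE_COOKIE_HEADER, SAMPLE_LAUNCH_URI))
    print(classify_vpn_response(*LOGOUT_RESPONSE))
    print(classify_vpn_response(*OK_RESPONSE))
    print(" ".join(shlex.quote(a) for a in openconnect_argv("vpn.example.com", SAMPLE_SESSION)))
```

The classifier is the part worth keeping around: when the gateway answers the cookie-only request with the logout redirect, the browser session is already gone as well (the thread reports being logged out after the attempt), so there is no point retrying with the same cookie; a fresh browser login is needed.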
Available for support for F5 + MFA
Hello

At my firm we are using F5 and MFA from Microsoft.
I noticed in the website that, in case I have a different authentication than username+password, it would be nice to contact you to add support for a different authentication mechanism.
So here am I, feel free to contact me and I will try to assist you in adding support.
Thanks for your hard work!
Antonio Petrelli