Re: Available for support for F5 + MFA
Hello, sorry but I've been on holidays, so I apologize for my slow response too :-D

On Wed, 11 Aug 2021 at 02:42, Daniel Lenski wrote:
> f5-vpn://?server==/Common/SSL_VPN_Portal_Import-=network_access=launch=https=443===
>
> Can you confirm that the value of the 'sid' field in the f5-vpn:// URI
> precisely matches the value of the MRHSession cookie sent in the
> get_token_for_sessid.php3 request seen in the browser login? My
> expectation is YES, they should be identical. SID appears to be one of
> the many names used inconsistently for this 32-hex-digit value.

No, the sid value is literally , this is pretty strange...

> > What to do now?
>
> Do a MITM capture of the f5vpn binary, and figure out what request(s)
> it sends involving the access-session-token value.

I managed to do it on 5th August, but then I went on holidays, so here you can see the conversation log I managed to take:
https://pastebin.com/BpKWJDfL

The cool thing is that some of the parameters that are sent to f5vpn via the f5-vpn://... URL seem not to be used, such as "sid".
I have some doubts about the ${f5stNotSetAnywhere} cookie, since it seems not to be set anywhere...

Let me know your thoughts.

Thanks
Antonio

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Available for support for F5 + MFA
On Wed, Aug 4, 2021 at 10:57 AM Antonio Petrelli wrote:
>
> On Wed, 4 Aug 2021 at 19:40, Antonio Petrelli wrote:
> >
> > OMG IT WORKED! It seems that the error before happens sometimes, but
> > it happens anyway sometimes because something is wrong server side.
> > Wait a bit, ignore the previous email, in the next one I will post another
> > log.
>
> I have good news and bad news.
> The good news is that I managed to make it work.
> The bad news is that it works only if I connect via original f5vpn,
> disconnect, then launch openconnect.

That's interesting.

> Probably the culprit is the access token.

My guess is that when the f5vpn executable launches, it sends additional request(s) to the server to somehow activate/enable the MRHSession cookie to be used for the VPN tunnel…

> GET /vdesk/get_token_for_sessid.php3 HTTP/1.0
> ... bunch of other headers ...
> Cookie: LastMRH_Session=<4-bytes-hex-encoded>; TIN=66000;
> MRHSession=; F5_ST=; F5_fullWT=1
>
> Now a resource is going to be opened by f5vpn. The resource is:
> f5-vpn://?server==/Common/SSL_VPN_Portal_Import-=network_access=launch=https=443===

Can you confirm that the value of the 'sid' field in the f5-vpn:// URI precisely matches the value of the MRHSession cookie sent in the get_token_for_sessid.php3 request seen in the browser login? My expectation is YES, they should be identical. SID appears to be one of the many names used inconsistently for this 32-hex-digit value.

> What to do now?

Do a MITM capture of the f5vpn binary, and figure out what request(s) it sends involving the access-session-token value.

> So here's the log, I hope I edited all the needed things :-D

Looks good. For what it's worth, this log doesn't appear to reveal anything that we don't already understand. The part that we don't understand apparently *precedes* the requests and responses shown in the log.

Thanks for working through this, and sorry for the slow response!

Dan
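The check Dan asks for in the message above, as an added example that is not code from the thread or from OpenConnect: it parses the query string of the f5-vpn:// launch URI and the browser's Cookie header, then reports whether sid equals MRHSession and whether each is the 32-hex-digit value described. The sample URI and cookie values are constructed, and every parameter name other than server, sid, token and access-session-token is an assumption.

```python
"""Check that the 'sid' of an f5-vpn:// launch URI matches the MRHSession
cookie from the browser's get_token_for_sessid.php3 request.
Added example; not code from OpenConnect or from the thread. Parameter
names other than server, sid, token and access-session-token are
assumptions, and every sample value below is constructed."""
import re
from urllib.parse import parse_qs

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")  # the 32-hex-digit session id

# Constructed sample values (not real session material).
SESSION_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_URI = (
    "f5-vpn://?server=vpn.example.com"
    "&resourcename=/Common/SSL_VPN_Portal_Import-_NA"   # assumed name
    "&resourcetype=network_access&action=launch"        # assumed names
    "&protocol=https&port=443"                          # assumed names
    f"&sid={SESSION_ID}&token=constructed-token-value"
    "&access-session-token=constructed-access-token"
)
SAMPLE_COOKIE_HEADER = (
    "LastMRH_Session=0a0b0c0d; TIN=66000; "
    f"MRHSession={SESSION_ID}; F5_ST=constructed; F5_fullWT=1"
)


def parse_f5vpn_uri(uri: str) -> dict:
    """Return the query parameters of an f5-vpn:// URI as a flat dict.
    The query is split off manually rather than via urlsplit so the
    non-standard scheme cannot confuse the parse."""
    if not uri.startswith("f5-vpn://"):
        raise ValueError("not an f5-vpn:// URI")
    query = uri.split("?", 1)[1] if "?" in uri else ""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_cookie_header(header: str) -> dict:
    """Split a request Cookie header into name -> value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def compare_sid_to_session(uri: str, cookie_header: str) -> dict:
    """Report whether sid == MRHSession and whether each looks like the
    32-hex-digit value; also surface the other token parameters so a
    later MITM capture can be checked against them."""
    params = parse_f5vpn_uri(uri)
    cookies = parse_cookie_header(cookie_header)
    sid = params.get("sid", "")
    mrh = cookies.get("MRHSession", "")
    return {
        "sid": sid,
        "mrhsession": mrh,
        "match": bool(sid) and sid == mrh,
        "sid_is_hex32": HEX32.match(sid) is not None,
        "mrh_is_hex32": HEX32.match(mrh) is not None,
        "extra_tokens": {k: params[k] for k in ("token", "access-session-token") if k in params},
    }


if __name__ == "__main__":
    print(compare_sid_to_session(SAMPLE_URI, SAMPLE_COOKIE_HEADER))
```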
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 19:40, Antonio Petrelli wrote:
> OMG IT WORKED! It seems that the error before happens sometimes, but
> it happens anyway sometimes because something is wrong server side.
> Wait a bit, ignore the previous email, in the next one I will post another
> log.

I have good news and bad news.
The good news is that I managed to make it work.
The bad news is that it works only if I connect via original f5vpn, disconnect, then launch openconnect.
Probably the culprit is the access token.

What to do now?

So here's the log, I hope I edited all the needed things :-D

Thanks
Antonio

-
GET https:///vdesk/vpn/index.php3?outform=xml_version=2.0
Attempting to connect to server 77.241.209.42:443
Connected to 77.241.209.42:443
SSL negotiation with
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/index.php3?outform=xml_version=2.0 HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/xml; charset=utf-8
Accept-Ranges: bytes
Connection: close
Date: Wed, 04 Aug 2021 17:40:13 GMT
Age: 173
Content-Length:334
X-Frame-Options: DENY
Cache-Control: no-store
HTTP body length: (334)
EPOLL_CTL_DEL: File o directory non esistente
< < < < SSL_VPN_Portal_Import-_NA
< /Common/SSL_VPN_Portal_Import-_NA
< resourcename=/Common/SSL_VPN_Portal_Import-_NA
< <
Got profile parameters 'resourcename=/Common/SSL_VPN_Portal_Import-_NA'
GET https:///vdesk/vpn/connect.php3?resourcename=/Common/SSL_VPN_Portal_Import-_NA=xml_version=2.0
SSL negotiation with
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET
> /vdesk/vpn/connect.php3?resourcename=/Common/SSL_VPN_Portal_Import-_NA=xml_version=2.0
> HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=
>
Got HTTP response: HTTP/1.1 200 OK
Server: BigIP
Content-Type: text/html; charset=ISO-8859-1
Accept-Ranges: bytes
Connection: close
Date: Wed, 04 Aug 2021 17:40:13 GMT
Age:5409
Content-Length: 5728
X-Frame-Options: DENY
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Cache-Control: no-store
HTTP body length: (5728)
EPOLL_CTL_DEL: File o directory non esistente
< < < https:///vdesk/webtop/index.html?S=
< CLSID:E0FF21FA-B857-45C5-8621-F120A0C17FF2
< https:///public/download/urxhost.cab#version=7213,2021,527,649
< CLSID:6C275925-A1ED-4DD2-9CEE-9823F5FDAA10
< https:///public/download/f5tunsrv.cab#version=7213,2021,527,649
< CLSID:2BCDB465-81F9-41CB-832C-8037A4064446
< https:///public/download/urxvpn.cab#version=7213,2021,527,649
< CLSID:6C275925-A1ED-4DD2-9CEE-9823F5FDAA10
< https:///public/download/f5tunsrv.cab#version=7213,2021,527,649
< https:///public/download/f5fltsrv.cab#version=7213,2021,527,649
< service:F5FltSrv
< https:///public/download/utunres.cab#2003,6,4,1
< < < /Common/SSL_VPN_Portal_Import-_NA
< /Common/SSL_VPN_Portal_Import-_NA
< 127.0.0.1
< 4
< VPN
< auto
< < 443
< https
< 900
< /Common/SSL_VPN_Portal_Import-_NA
< 1
< 0
< 1
< 4433
< < < < < 1 < 1 < 1 < < < < < < < 1 < 0 < 1 < < < no < reconnect_to_domain < < 1 < 1 < ON < < < < no < < TRUE < -1 < no < yes < 90 < 200 < < 0 < 1 < < NO < yes < no < YES < 1 < 1 < < < < < < < < < < < < <
Idle timeout is 15 minutes
Got DNS server
Got search domain italy.itroot.adnet
Got SplitTunneling0 value of 1
Got split include route ...
DTLS is enabled on port 4433
Got ipv4 1 ipv6 0 hdlc 0 ur_Z '/Common/SSL_VPN_Portal_Import-_NA'
UDP SO_SNDBUF: 3
DTLS handshake failed: 1
139969204090688:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1112:
Set up UDP failed; using SSL instead
Delaying tunnel with reason: PPP negotiation
SSL negotiation with
Matched peer certificate subject name '*.eng.it'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET
> /myvpn?sess=_framing=no=yes=no=/Common/SSL_VPN_Portal_Import-_NA=YW50b25pby1ONTNTVg==
> HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
>
Got HTTP response: HTTP/1.0 200 OK
Content-length: 0
X-VPN-client-IP:
Got Legacy IP address
X-VPN-server-IP: 1.1.1.1
TCP_INFO rcv mss 1436, snd mss 1448, adv mss 1448, pmtu 1500
Using base_mtu of 1500
After removing TCP/IPv4 headers, MTU of 1448
After removing protocol specific overhead (10 unpadded, 0 padded, 1 blocksize), MTU of 1438
Requesting calculated MTU of 1438
Sending our LCP/id 1
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 19:29, Antonio Petrelli wrote:
>
> On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
> > > me-origin
> >
> > Since you've already arrived at the "webtop" interface, you've already
> > completed the login process and you already have the credential (the
> > cookie named 'MRHSession') which OpenConnect requires to be able to
> > actually configure and connect to the VPN tunnel.
> >
> > I believe you should be able to simply capture the value of
> > (using the browser dev tools), and then run
> > OpenConnect as follows:
> >
> > openconnect --dump - --prot=f5 \
> > --cookie "MRHSession=" \
> >
> >
> > (Important: do NOT close the browser window before running this
> > command; that may cause it to logoff the session and invalidate the
> > cookie)
> >
> > I'll wager 70% odds that this Just Works. If that doesn't work, then I
> > guess we'll have to figure out what the "token" and
> > "access-session-token" values mean, and how they get used by the f5vpn
> > binary.
>
> Ok I managed to run it but, unfortunately, the result is this one:
>
> $> sudo ./openconnect --dump - --protocol=f5 --cookie
> "MRHSession="
> GET
> https:///vdesk/vpn/index.php3?outform=xml_version=2.0
> Attempting to connect to server :443
> Connected to :443
> SSL negotiation with
> Matched peer certificate subject name '*.'
> Connected to HTTPS on with ciphersuite
> TLSv1.3-TLS_AES_128_GCM_SHA256
> > GET /vdesk/vpn/index.php3?outform=xml_version=2.0 HTTP/1.1
> > Host:
> > User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> > Cookie: MRHSession=
> >
> Got HTTP response: HTTP/1.0 302 Found
> Server: BigIP
> Cache-Control: no-cache, no-store
> Content-Length: 0
> Location: /my.logout.php3?errorcode=20
> Set-Cookie: LastMRH_Session=;path=/;secure
> Set-Cookie: MRHSession=;path=/;secure
> Connection: close
> HTTP body length: (0)
> EPOLL_CTL_DEL: File o directory non esistente
> Creating SSL connection failed
> Unknown error; exiting.
>
> -

OMG IT WORKED! It seems that the error before happens sometimes, but it happens anyway sometimes because something is wrong server side.
Wait a bit, ignore the previous email, in the next one I will post another log.

Antonio
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
> > me-origin
>
> Since you've already arrived at the "webtop" interface, you've already
> completed the login process and you already have the credential (the
> cookie named 'MRHSession') which OpenConnect requires to be able to
> actually configure and connect to the VPN tunnel.
>
> I believe you should be able to simply capture the value of
> (using the browser dev tools), and then run
> OpenConnect as follows:
>
> openconnect --dump - --prot=f5 \
> --cookie "MRHSession=" \
>
>
> (Important: do NOT close the browser window before running this
> command; that may cause it to logoff the session and invalidate the
> cookie)
>
> I'll wager 70% odds that this Just Works. If that doesn't work, then I
> guess we'll have to figure out what the "token" and
> "access-session-token" values mean, and how they get used by the f5vpn
> binary.

Ok I managed to run it but, unfortunately, the result is this one:

$> sudo ./openconnect --dump - --protocol=f5 --cookie "MRHSession="
GET https:///vdesk/vpn/index.php3?outform=xml_version=2.0
Attempting to connect to server :443
Connected to :443
SSL negotiation with
Matched peer certificate subject name '*.'
Connected to HTTPS on with ciphersuite TLSv1.3-TLS_AES_128_GCM_SHA256
> GET /vdesk/vpn/index.php3?outform=xml_version=2.0 HTTP/1.1
> Host:
> User-Agent: Open AnyConnect VPN Agent v8.10-632-gc7403272
> Cookie: MRHSession=
>
Got HTTP response: HTTP/1.0 302 Found
Server: BigIP
Cache-Control: no-cache, no-store
Content-Length: 0
Location: /my.logout.php3?errorcode=20
Set-Cookie: LastMRH_Session=;path=/;secure
Set-Cookie: MRHSession=;path=/;secure
Connection: close
HTTP body length: (0)
EPOLL_CTL_DEL: File o directory non esistente
Creating SSL connection failed
Unknown error; exiting.
-

Obviously the web page has been open all the time but, after the command, if I refresh the browser page, I've been logged out.
Notice that I compiled the project only with necessary things.

Let me know what to do from here.

Thanks
Antonio
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 18:48, David Woodhouse wrote:
> There are automatic builds for Fedora (and cross-builds for Windows in MinGW
> RPM packages) at https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/

Too bad, I am using Kubuntu, no problem though, I can still compile it myself.

> Yes, the master branch is correct. Usually git.infradead.org and gitlab are
> in sync but not today.

OK, I suppose that I should use gitlab, right?
Notice that I am not a C developer, but a Java one, so go easy on me :-)

Thanks again
Antonio
Re: Available for support for F5 + MFA
On 4 August 2021 17:44:07 BST, Antonio Petrelli wrote:
>On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
>>
>> Since you've already arrived at the "webtop" interface, you've already
>> completed the login process and you already have the credential (the
>> cookie named 'MRHSession') which OpenConnect requires to be able to
>> actually configure and connect to the VPN tunnel.
>>
>> I believe you should be able to simply capture the value of
>> (using the browser dev tools), and then run
>> OpenConnect as follows:
>>
>> openconnect --dump - --prot=f5 \
>> --cookie "MRHSession=" \
>>
>>
>> (Important: do NOT close the browser window before running this
>> command; that may cause it to logoff the session and invalidate the
>> cookie)
>>
>> I'll wager 70% odds that this Just Works. If that doesn't work, then I
>> guess we'll have to figure out what the "token" and
>> "access-session-token" values mean, and how they get used by the f5vpn
>> binary.
>
>OK thanks, the part that I missed is how to send this cookie.
>About testing I have a few questions because the site is confusing to me:
>1. Are there any nightly pre-built binaries of the source code?
>2. If not, what is the repository, the one at infradead.org or the one
>at GitLab?
>3. What branch should I use, master?
>
>In the meantime I am cloning the GitLab repository at master, since it
>seems the most updated, but correct me if I am wrong!
>
>I will let you know about the tests, thanks again!

There are automatic builds for Fedora (and cross-builds for Windows in MinGW RPM packages) at https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/

Yes, the master branch is correct. Usually git.infradead.org and gitlab are in sync but not today.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: Available for support for F5 + MFA
On Wed, 4 Aug 2021 at 18:08, Daniel Lenski wrote:
>
> Since you've already arrived at the "webtop" interface, you've already
> completed the login process and you already have the credential (the
> cookie named 'MRHSession') which OpenConnect requires to be able to
> actually configure and connect to the VPN tunnel.
>
> I believe you should be able to simply capture the value of
> (using the browser dev tools), and then run
> OpenConnect as follows:
>
> openconnect --dump - --prot=f5 \
> --cookie "MRHSession=" \
>
>
> (Important: do NOT close the browser window before running this
> command; that may cause it to logoff the session and invalidate the
> cookie)
>
> I'll wager 70% odds that this Just Works. If that doesn't work, then I
> guess we'll have to figure out what the "token" and
> "access-session-token" values mean, and how they get used by the f5vpn
> binary.

OK thanks, the part that I missed is how to send this cookie.
About testing I have a few questions because the site is confusing to me:
1. Are there any nightly pre-built binaries of the source code?
2. If not, what is the repository, the one at infradead.org or the one at GitLab?
3. What branch should I use, master?

In the meantime I am cloning the GitLab repository at master, since it seems the most updated, but correct me if I am wrong!

I will let you know about the tests, thanks again!

Antonio
Re: Available for support for F5 + MFA
On Tue, Aug 3, 2021 at 9:08 AM Antonio Petrelli wrote:
>
> Hello again
> From now on, the edited values are between , but the
> rest is literal.
> Ok after login, I land on a page that says "Connect to VPN".
>
> Clicking on it this request is sent:
>
> GET /vdesk/get_token_for_sessid.php3 HTTP/1.0
> Host:
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0)
> Gecko/20100101 Firefox/90.0
> Accept: */*
> Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate, br
> DNT: 1
> Connection: keep-alive
> Referer:
> https:///vdesk/webtop.eui?webtop=/Common/Portal__Webtop_type=webtop_full
> Cookie: LastMRH_Session=<4-bytes-hex-encoded>; TIN=66000;
> MRHSession=; F5_ST=; F5_fullWT=1
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: same-origin

Since you've already arrived at the "webtop" interface, you've already completed the login process and you already have the credential (the cookie named 'MRHSession') which OpenConnect requires to be able to actually configure and connect to the VPN tunnel.

I believe you should be able to simply capture the value of (using the browser dev tools), and then run OpenConnect as follows:

openconnect --dump - --prot=f5 \
--cookie "MRHSession=" \

(Important: do NOT close the browser window before running this command; that may cause it to logoff the session and invalidate the cookie)

I'll wager 70% odds that this Just Works. If that doesn't work, then I guess we'll have to figure out what the "token" and "access-session-token" values mean, and how they get used by the f5vpn binary.

Dan
Re: Available for support for F5 + MFA
Hello again
From now on, the edited values are between , but the rest is literal.
Ok after login, I land on a page that says "Connect to VPN".

Clicking on it this request is sent:

GET /vdesk/get_token_for_sessid.php3 HTTP/1.0
Host:
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: https:///vdesk/webtop.eui?webtop=/Common/Portal__Webtop_type=webtop_full
Cookie: LastMRH_Session=<4-bytes-hex-encoded>; TIN=66000; MRHSession=; F5_ST=; F5_fullWT=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

And the response (empty) is:

HTTP/1.0 200 OK
Server: BigIP
Content-Length: 0
X-ACCESS-Session-Token:
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close

Now a resource is going to be opened by f5vpn. The resource is:
f5-vpn://?server==/Common/SSL_VPN_Portal_Import-=network_access=launch=https=443===

Notice that the ID of the element that contains the button is:
network_access:/Common/SSL_VPN_Portal_Import-

Notice that the value: for the token parameter in the f5-vpn URL seems to be always the same, however I cannot see where it comes from.

What should I do now? How do I inject those codes in OpenConnect?

Thanks
Antonio
Re: Available for support for F5 + MFA
On Tue, Aug 3, 2021 at 1:22 AM Antonio Petrelli wrote:
> Hello
> At my firm we are using F5 and MFA from Microsoft. I noticed in the
> website that, in case I have a different authentication than
> username+password, it would be nice to contact you to add support for
> a different authentication mechanism.

Thanks! I suspect that this probably involves some kind of handoff mechanism like SAML, as we already know of for the GlobalProtect and AnyConnect protocols.

> So here am I, feel free to contact me and I will try to assist you in
> adding support.

Can you successfully login by visiting the login page in a browser, then capturing whatever tokens result from it, and injecting those into OpenConnect? (whether in the form of a surrogate one-time-use password, or perhaps an MRHSession cookie)

If so, writing an external authentication wrapper script modeled on https://github.com/dlenski/smxlogin would be a good place to start here.

Dan
Available for support for F5 + MFA
Hello
At my firm we are using F5 and MFA from Microsoft. I noticed in the website that, in case I have a different authentication than username+password, it would be nice to contact you to add support for a different authentication mechanism.
So here am I, feel free to contact me and I will try to assist you in adding support.

Thanks for your hard work!
Antonio Petrelli