Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-05-08 Thread Ralph Schmieder
Hi Dan. Thanks for picking this up and improving it. I'm all in favor of adding 
these configuration options. Those who don't need them are fine with the 
defaults and don't care. And those who might run into a VPN headend which 
otherwise would deny access will appreciate having the option.

Thanks,
-ralph 


> On May 5, 2020, at 19:50, Daniel Lenski  wrote:
> 
> Ralph,
> You may be interested in
> https://gitlab.com/openconnect/openconnect/-/merge_requests/103
> 
> I'm proposing this as a more general-purpose replacement for the
> `openconnect_set_mobile_info` API function that you created a while
> back, to accommodate various little bits of host- and VPN-specific
> identifying information in a more flexible and maintainable way.
> 
> -Dan
> 
> 
> On Sat, Apr 25, 2020 at 5:24 PM Daniel Lenski  wrote:
>> 
>> On Thu, Apr 23, 2020, 10:27 PM Ralph Schmieder
>>  wrote:
>>> 
>>> Because there’s always IT departments in large corporations who have silly 
>>> (in the eye of the beholder) rules and work-inhibiting standards and 
>>> policies.
>>> 
>>> Say: can’t do split tunneling. Must use client X. Must run on THIS 
>>> hardware. There is no argument allowed. Either take it or leave it. So some 
>>> people will get creative.
>> 
>> Oh definitely. I butted heads with a number of them while I was a
>> consultant in 2015-20. That's pretty much how I got involved with
>> OpenConnect in the first place: out of necessity and frustration.
>> 
>> I can't say that I ever ran into a VPN which refused to work if I
>> didn't spoof the exact device ID of another computer though. Ugh.
>> 
>> Dan


___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel


Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-05-05 Thread Daniel Lenski
Ralph,
You may be interested in
https://gitlab.com/openconnect/openconnect/-/merge_requests/103

I'm proposing this as a more general-purpose replacement for the
`openconnect_set_mobile_info` API function that you created a while
back, to accommodate various little bits of host- and VPN-specific
identifying information in a more flexible and maintainable way.

-Dan


On Sat, Apr 25, 2020 at 5:24 PM Daniel Lenski  wrote:
>
> On Thu, Apr 23, 2020, 10:27 PM Ralph Schmieder
>  wrote:
> >
> > Because there’s always IT departments in large corporations who have silly 
> > (in the eye of the beholder) rules and work-inhibiting standards and 
> > policies.
> >
> > Say: can’t do split tunneling. Must use client X. Must run on THIS 
> > hardware. There is no argument allowed. Either take it or leave it. So some 
> > people will get creative.
>
> Oh definitely. I butted heads with a number of them while I was a
> consultant in 2015-20. That's pretty much how I got involved with
> OpenConnect in the first place: out of necessity and frustration.
>
> I can't say that I ever ran into a VPN which refused to work if I
> didn't spoof the exact device ID of another computer though. Ugh.
>
> Dan



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-25 Thread Daniel Lenski
On Thu, Apr 23, 2020, 10:27 PM Ralph Schmieder
 wrote:
>
> Because there’s always IT departments in large corporations who have silly 
> (in the eye of the beholder) rules and work-inhibiting standards and policies.
>
> Say: can’t do split tunneling. Must use client X. Must run on THIS hardware. 
> There is no argument allowed. Either take it or leave it. So some people will 
> get creative.

Oh definitely. I butted heads with a number of them while I was a
consultant in 2015-20. That's pretty much how I got involved with
OpenConnect in the first place: out of necessity and frustration.

I can't say that I ever ran into a VPN which refused to work if I
didn't spoof the exact device ID of another computer though. Ugh.

Dan



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-23 Thread Ralph Schmieder
Because there’s always IT departments in large corporations who have silly (in 
the eye of the beholder) rules and work-inhibiting standards and policies. 

Say: can’t do split tunneling. Must use client X. Must run on THIS hardware. 
There is no argument allowed. Either take it or leave it. So some people will 
get creative.

Ralph

Sent from my iPhone

> On Apr 23, 2020, at 19:44, Daniel Lenski  wrote:
> 
> On Thu, Apr 23, 2020 at 10:29 AM yesi  wrote:
>> The aim is to use OpenConnect and to disguise the Linux as a Windows Client.
> 
> Why? What is the point of disguising this client as another one?
> Does the VPN actually *prevent* you from connecting unless you spoof
> another device? Do the administrators yell at you if they see you are
> using an “unauthorized” client?
> 
> I don't fully understand why users want to do this.
> 
> From the point of view of developing OpenConnect and getting it to
> work with as many VPNs as possible, we want VPN admins to *see* that
> many of their users are using OpenConnect, and to understand that they
> need to take it seriously and test that it is supported as a client.
> Indistinguishably spoofing the official clients doesn't help this.
> 
>> So, I applied the patch from Ralph with the Git clone repo (SHA of the last
>> commit: 52bf0e97c8f6de9e057562a83e645075ffb98c2e) and I changed:
>> - the conditional option from --os=linux-64 to --os=win
>> - I gave the parameters by hand in env.sh: OC_DEVICE_TYPE,
>> OC_PLATFORM_VERSION, OC_MAC_ADDRESS
>>
>> for the ASA attributes:
>> Session Attribute endpoint.anyconnect.devicetype
>> Session Attribute endpoint.anyconnect.platformversion
>> Session Attribute endpoint.anyconnect.deviceuniqueid
>> Session Attribute endpoint.anyconnect.macaddress["0"]
>> Session Attribute endpoint.anyconnect.publicmacaddress
>>
>> Here are the options given to the CLI: --os=win --local-hostname
>> --useragent --version-string
>>
>> But I got an error after connecting:
>> "unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date"
>> Then I lost my connection to a local server.
>> 
>> But, the patch does work fine.
>> It would be nice to add it. :)
> 
> I would propose that we add a CLI option, something like
> `--local-attributes` (to go along with `--local-hostname`):
> 
> - For AnyConnect, you could set, say "--local-attributes
> devicetype=FOO,platformversion=BAR,deviceuniqueid=BLAHBLAHBLAH"
> - For Juniper/Pulse, you could set "--local-attributes deviceid=BLAH"
> - For GP, you could set "--local-attributes hostid=BLAHBLAHBLAHBLAH"
> 
> … and we'd parse these into lists, and inject them into whatever bits
> of protocol-specific junk and Trojans demand them. David, I can code
> this up if it looks reasonable to you.
> 
> Dan



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-23 Thread Daniel Lenski
On Thu, Apr 23, 2020 at 11:21 AM yesi  wrote:
> It advises to use AnyConnect on a Windows client to have support.

I don't understand.

> But I prefer Linux.

It's good for your administrators to know that you're using
OpenConnect on Linux, so that they'll make an effort to support it…
right?

If we pretend that you're using AnyConnect on Windows, and then the
connection fails because of some subtle difference in OpenConnect's
behavior, and this shows up in the logs… then your VPN's
administrators will try to test with AnyConnect on Windows (since that
appears to be what you're using) and they will find no problem… and
give up… and no one will have any useful information to try to fix the
problem.

If they can *see* that you're using OpenConnect, that there's a
failure… ideally they'll realize that they have clients using
OpenConnect and will try to support them.

Spoofing another client should, in my opinion, only be a last resort
for when your VPN absolutely prevents you from connecting unless you
spoof that client, and your VPN's administrators won't do anything to
fix the situation.

-Dan



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-23 Thread yesi

On 4/23/20 7:43 PM, Daniel Lenski wrote:

> On Thu, Apr 23, 2020 at 10:29 AM yesi wrote:
>
>> The aim is to use OpenConnect and to disguise the Linux as a Windows Client.
>
> Why? What is the point of disguising this client as another one?
> Does the VPN actually *prevent* you from connecting unless you spoof
> another device? Do the administrators yell at you if they see you are
> using an “unauthorized” client?
>
> I don't fully understand why users want to do this.
>
> From the point of view of developing OpenConnect and getting it to
> work with as many VPNs as possible, we want VPN admins to *see* that
> many of their users are using OpenConnect, and to understand that they
> need to take it seriously and test that it is supported as a client.
> Indistinguishably spoofing the official clients doesn't help this.


It advises to use AnyConnect on a Windows client to have support.
But I prefer Linux.

I understand your point of view.

Peace.



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-23 Thread Daniel Lenski
On Thu, Apr 23, 2020 at 10:29 AM yesi  wrote:
> The aim is to use OpenConnect and to disguise the Linux as a Windows Client.

Why? What is the point of disguising this client as another one?
Does the VPN actually *prevent* you from connecting unless you spoof
another device? Do the administrators yell at you if they see you are
using an “unauthorized” client?

I don't fully understand why users want to do this.

From the point of view of developing OpenConnect and getting it to
work with as many VPNs as possible, we want VPN admins to *see* that
many of their users are using OpenConnect, and to understand that they
need to take it seriously and test that it is supported as a client.
Indistinguishably spoofing the official clients doesn't help this.

> So, I applied the patch from Ralph with the Git clone repo (SHA of the last
> commit: 52bf0e97c8f6de9e057562a83e645075ffb98c2e) and I changed:
> - the conditional option from --os=linux-64 to --os=win
> - I gave the parameters by hand in env.sh: OC_DEVICE_TYPE,
> OC_PLATFORM_VERSION, OC_MAC_ADDRESS
>
> for the ASA attributes:
> Session Attribute endpoint.anyconnect.devicetype
> Session Attribute endpoint.anyconnect.platformversion
> Session Attribute endpoint.anyconnect.deviceuniqueid
> Session Attribute endpoint.anyconnect.macaddress["0"]
> Session Attribute endpoint.anyconnect.publicmacaddress
>
> Here are the options given to the CLI: --os=win --local-hostname
> --useragent --version-string
>
> But I got an error after connecting:
> "unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date"
> Then I lost my connection to a local server.
>
> But, the patch does work fine.
> It would be nice to add it. :)

I would propose that we add a CLI option, something like
`--local-attributes` (to go along with `--local-hostname`):

- For AnyConnect, you could set, say "--local-attributes
devicetype=FOO,platformversion=BAR,deviceuniqueid=BLAHBLAHBLAH"
- For Juniper/Pulse, you could set "--local-attributes deviceid=BLAH"
- For GP, you could set "--local-attributes hostid=BLAHBLAHBLAHBLAH"

… and we'd parse these into lists, and inject them into whatever bits
of protocol-specific junk and Trojans demand them. David, I can code
this up if it looks reasonable to you.

Dan



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-23 Thread yesi

On 4/17/20 7:45 PM, yesi wrote:


> On 4/17/20 6:11 PM, David Woodhouse wrote:
>
>> I think you can set at least the unique ID with the
>> openconnect_set_mobile_info() function, which isn't exposed on the
>> command line. Do you want to try using that and let us know if it does
>> what you expect?
>>
>> There was a patch at
>> http://lists.infradead.org/pipermail/openconnect-devel/2016-July/003808.html
>> which attempted to add support for it for non-mobile platforms but it
>> needed a little more work. We should probably revisit that.


Hi,

Finally, I've given it a try with success.

The aim is to use OpenConnect and to disguise the Linux as a Windows Client.
So, I applied the patch from Ralph with the Git clone repo (SHA of the last
commit: 52bf0e97c8f6de9e057562a83e645075ffb98c2e) and I changed:

- the conditional option from --os=linux-64 to --os=win
- I gave the parameters by hand in env.sh: OC_DEVICE_TYPE,
OC_PLATFORM_VERSION, OC_MAC_ADDRESS


for the ASA attributes:
Session Attribute endpoint.anyconnect.devicetype
Session Attribute endpoint.anyconnect.platformversion
Session Attribute endpoint.anyconnect.deviceuniqueid
Session Attribute endpoint.anyconnect.macaddress["0"]
Session Attribute endpoint.anyconnect.publicmacaddress

Here are the options given to the CLI: --os=win --local-hostname
--useragent --version-string


But I got an error after connecting:
"unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date"
Then I lost my connection to a local server.

But, the patch does work fine.
It would be nice to add it. :)

Peace.




Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-17 Thread yesi



On 4/17/20 6:11 PM, David Woodhouse wrote:

> I think you can set at least the unique ID with the
> openconnect_set_mobile_info() function, which isn't exposed on the
> command line. Do you want to try using that and let us know if it does
> what you expect?
>
> There was a patch at
> http://lists.infradead.org/pipermail/openconnect-devel/2016-July/003808.html
> which attempted to add support for it for non-mobile platforms but it
> needed a little more work. We should probably revisit that.
>
>
> I note modern AnyConnect also sends a 'unique-id-global' as well as the
> 'unique-id' field.


Hi David,

I am not a dev.
I gave in the previous post the logs from AnyConnect v10.x that were
seen in the ASA.
I would like to give it a try if you tell me what to do step by step, to run
on Linux.


Here are the missing logs from ASA for an openconnect client:

Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.devicetype =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.platformversion =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.deviceuniqueid =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.macaddress["0"] =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.publicmacaddress =


This attribute "endpoint.anyconnect.platformversion" is not necessary
since the option "openconnect --version-string" is enough.
The last ones, "endpoint.anyconnect.macaddress["0"]" and
"endpoint.anyconnect.publicmacaddress", would be great.


But for the filter DAP of Cisco/ASA, the essential attribute
"endpoint.anyconnect.deviceuniqueid" is needed.
I put different options to correspond to a Windows client as an
AnyConnect client log.


y.



Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-17 Thread David Woodhouse
On Thu, 2020-04-16 at 22:46 +0200, yesi wrote:
> Hi,
> 
> Thank you for your work.
>
>
> I was given a Windows laptop with the AnyConnect client to connect to
> the VPN server.
>
> There is a registered unique ID (I suppose
> endpoint.anyconnect.deviceuniqueid) that was made when the Windows
> client was connected for the first time.
>
> So before the filter was applied, using OpenConnect on Linux to
> connect to the Cisco/ASA SSL VPN did work.
>
>
> But today, the admin, to secure it better, uses DAP of Cisco/ASA to
> filter by that unique ID. I have that ID.
>
> It seems that it uses |%ASA-7-734003|.
>
> From [1], there are various options that can be given.
>
> OpenConnect does not give some options when connecting into the ASA
> logs: it does not give that ID when logging. I do not see this
> information in the ASA logs.
>
> But the AnyConnect client on a Windows station gives the ASA logs some
> endpoint options such as:
>
> - endpoint.anyconnect.deviceuniqueid
>
> - endpoint.anyconnect.macaddress
>
> - endpoint.anyconnect.address
>
> - etc
>
>
> What I would like is to give the option of
> endpoint.anyconnect.deviceuniqueid when running openconnect.
>
> I am not sure it is implemented, isn't it?
>
> If yes, which option could I use?
>
> If not, do you think that option could later be added?
>
> Actually, I can use the 8.05, 8.06 and Git version.
> 
> 
> Thank you in advance for return.

I think you can set at least the unique ID with the
openconnect_set_mobile_info() function, which isn't exposed on the
command line. Do you want to try using that and let us know if it does
what you expect?

There was a patch at
http://lists.infradead.org/pipermail/openconnect-devel/2016-July/003808.html
which attempted to add support for it for non-mobile platforms but it
needed a little more work. We should probably revisit that.


I note modern AnyConnect also sends a 'unique-id-global' as well as the
'unique-id' field.




Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-17 Thread yesi

Here are the logs from the AnyConnect client on ASA:

Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.radius["8"]["1"] =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.radius["4121"]["1"] =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.radius["9"]["1"] =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.grouppolicy =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.ipaddress =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.username =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.username1 =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.username2 =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.tunnelgroup =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.clientversion =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.platform =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.devicetype =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.platformversion =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.deviceuniqueid =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.macaddress["0"] =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.useragent =
Apr 16 16:03:00 ip_addr_local %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.publicmacaddress =


The logs from Openconnect client on ASA:

Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.radius["8"]["1"] =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.radius["4121"]["1"] =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.radius["9"]["1"] =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.grouppolicy =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.ipaddress =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.username =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.username1 =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.username2 =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute aaa.cisco.tunnelgroup =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.clientversion =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.platform =
Apr 16 13:04:28 local_ip_addr %ASA-7-734003: DAP: User user-name, Addr public_ip_addr_client: Session Attribute endpoint.anyconnect.useragent =






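An added example, not part of any post in this thread and not OpenConnect or Cisco code: a VPN administrator's view of the two logs above, parsing %ASA-7-734003 records (including ones wrapped by a mail client, as here) and listing sessions that lack the endpoint attributes only the AnyConnect log carries. The host, users, addresses and values in the sample are constructed, and the rule for splitting sessions is an assumption of this example.

```python
"""Flag DAP sessions whose %ASA-7-734003 records lack endpoint attributes."""
import re

# A syslog record starts with a timestamp, as in the posted logs ("Apr 16 16:03:00 ...").
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s")
RECORD = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+%ASA-7-734003:\s+DAP:\s+"
    r"User\s+(?P<user>.+?),\s+Addr\s+(?P<addr>\S+):\s+"
    r"Session Attribute\s+(?P<name>\S+)\s*=\s*(?P<value>.*)$"
)
# Attributes present in the thread's AnyConnect log and absent from its OpenConnect log.
EXPECTED = tuple("endpoint.anyconnect." + n for n in (
    "devicetype", "platformversion", "deviceuniqueid",
    'macaddress["0"]', "publicmacaddress"))

def unwrap(text):
    """Rejoin records that a mail client wrapped over several lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def sessions(text):
    """Group attributes per (host, user, addr)."""
    # Assumption: each attribute is logged once per session, so a repeated
    # attribute name for the same key opens a new session.
    done, current = [], {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        key = (m["host"], m["user"], m["addr"])
        if key in current and m["name"] in current[key]:
            done.append((key, current.pop(key)))
        current.setdefault(key, {})[m["name"]] = m["value"].strip()
    return done + list(current.items())

def report(text):
    """One finding per session with missing or blank expected attributes."""
    findings = []
    for (_host, user, addr), attrs in sessions(text):
        missing = [n for n in EXPECTED if n not in attrs]
        blank = [n for n in EXPECTED if n in attrs and not attrs[n]]
        if missing or blank:
            findings.append({"user": user, "addr": addr,
                             "missing": missing, "blank": blank})
    return findings

# Constructed sample: host, users, addresses and values are made up.
SAMPLE = """\
Apr 16 16:03:00 asa1 %ASA-7-734003: DAP: User alice, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.useragent = AnyConnect (constructed)
Apr 16 16:03:00 asa1 %ASA-7-734003: DAP: User alice, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.devicetype = ExampleModel
Apr 16 16:03:00 asa1 %ASA-7-734003: DAP: User alice, Addr
198.51.100.7: Session Attribute
endpoint.anyconnect.platformversion = 10.0
Apr 16 16:03:00 asa1 %ASA-7-734003: DAP: User alice, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.deviceuniqueid = CONSTRUCTED-ID-0001
Apr 16 16:03:00 asa1 %ASA-7-734003: DAP: User alice, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.macaddress["0"] = 00-00-5e-00-53-01
Apr 16 16:03:00 asa1 %ASA-7-734003: DAP: User alice, Addr 198.51.100.7: Session Attribute endpoint.anyconnect.publicmacaddress = 00-00-5e-00-53-01
Apr 16 13:04:28 asa1 %ASA-7-734003: DAP: User bob, Addr 203.0.113.9: Session Attribute endpoint.anyconnect.clientversion = 8.05
Apr 16 13:04:28 asa1 %ASA-7-734003: DAP: User bob, Addr 203.0.113.9: Session Attribute endpoint.anyconnect.platform = linux-64
Apr 16 13:04:28 asa1 %ASA-7-734003: DAP: User bob, Addr 203.0.113.9: Session Attribute endpoint.anyconnect.useragent = OpenConnect (constructed)
"""

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

These attributes are reported by the client itself, so a finding here describes what a client sent, not what hardware it ran on.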


Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

2020-04-16 Thread yesi

Hi,

Thank you for your work.


I was given a Windows laptop with the AnyConnect client to connect to the
VPN server.


There is a registered unique ID (I suppose
endpoint.anyconnect.deviceuniqueid) that was made when the Windows
client was connected for the first time.


So before the filter was applied, using OpenConnect on Linux to
connect to the Cisco/ASA SSL VPN did work.


But today, the admin, to secure it better, uses DAP of Cisco/ASA to filter
by that unique ID. I have that ID.


It seems that it uses |%ASA-7-734003|.

From [1], there are various options that can be given.

OpenConnect does not give some options when connecting into the ASA logs:
it does not give that ID when logging. I do not see this information
in the ASA logs.


But the AnyConnect client on a Windows station gives the ASA logs some
endpoint options such as:


- endpoint.anyconnect.deviceuniqueid

- endpoint.anyconnect.macaddress

- endpoint.anyconnect.address

- etc


What I would like is to give the option of
endpoint.anyconnect.deviceuniqueid when running openconnect.


I am not sure it is implemented, isn't it?

If yes, which option could I use?

If not, do you think that option could later be added?

Actually, I can use the 8.05, 8.06 and Git version.


Thank you in advance for return.

y.

[1] https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs9.html




