Re: Authentication type EAP-Anyconnect

2018-08-17 Thread Daniel Lenski
On Fri, Aug 17, 2018 at 8:22 AM,   wrote:
> Hi Dan and all,
>
> Today I tried to connect simulating the OS and client as Windows. As you can
> see, if I use --no-xmlpost the server says "AnyConnect is not enabled
> on the VPN server"; if I remove --no-xmlpost, the error remains the
> same.

Okay, that's not surprising… --no-xmlpost invokes a very old
authentication method, and it only fixes things on a small fraction of
Cisco servers.

> Attached are the logs with and without --no-xmlpost.
>
> For the group, I am sure that VPNAnyconnect is the right group.
>
> I checked with my network team: in the VPN server log, the attempt to
> access with openconnect uses an authentication method that is not MSCHAPv2.
>
> If I use the VPN AnyConnect client from Android or Windows the authentication
> method is MSCHAPv2 and it works.
>
> Can I force MSCHAPv2?

No. MSCHAPv2 is an ancient and insecure authentication protocol
(https://en.wikipedia.org/wiki/MS-CHAP), which is basically
unnecessary and useless over modern TLS. OpenConnect doesn't actually
support it.

I am somewhat doubtful that it is actually the problem here; I am
guessing your network admins are just picking out some message from
the logs like "WARNING: not authenticating using MSCHAPv2", and
claiming that is the problem here.

I have an idea… I had a problem like this before, and it was from the
Cisco client silently updating its own XML profile from the server,
and changing the "usergroup", without any notification. Look around
for an XML file containing "AnyConnectPreferences" on your Windows
computer where the connection is working. It might be in
"%USERPROFILE%\AppData\Local\Cisco" as Preferences.xml. It should look
something like this:



myusername


DEADBEEFDEADBEEFDEADBEEF1234567890ABCDEF



MyVPN
x.x.x.150
MyGroup


none

true

false


Is the "DefaultGroup" set? If so, try adding `--usergroup MyGroup` to
the openconnect command line. If this works… I can sort of explain
why. It's a weird crusty corner of how the Cisco client and server
interact.

-Dan

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
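As an added illustration (not part of this thread or of the OpenConnect project), the check Dan describes, in Python: read the Cisco client's Preferences.xml, pull out DefaultGroup, and build the matching openconnect command line. The DefaultHostAddress and DefaultUser element names are my assumptions about the file format, and the sample profile is constructed.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Preferences.xml shape described above.
# Element names other than AnyConnectPreferences/DefaultGroup are assumptions.
SAMPLE_PREFERENCES = """<AnyConnectPreferences>
  <DefaultUser>myusername</DefaultUser>
  <DefaultHostName>MyVPN</DefaultHostName>
  <DefaultHostAddress>x.x.x.150</DefaultHostAddress>
  <DefaultGroup>MyGroup</DefaultGroup>
</AnyConnectPreferences>
"""


def read_preferences(xml_text):
    """Return (host, user, group) from a Preferences.xml document.

    Missing or empty elements come back as None, so an unset DefaultGroup
    (the case Dan asks about) is distinguishable from a pinned one.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "AnyConnectPreferences":
        raise ValueError("not an AnyConnectPreferences document: <%s>" % root.tag)

    def text_of(name):
        el = root.find(name)
        if el is None or el.text is None or not el.text.strip():
            return None
        return el.text.strip()

    return text_of("DefaultHostAddress"), text_of("DefaultUser"), text_of("DefaultGroup")


def openconnect_argv(host, user=None, group=None):
    """Build the openconnect argv; --usergroup is added only when the
    client profile actually pinned a DefaultGroup."""
    if not host:
        raise ValueError("profile has no DefaultHostAddress")
    argv = ["openconnect"]
    if user:
        argv += ["--user", user]
    if group:
        argv += ["--usergroup", group]
    argv.append(host)
    return argv


if __name__ == "__main__":
    host, user, group = read_preferences(SAMPLE_PREFERENCES)
    print(shlex.join(openconnect_argv(host, user, group)))
```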


Re: Authentication type EAP-Anyconnect

2018-08-17 Thread alessandro . narzisi
Hi Dan and all,

Today I tried to connect simulating the OS and client as Windows. As you can
see, if I use --no-xmlpost the server says "AnyConnect is not enabled
on the VPN server"; if I remove --no-xmlpost, the error remains the
same.

Attached are the logs with and without --no-xmlpost.

For the group, I am sure that VPNAnyconnect is the right group.

I checked with my network team: in the VPN server log, the attempt to
access with openconnect uses an authentication method that is not MSCHAPv2.

If I use the VPN AnyConnect client from Android or Windows the authentication
method is MSCHAPv2 and it works.

Can I force MSCHAPv2?

Thanks

On Thu, 16/08/2018 at 15.26 -0700, Daniel Lenski wrote:
> On Thu, Aug 16, 2018 at 1:17 PM,  
> wrote:
> > Hi Daniel and list,
> > 
> > The dump is attached.
> > 
> > I also tried adding --os=android but I received another error
> > (dump in
> > file  _android attached)
> > 
> > Thanks for the support
> 
> Thanks. This is useful.
> 
> - What does this have to do with "EAP-Anyconnect"? Nothing in the log
> mentions EAP.
> 
> - Are you *sure* that you are selecting the right auth-group?
> ("VPNAnyConnect" vs "trn")
> 
> - All that said, the fact that the errors are completely different for
> Android vs. Linux suggests that the server may be trying to do some
> kind of OS/client detection. You might want to try options like these
> to see if they get the server to cooperate…
> 
> spoof AnyConnect for Windows:
> --os=win --useragent='Cisco AnyConnect VPN Agent for Windows
> 4.2'
> use a really old authentication mechanism:
> --no-xmlpost
> 
> -Dan
> 
> ps- The

alessandro@stefania-VPCEH2N1E:~$ sudo openconnect --dump -v --os=win --useragent="Cisco AnyConnect VPN Agent for Windows 4.2" xxx.xxx.xxx.xxx
POST https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found

Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert 
sha256:34971885c60017dfc2a8c6b582386cac93485d968d2b863bb6d0dd845ac76cf7
Enter 'sì' to accept, 'no' to abort; anything else to view: sì
Connected to HTTPS on xxx.xxx.xxx.xxx
> POST / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 204
> 
> 
>  who="vpn">v7.08winhttps://xxx.xxx.xxx.xxx
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 17 Aug 2018 15:01:31 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< 
< 
< 
< TernaAnyConnect
< VPNAnyConnect
< 1518074870349
< 
< 
< Login
< Please enter your username and password.
< 
< 
< 
< 
< 
< VPNAnyConnect
< trn
< 
< 
< 
< 
POST XML abilitato
Please enter your username and password.
GROUP: [VPNAnyConnect|trn]:VPNAnyConnect
POST https://xxx.xxx.xxx.xxx/
> POST / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 0
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 247
> 
> 
>  who="vpn">v7.08winhttps://xxx.xxx.xxx.xxx/VPNAnyConnect
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 17 Aug 2018 15:01:36 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< 
< 
< 
< TernaAnyConnect
< VPNAnyConnect
< 1518074870349
< 
< 
< Login
< Please enter your username and password.
< 
< 
< 
< 
< 
< VPNAnyConnect
< trn
< 
< 
< 
< 
POST XML abilitato
Please enter your username and password.
Username:myuser
Password:
POST https://xxx.xxx.xxx.xxx/
> POST / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 428
> 
> 
>  who="vpn">v7.08win
> TernaAnyConnect
> VPNAnyConnect
> 1518074870349
> myusermypasswordVPNAnyConnect
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 17 Aug 2018 15:01:43 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP