CSD use and impossible to connect (Linux)

Fromzy fromzy at gmail.com
Sat Jan 3 13:30:54 PST 2015


Hi all,

I have tried to investigate on my side with my newbie knowledge and
here are my thoughts:

cscan is trying to scan my laptop but unfortunately, it is doing a
prelogin check that follows a "posture" policy defined on the Cisco
AnyConnect server as explained here:
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac05hostscanposture.html#pgfId-10
Extract from this link:
"The prelogin assessment runs after the user connects to the ASA, but
before the user logs in. This assessment can check the remote device
for files, digital certificates, the OS, IP address, and Microsoft
Windows registry keys."
"The results of the checks of the prelogin assessment configured in
the graphical sequence editor, Figure 5-1, determine whether the
prelogin assessment results in the assignment of a particular prelogin
policy or a denied remote access connection."

As far as I understand I will never be able to connect to my company
VPN with OpenConnect because of these policies.

Any advice?

Thanks in advance

--
Fromzy

2015-01-03 0:24 GMT+01:00 Fromzy <fromzy at gmail.com>:
> Hi all,
>
> Happy new year to all and thanks for your great job :)
>
> I'm trying to connect to my company VPN that uses CSD.
> I have tried to look at the documentation and followed this blog post:
> http://blog.yunak.eu/2013/07/19/openconnect/ and I have used this
> csd-wrapper script:
> https://gist.github.com/l0ki000/56845c00fd2a0e76d688#file-csd-wrapper-sh
>
> Here is my launching command:
> openconnect --no-cert-check --csd-user=stef --no-xmlpost
> --csd-wrapper=csd-wrapperv4 https://MYCOMPANYSITE.com
>
> Unfortunately, I'm still blocked due to cstub, which refuses to accept
> "prelogin":
> Extract from cstub.log:
> [Sat Jan 03 00:08:52.876 2015][cstub][error][run] prelogin failed.
> [Sat Jan 03 00:08:52.876 2015][cstub][debug][hs_cache_reset] Resetting cache for '0'
> [Sat Jan 03 00:08:52.876 2015][cstub][debug][hs_transport_free] de-initialization
> [Sat Jan 03 00:08:52.877 2015][cstub][debug][hs_transport_free] de-initialization done
> [Sat Jan 03 00:08:52.877 2015][cstub][info][halt] goodbye (-14)
>
> I also have a cscan.log (extract at the end of the file):
> [Sat Jan 03 00:08:52.876 2015][cscan][debug][hs_transport_get_data] getting data done
> [Sat Jan 03 00:08:52.876 2015][cscan][debug][hs_download_file_to_buffer] downloaded file: /CACHE/sdesktop/data.xml (5 155 bytes)
> [Sat Jan 03 00:08:52.876 2015][cscan][debug][scan_set_cfg_from_host] config data downloaded.
> [Sat Jan 03 00:08:52.876 2015][cscan][debug][scan_set_cfg_from_host] set cfg data from host.
> [Sat Jan 03 00:08:52.876 2015][cscan][debug][prelogin] obtained CSD configuration data.
> [Sat Jan 03 00:08:52.876 2015][cscan][all][parse_config] Logging level directive (error) received from headend
> [Sat Jan 03 00:08:52.876 2015][cscan][all][parse_config] Logging level set to the minimum permissible (warn)
> [Sat Jan 03 00:08:52.876 2015][cscan][warn][parse_prelogin] prelogin denied!
> [Sat Jan 03 00:08:52.876 2015][cscan][error][cfg_process] prelogin failed.
> [Sat Jan 03 00:08:52.878 2015][cscan][all][reset_connection_cb] *** reset connection [1d90f30] from pid: [26383] ***
> [Sat Jan 03 00:08:52.878 2015][cscan][all][reset_connection_cb] cscan exiting due to broken IPC
> [Sat Jan 03 00:08:52.880 2015][cscan][all][halt] goodbye (1)
>
> What I see from the openconnect output:
> Launching: /home/stef/.cisco/hostscan/bin/cstub -log error -ticket
> "4D5FAB8D6495C4245C9F14B7" -stub "0" -group "" -host
> "https://MYCOMPANYSITE/CACHE/sdesktop/install/result.htm" -certhash
> "9320F127C1C9D870AC5FAD2A755AA7CB:"
> Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> GET https://MYCOMPANYSITE/+CSCOE+/sdesktop/wait.html
> Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> ....
>
> Do not hesitate, of course, to ask for as much information as needed
>
> Thanks in advance
>
> --
> Fromzy
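When troubleshooting a CSD failure like the one above, the useful signal is buried in cstub.log/cscan.log: the first warn/error record (here "prelogin denied!" from parse_prelogin) and the exit status reported by the final halt record. Below is a small parser for that bracketed `[timestamp][component][level][function] message` format; it is an added example written for this thread, not code from OpenConnect, the csd-wrapper gist or Cisco, and the sample log lines it embeds are constructed in the same shape as the extract quoted above. It also re-joins message text that a mail client has wrapped onto a following line, which is why the quoted extract reads so badly.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the cscan.log format quoted in the message (not a
# verbatim copy of any real system's log). One message is deliberately
# split across two lines, as a mail client would wrap it.
SAMPLE_LOG = """\
[Sat Jan 03 00:08:52.876 2015][cscan][debug][prelogin] obtained CSD configuration data.
[Sat Jan 03 00:08:52.876 2015][cscan][all][parse_config] Logging level directive (error)
received from headend
[Sat Jan 03 00:08:52.876 2015][cscan][warn][parse_prelogin] prelogin denied!
[Sat Jan 03 00:08:52.876 2015][cscan][error][cfg_process] prelogin failed.
[Sat Jan 03 00:08:52.880 2015][cscan][all][halt] goodbye (1)
"""

# Four bracketed header fields, then free-form message text.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<comp>[^\]]+)\]\[(?P<level>[^\]]+)\]"
    r"\[(?P<func>[^\]]+)\]\s*(?P<msg>.*)$"
)
EXIT_RE = re.compile(r"goodbye \((?P<code>-?\d+)\)")

# Levels that indicate something went wrong, in the order cscan uses them.
FAILURE_LEVELS = ("warn", "error")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the header fields and message of one log line, or None if the
    line does not start with a bracketed header (e.g. a wrapped continuation)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole log; lines without a header are appended to the message
    of the previous record so wrapped messages are reassembled."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is not None:
            records.append(rec)
        elif records:
            records[-1]["msg"] = records[-1]["msg"] + " " + raw.strip()
    return records


def first_failure(records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """The first warn/error record: usually the actual reason for a denial."""
    for rec in records:
        if rec["level"] in FAILURE_LEVELS:
            return rec
    return None


def exit_code(records: List[Dict[str, str]]) -> Optional[int]:
    """Exit status from the final 'goodbye (N)' halt record, if present."""
    for rec in reversed(records):
        if rec["func"] == "halt":
            m = EXIT_RE.search(rec["msg"])
            if m:
                return int(m.group("code"))
    return None


def summarize(text: str) -> Dict[str, object]:
    """One-line-per-log summary of what the host scan decided and why."""
    records = parse_log(text)
    failure = first_failure(records)
    return {
        "component": records[0]["comp"] if records else None,
        "records": len(records),
        "reason": f"{failure['func']}: {failure['msg']}" if failure else None,
        "exit_code": exit_code(records),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it on a real cscan.log or cstub.log (`summarize(open(path).read())`) gives the component, the first failing function with its message and the exit status, which is the information worth quoting when asking about a CSD denial; the prelogin policy itself is set on the headend, so the log can only tell you that the check was denied, not which rule denied it.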



More information about the openconnect-devel mailing list