Does OpenConnect give the Pulse appliance the hostname associated with user authentication?

Daniel Lenski dlenski at gmail.com
Thu Nov 3 17:58:21 PDT 2022


On Thu, Nov 3, 2022 at 2:18 PM Schütz Dominik
<Dominik.Schuetz at esolutions.de> wrote:
> Hi,
>
> I have a question in connection with OpenConnect (currently v9.01+74+g76dc679-0+113.1) and the Pulse Secure Appliance (currently 9.1R14).
>
> We authenticate with "protocol=pulse" and "protocol=nc" either with username + password (case 1) or with our smartcard (case 2).
>
>
> We would like to add a check on our Pulse appliance: if the hostname with which the user authenticates via username + password or smartcard is in a certain Active Directory group, it should be moved to another role.
>
> My question now is whether OpenConnect gives the Pulse Appliance the host name associated with the user authentication?

Yes, this value is sent during authentication and tunnel
connection/reconnection. See the source code of the precise build you
are running: https://gitlab.com/openconnect/openconnect/blob/76dc679/pulse.c#L1411

BY DEFAULT, the value that OpenConnect sends on POSIX systems is the
output of `uname -n`.

However, the end user can easily send any other desired hostname to
the server using:

    # This works for all supported protocols, not just Pulse
    openconnect --local-hostname="some.other.hostname" --protocol=pulse ...

-Daniel


