Protocol F5/BigIP How to debug handshake

Daniel Lenski dlenski at gmail.com
Tue Oct 18 11:28:36 PDT 2022


On Fri, Oct 14, 2022 at 7:48 AM LeJacq, Jean Pierre
<jeanpierre.lejacq at quoininc.com> wrote:
>
> I'm trying to use OpenConnect with the relatively new F5 protocol support.
>
> I'm running into problems with the initial handshake and looking for some
> advice on how to debug.
>
> My environment is the following. I have confirmed that I can connect using the
> Windows 11 F5 client.
>
>     OS: Debian Buster (stable)
>     Version: OpenConnect version v9.01-1~bpo11+1.
>
> The problem seems to be that instead of establishing the connection, I'm
> immediately redirected to a logout page saying this is an unsupported browser.
> Using an explicit Windows 11 user agent string does not eliminate the warning
> about a non-supported browser.

Based on your site's "supported browsers" page
(http://atnyulmc.org/help-documentation/quick-view-os-browser-support-matrix),
it appears that they allow only a ridiculously narrow and mostly
obsolete set of browsers, e.g. only the 32-bit (😵) version of IE11
(😵) on Windows 10 (😵). I played around with a few different values
and couldn't get it to work, but didn't go so far as trying an actual
Windows browser.

Can you try to emulate <whatever the Windows 11 F5 client sends exactly>?

> I'm thinking I need to provide another cookie but don't see how to determine
> which one might be required.

If additional parameters or requests/responses are needed to satisfy
this server, and you can't figure them out by guessing or inspecting
the official client… you would likely need to get a MITM capture of the
official client interacting with your server. I've written some
documentation of how to do that here:
https://www.infradead.org/openconnect/mitm.html

However, since the login apparently uses an *external web browser*, it
should be fairly easy for you to follow the browser/server interaction
using IE/Firefox/Chrome dev tools in a supported Windows browser. If
you can capture the F5_ST and MRHSession cookies from a successful
authentication on Windows, then you can use them to (re)connect from
OpenConnect with:

openconnect --protocol=f5 my.server.com --cookie "MRHSession=VALUE; F5_ST=VALUE"

Dan
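One way to pull the two cookies named above out of a dev-tools capture, as an added example that is not part of this thread or of OpenConnect itself: it assumes the successful Windows login was saved from the dev-tools network panel as a HAR file, loaded as a Python dict, and it builds the `--cookie` argument from the last `Set-Cookie` the server sent for each name (the hostname `my.server.com` and the sample HAR below are constructed).

```python
import shlex
from urllib.parse import urlsplit

# Cookie names from the thread; nothing else in the capture is needed.
WANTED = ("MRHSession", "F5_ST")

def _setcookie_pairs(headers):
    """Yield (name, value) for each Set-Cookie header in a HAR header list."""
    for h in headers:
        if h.get("name", "").lower() == "set-cookie":
            # The first "name=value" token is the cookie; the rest are attributes.
            first = h.get("value", "").split(";", 1)[0]
            if "=" in first:
                name, value = first.split("=", 1)
                yield name.strip(), value.strip()

def session_cookies(har, host):
    """Return {name: value} for the wanted cookies that `host` set in `har`.
    Later responses override earlier ones, matching what the browser keeps."""
    found = {}
    for entry in har["log"]["entries"]:
        if urlsplit(entry["request"]["url"]).hostname != host:
            continue  # ignore third-party hosts loaded by the login page
        resp = entry["response"]
        pairs = list(_setcookie_pairs(resp.get("headers", [])))
        pairs += [(c["name"], c["value"]) for c in resp.get("cookies", [])]
        for name, value in pairs:
            if name in WANTED:
                found[name] = value
    return found

def openconnect_cmdline(har, host):
    """Return the command line from the thread, or None if a cookie is missing."""
    cookies = session_cookies(har, host)
    if any(n not in cookies for n in WANTED):
        return None
    cookie_arg = "; ".join(f"{n}={cookies[n]}" for n in WANTED)
    return f"openconnect --protocol=f5 {host} --cookie {shlex.quote(cookie_arg)}"

# Constructed sample HAR (not a real capture): the second response refreshes
# MRHSession, so its value must win over the first one.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://my.server.com/login"},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "MRHSession=old111; path=/; Secure"},
         {"name": "Set-Cookie", "value": "F5_ST=1z1z1; path=/"}], "cookies": []}},
    {"request": {"url": "https://my.server.com/next"},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "MRHSession=new222; path=/; HttpOnly"}],
      "cookies": []}}]}}
```

For a real capture, load the HAR with `json.load()` and pass the VPN hostname; a `None` result means the login did not complete on the captured host.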