Building for OpenWrt

Daniel Lenski dlenski at gmail.com
Thu Apr 13 09:36:16 PDT 2023


On Wed, Apr 12, 2023 at 11:29 PM lobbia <lobbia at 163.com> wrote:
>
> In my case, v9.01+ doesn't work for my openwrt. My company's Cisco ASA server prefers Azure SSO over user/pass sign-in. When using openconnect v9.01 to connect, it proposed SSO in the capabilities list and then got stuck due to lack of sufficient support, e.g. GUI, TPM, Azure etc. But when using v8.20, it could negotiate and agree on user/pass sign-in with ASA so I can connect successfully.

Yes, we're aware of this issue. I added the `--no-external-auth`
option in https://gitlab.com/openconnect/openconnect/-/merge_requests/398;
it will prevent OpenConnect from advertising this "less scriptable"
authentication mode.

(@dwmw, we should merge this one before the next release!)

> Another question is, based on analysis, I see 2 more local_ids in my HTTP POST request xml form for device-id attributes: computer-name, and unique-id-global, from my client app Cisco AnyConnect v4.9.06037. Below is the example. I don't know how difficult it is to extend support to these 2 new items in code; can I just add 2 new items in auth.c and cstp.c like what you did in the commit f73a8268 "Add CLI option --local-id, generic id_options structure, and API function openconnect_set_id_option"? Or is it indeed much more complicated, and have you seen this requirement also from other users and will have a plan to support it later?
>
> HTTP POST XML example:
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">4.9.06037</version><device-id unique-id="xxxxxxxxxxCF7963BA42EF2701DCC3C9E20007E1E30DAC9169940D8888888888" unique-id-global="xxxxxxxxxx4C9A04F98E4FC47BD4698888888888" computer-name="xxx-xxx" platform-version="10.0.22000" device_type="xxxxxx xxxxxx">win</device-id><mac-address-list><mac-address>xx-xx-xx-xx-xx-xx</mac-address></mac-address-list><group-access>https://xxx.com/</group-access></config-auth>

1. Is "computer-name" identical to the value provided by the
longstanding `--local-hostname` option, or is it distinct? Is it
ACTUALLY REQUIRED for your login to succeed?
2. Looks like unique-id and unique-id-global are distinct? Yes, if
unique-id-global is DISTINCT AND REQUIRED, then it should just be Yet
Another Thing You Can Set™ with `--local-id`. 🤕

Please submit a diff (or a merge-request on top of the
https://gitlab.com/openconnect/openconnect/-/tree/add_local_id_option
branch) to add these in the way that you think will make them work
with your VPN, and I'll try to clean 'em up and incorporate them into
the MR.

Thanks!
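To make the two questions in the reply concrete, here is an added example (written for this page, not OpenConnect's own code) that parses the anonymized init POST quoted above, reports which device-id attributes are present and whether unique-id-global actually differs from unique-id, and builds an init body from a plain mapping of device-id attributes. The DEVICE_ID_ATTRS table, the function names and the dict-based id-option layout are this example's own assumptions, not OpenConnect's id_options structure.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the anonymized init POST quoted in the thread.
SAMPLE_INIT_POST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<config-auth client="vpn" type="init"><version who="vpn">4.9.06037</version>'
    '<device-id unique-id="xxxxxxxxxxCF7963BA42EF2701DCC3C9E20007E1E30DAC9169940D8888888888" '
    'unique-id-global="xxxxxxxxxx4C9A04F98E4FC47BD4698888888888" computer-name="xxx-xxx" '
    'platform-version="10.0.22000" device_type="xxxxxx xxxxxx">win</device-id>'
    '<mac-address-list><mac-address>xx-xx-xx-xx-xx-xx</mac-address></mac-address-list>'
    '<group-access>https://xxx.com/</group-access></config-auth>'
)

# <device-id> attributes seen in the quoted POST. This table is the example's
# own (hypothetical) id-option list, not OpenConnect's id_options structure.
DEVICE_ID_ATTRS = ("unique-id", "unique-id-global", "computer-name",
                   "platform-version", "device_type")


def parse_device_id(xml_text):
    """Return (attribute dict, platform text) of the <device-id> element."""
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth":
        raise ValueError(f"unexpected root element {root.tag!r}")
    dev = root.find("device-id")
    if dev is None:
        raise ValueError("no <device-id> element in init POST")
    return dict(dev.attrib), (dev.text or "").strip()


def id_attribute_report(xml_text):
    """Which known id attributes a capture carries, and whether
    unique-id-global is distinct from unique-id (question 2 in the reply)."""
    attrs, _ = parse_device_id(xml_text)
    present = [name for name in DEVICE_ID_ATTRS if name in attrs]
    global_distinct = ("unique-id-global" in attrs
                       and attrs["unique-id-global"] != attrs.get("unique-id"))
    return {"present": present, "unique_id_global_distinct": global_distinct}


def build_init_post(version, platform, id_options, mac_addresses, group_access):
    """Build an init POST body from a mapping of device-id attributes,
    rejecting names outside the known table so a typo is caught early."""
    unknown = set(id_options) - set(DEVICE_ID_ATTRS)
    if unknown:
        raise ValueError(f"unsupported device-id attribute(s): {sorted(unknown)}")
    root = ET.Element("config-auth", {"client": "vpn", "type": "init"})
    ET.SubElement(root, "version", {"who": "vpn"}).text = version
    dev = ET.SubElement(root, "device-id", dict(id_options))
    dev.text = platform
    macs = ET.SubElement(root, "mac-address-list")
    for mac in mac_addresses:
        ET.SubElement(macs, "mac-address").text = mac
    ET.SubElement(root, "group-access").text = group_access
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            + ET.tostring(root, encoding="unicode"))


if __name__ == "__main__":
    print(id_attribute_report(SAMPLE_INIT_POST))
    print(build_init_post("4.9.06037", "win",
                          {"unique-id": "A", "unique-id-global": "B",
                           "computer-name": "host"},
                          ["00-11-22-33-44-55"], "https://vpn.example.invalid/"))
```

Running the report over a capture from the client that works answers the reply's questions directly: if `present` lacks `computer-name` or `unique_id_global_distinct` is false, there is nothing new to add; if both appear and differ, the attribute is a candidate for the generic id-option mechanism.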


