Connecting with Linux when the CSD is available

Kevin Cernekee cernekee at gmail.com
Sun Dec 6 09:33:51 PST 2015


On Fri, Dec 4, 2015 at 6:24 PM, Andrew Falk <falk0069 at gmail.com> wrote:
> I got two other co-workers hooked up this way as well and we are all
> successfully able to connect now.  I'm having my co-workers use the
> "--os-android" flag, but I question if this isn't going to lead to other
> issues in the future.  All I want to do is continue if the CSD failed to
> download or skip it altogether.

I wouldn't expect any problems as long as the ASA configuration
doesn't change.  But your admin could (inadvertently or otherwise)
modify the hostscan/posture settings in a way that breaks this
configuration.

BTW, there is a new Chrome OS AnyConnect client that we may want to
learn how to mimic.  It's implemented using PNaCl, which means it
wouldn't be possible for the gateway to send down native CSD binaries
to probe the system.  In this sense it is similar to iOS.

> What I'd like to eventually do is put together a tutorial for other Linux
> users who are stuck.  I spent a long time getting this to work and I think
> others might find it useful.

For the Android case, it would be easy enough to add code to
openconnect that POSTs an appropriate CSD response without needing a
wrapper script.

I think you could probably extend this to cover other OSes, e.g. if
"--os win" is specified it could download the data.xml file, find the
appropriate "os_check" clause, and send the corresponding "location"
name.  In your case this was "Default" but it varies.  This wouldn't
be enough to satisfy checks for up-to-date antivirus software, service
pack levels, registry keys, etc. but it might cover the more common
situations anyway.


