Connecting with Linux when the CSD is available

Sun Dec 6 18:52:19 PST 2015

Kevin,

I agree that at any time the admins can change the settings and break my log in.  That is why I hope to put together an easy how-to for capturing the latest hostscan results from a Windows machine.  That way I can quickly modify the data that the wrapper script posts back to the gateway.  

I know nothing about PNaCl to comment on it.  

For Android, you are probably right in that in most use cases just posting back the location is all that is needed.  For me I am mimicking a Windows machines and I am required to pass back the FW, AS, and AV values as well.  

Hopefully, no matter what the admins configure, as long as you can get one OS to connect you can get another OS to connect by just mimicking the valid one.  The hard part is capturing the encrypted data so you can mimic it.

Thanks

--Andy

-----Original Message-----
From: Kevin Cernekee [mailto:cernekee at gmail.com] 
Sent: Sunday, December 6, 2015 11:34 AM
To: Andrew Falk; Antonio Borneo
Cc: David Woodhouse; openconnect-devel
Subject: Re: Connecting with Linux when the CSD is available

On Fri, Dec 4, 2015 at 6:24 PM, Andrew Falk <falk0069 at gmail.com> wrote:
> I got two other co-workers hook up this way as well and we are all 
> successfully able to connect now.  I'm having my co-workers use the 
> "--os-android" flag, but I question if this isn't going to lead to 
> other issues in the future.  All, I want to do is continue if the CSD 
> failed to download or skip it altogether.

I wouldn't expect any problems as long as the ASA configuration doesn't change.  But your admin could (inadvertently or otherwise) modify the hostscan/posture settings in a way that breaks this configuration.

BTW, there is a new Chrome OS AnyConnect client that we may want to learn how to mimic.  It's implemented using PNaCl, which means it wouldn't be possible for the gateway to send down native CSD binaries to probe the system.  In this sense it is similar to iOS.

> What I'd like to eventually do is put together a tutorial for other 
> Linux users who are stuck.  I spent a long time getting this to work 
> and I think others might find it useful.

For the Android case, it would be easy enough to add code to openconnect that POSTs an appropriate CSD response without needing a wrapper script.

I think you could probably extend this to cover other OSes, e.g. if "--os win" is specified it could download the data.xml file, find the appropriate "os_check" clause, and send the corresponding "location"
name.  In your case this was "Default" but it varies.  This wouldn't be enough to satisfy checks for up-to-date antivirus software, service pack levels, registry keys, etc. but it might cover the more common situations anyway.