Build of OpenConnect 7.05+ for EL6?

Oliver Hernandez mr.oliver.hernandez at gmail.com
Wed Jul 13 08:56:46 PDT 2016


I don't think it's the group, as my previous method of connecting
prompted me for the group.  After I login via the web, the URL is
appended with "/+CSCOE+/portal.html", which is not the group.

If you're referring to the preferences.xml file I see in my Windows VM
under C:\Users\Oliver\AppData\Local\Cisco\Cisco AnyConnect Secure
Mobility Client\, it doesn't have anything in it configuring the path
"/+CSCOE+/portal.html".

I'm actually testing the new libp11 library you linked to earlier in
this thread, and will leave karma for that as well as this new build
official build of OpenConnect.

On Wed, Jul 13, 2016 at 11:15 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Wed, 2016-07-13 at 07:58 -0400, Oliver Hernandez wrote:
>> With some one-on-one help from David (thank you!), I finally got
>> OpenConnect working to connect to my corporate Cisco VPN.  The
>> solution consists of a workaround, similar to one I have to do to
>> connect to another VPN with OpenConnect's Juniper support.
>>
>> Not having success connecting to the Cisco VPN, trying all kinds of
>> options and suggestions from David, I looked into maybe using the
>> workaround where I obtain a valid webvpn cookie and passing it to
>> OpenConnect.  The VPN has a website for initially connecting to the
>> VPN over the web and downloading the Cisco AnyConnect client, which of
>> course is Windows only.  Using a Windows VM, I connect to the VPN with
>> the IE browser, and obtain the webvpn cookie value.  At first, that
>> didn't work either.  But then I noticed the URL to the VPN in the
>> browser had a path appended to the FQDN after authenticating.  So I
>> ran OpenConnect with this extended URL, and voila, it connected!
>>
>> Granted, not ideal, and David wanted to help me figure out how to get
>> OpenConnect to mimic what the Cisco client does on the wire, but I can
>> live with this workaround.
>
> If you mean you start with a URL like https://vpn.example.com/group/
> then that's probably the '--usergroup' option.
>
> If the Cisco client *infers* that somehow when it's only given a
> hostname, that would be interesting to know. But if the Cisco client
> was provisioned with an XML file which specifies it, then they're no
> better off than we are...
>
> I suppose we *should* make the NM tool capable of eating the
> 'OrionAnyConnect.xml' file (or whatever it's called) from the Cisco
> client. In fact, openconnect itself *can* do that, I think — use the
> '-x foo.xml' option and it'll use hosts defined therein, *and* update
> the profile file with the latest from the server when it needs to.
>
> I'm glad you have it working though. Please could you also test (and
> leave karma for) the "official" build of OpenConnect for EL6 with
> PKCS#11 support:
> https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-ce3a833dca
>
> We should probably update EL7 too...
>
> --
> David Woodhouse                            Open Source Technology Centre
> David.Woodhouse at intel.com                              Intel Corporation



More information about the openconnect-devel mailing list