[PATCH] provide enhanced device info during authentication
Ralph Schmieder
ralph.schmieder at gmail.com
Fri Jul 22 08:21:24 PDT 2016
This patch provides additional detail when authenticating to the head-end. Most notably, ASA head-ends will show this:
AnyConnect-Parent:
Tunnel ID : 23.1
Public IP : 172.16.33.14
Encryption : none Hashing : none
TCP Src Port : 37483 TCP Dst Port : 443
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 21 Minutes
Client OS : linux-64
Client OS Ver: Linux 3.19.0-61-generic #69~14.04.1-Ubuntu SMP Thu Jun 9 09:09:13 UTC 2016 x86_6 <<<< this
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Linux 4.2.02075
Bytes Tx : 4464 Bytes Rx : 967
Pkts Tx : 3 Pkts Rx : 1
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Other information (like platform, UUID or MAC addresses) can potentially be used in CSD to lockout e.g. Virtual Machines which makes it desirable to have some control over this information as well.
From main.c:
====%<====
ONLY implemented for linux-64, can be made to work for other platforms, too.
ONLY when '--os=linux-64' is specified on command line
read env variables for device information provided during authentication
this includes:
- device type (from 'dmidecode'), e.g. 'VMware, Inc. VMware Virtual Platform'
- platform version (from 'uname -srvp'), e.g. 'Linux 3.19.0-61-generic #69~14.04.1-Ubuntu SMP Thu Jun 9 09:09:13 UTC 2016 x86_64'
- uuid (some 32 byte hex value)
- MAC address list (use first MAC address from interface which has default gateway)
Sample output in <device-id> and <mac-address> elements:
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply">
<version who="vpn">v7.07-lalala</version>
<device-id device-type="VMware, Inc. VMware Virtual Platform" platform-version="Linux 3.19.0-61-generic #69~14.04.1-Ubuntu SMP Thu Jun 9 09:09:13 UTC 2016 x86_64" unique-id="AB943CB45BB199B17E2EE073BD690CA94A89E2E539845701EEB1CC7C4C9666D5">linux-64</device-id>
<mac-address-list>
<mac-address>00-0c-29-1a-ee-36</mac-address>
</mac-address-list>
[...]
</config-auth>
This is entirely optional to provide better compatibility, as this information may show in the ASA head-end output or can be used for CSD evaluation.
sample script provided (env.sh), source script (provide password for 'sudo dmidecode')
provide -E to sudo to make sure environment is preserved
- source env.sh
- sudo -E openconnect ....
====%<====
It works for me... it seems a bit odd to 'misuse' the mobile_info vpn_info vars for this purpose. Looks to me that the vars should rather be named device_info as they do not only apply to mobile clients but also to 'regular' clients.
Also, how and when to apply these (currently only for OS==linux-64 and via OS env vars) is up for discussion.
-ralph
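Added example, not part of this patch or of OpenConnect: a head-end-side parser, in Python, for the auth-reply shown above. It pulls out the <device-id> attributes and the <mac-address-list>, normalises the dashed MAC form, and applies the kind of "is this a VM?" check CSD is described as making. The hypervisor marker strings, the VMware OUI and the 64-hex-digit unique-id check are assumptions about the format, not anything the patch specifies.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like the auth-reply in the post (the "[...]"
# placeholder is dropped so it parses).
SAMPLE_AUTH_REPLY = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply">
<version who="vpn">v7.07-lalala</version>
<device-id device-type="VMware, Inc. VMware Virtual Platform" platform-version="Linux 3.19.0-61-generic #69~14.04.1-Ubuntu SMP Thu Jun 9 09:09:13 UTC 2016 x86_64" unique-id="AB943CB45BB199B17E2EE073BD690CA94A89E2E539845701EEB1CC7C4C9666D5">linux-64</device-id>
<mac-address-list>
<mac-address>00-0c-29-1a-ee-36</mac-address>
</mac-address-list>
</config-auth>
"""

UNIQUE_ID_RE = re.compile(r"^[0-9A-Fa-f]{64}$")  # "32 byte hex value" (assumed)
VM_MARKERS = ("vmware", "virtualbox", "qemu", "kvm", "xen")  # assumed list
VMWARE_OUI = "00:0c:29"  # OUI registered to VMware, Inc.


def parse_device_info(xml_text):
    """Extract <device-id> attributes and <mac-address-list> entries; clients
    that omit the extended info yield None fields and an empty MAC list."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "config-auth" or root.get("type") != "auth-reply":
        raise ValueError("not a config-auth auth-reply document")
    dev = root.find("device-id")
    attr = dev.get if dev is not None else (lambda _name: None)
    macs = [m.text.strip().lower().replace("-", ":")  # 00-0c-.. -> 00:0c:..
            for m in root.iterfind("mac-address-list/mac-address")
            if m.text and m.text.strip()]
    return {"os": dev.text.strip() if dev is not None and dev.text else None,
            "device_type": attr("device-type"),
            "platform_version": attr("platform-version"),
            "unique_id": attr("unique-id"),
            "macs": macs}


def unique_id_is_well_formed(info):
    uid = info.get("unique_id")
    return bool(uid) and UNIQUE_ID_RE.match(uid) is not None


def claims_virtual_machine(info):
    """Posture hint: device-type names a hypervisor or a MAC has the VMware
    OUI. Values are client-supplied, so only a True result is informative."""
    dev_type = (info.get("device_type") or "").lower()
    if any(marker in dev_type for marker in VM_MARKERS):
        return True
    return any(mac.startswith(VMWARE_OUI) for mac in info.get("macs", []))
```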
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-provide-detailed-device-info-for-linux-64.patch
Type: application/octet-stream
Size: 6839 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160722/2b883ef9/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-script-to-create-env-vars-for-addtl.-device-info.patch
Type: application/octet-stream
Size: 1405 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160722/2b883ef9/attachment-0003.obj>