Available for support for F5 + MFA

Daniel Lenski dlenski at gmail.com
Wed Aug 4 09:08:11 PDT 2021


On Tue, Aug 3, 2021 at 9:08 AM Antonio Petrelli
<antonio.petrelli at gmail.com> wrote:
>
> Hello again
> From now on, the edited values are between <angle-brackets>, but the
> rest is literal.
> Ok after login, I land on a page that says "Connect to VPN".
>
> Clicking on it this request is sent:
>
> GET /vdesk/get_token_for_sessid.php3 HTTP/1.0
> Host: <corporate-vpn-host-name>
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:90.0)
> Gecko/20100101 Firefox/90.0
> Accept: */*
> Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate, br
> DNT: 1
> Connection: keep-alive
> Referer: https://<corporate-vpn-host-name>/vdesk/webtop.eui?webtop=/Common/Portal_<CORPORATE-VPN-HOST-NAME-IN-UPPERCASE>_Webtop&webtop_type=webtop_full
> Cookie: LastMRH_Session=<4-bytes-hex-encoded>; TIN=66000;
> MRHSession=<MRHSession-Cookie>; F5_ST=<F5-ST-Cookie>; F5_fullWT=1
> Sec-Fetch-Dest: empty
> Sec-Fetch-Mode: cors
> Sec-Fetch-Site: same-origin

Since you've already arrived at the "webtop" interface, you've already
completed the login process and you already have the credential (the
cookie named 'MRHSession') which OpenConnect requires to be able to
actually configure and connect to the VPN tunnel.

I believe you should be able to simply capture the value of
<MRHSession-Cookie> (using the browser dev tools), and then run
OpenConnect as follows:

    openconnect --dump -vvvv --prot=f5 \
      --cookie "MRHSession=<MRHSession-Cookie>" \
      <corporate-vpn-host-name>

(Important: do NOT close the browser window before running this
command; that may cause it to logoff the session and invalidate the
cookie)

I'll wager 70% odds that this Just Works. If that doesn't work, then I
guess we'll have to figure out what the "token" and
"access-session-token" values mean, and how they get used by the f5vpn
binary.

Dan
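The procedure Dan describes (capture the MRHSession cookie from the browser, then hand it to OpenConnect with `--prot=f5`) as a small POSIX shell script. This is an added example, not code from the thread or from the OpenConnect project. It assumes the cookie was exported from the browser into a Netscape-format cookies.txt file, that the MRHSession value is 32 hex characters (an assumption used only as a sanity check), and that OpenConnect's `--cookie-on-stdin` option accepts the same `MRHSession=...` string as `--cookie`; the host name, file paths and cookie values are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or the OpenConnect
# project). Pulls the MRHSession cookie out of a browser cookie export and
# feeds it to openconnect on stdin, so the session credential never lands
# in argv (visible in `ps`) or in shell history. All names/values are made up.

# Write a constructed Netscape-format cookie jar (the format most browser
# "export cookies" extensions produce) so the script runs offline.
# Columns: domain  include_subdomains  path  secure  expiry  name  value
# Browsers prefix HttpOnly cookies' domain with "#HttpOnly_".
write_sample_jar() {
    jar="${1:-/tmp/sample_cookies.txt}"
    {
        echo '# Netscape HTTP Cookie File (constructed sample)'
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' vpn.example.com  LastMRH_Session 1a2b3c4d
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' vpn.example.com  MRHSession 0123456789abcdef0123456789abcdef
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' vpn.example.com  F5_ST 1z1z1z
        printf '#HttpOnly_%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' vpn2.example.com MRHSession fedcba9876543210fedcba9876543210
        printf '%s\tFALSE\t/\tTRUE\t0\t%s\t%s\n' other.example.org MRHSession notthisone
    } > "$jar"
    printf '%s\n' "$jar"
}

# Print the MRHSession value stored for exactly $2 in jar $1 (empty if none).
mrh_cookie_from_jar() {
    jar="$1"; host="$2"
    awk -F '\t' -v OFS='\t' -v host="$host" '
        { sub(/^#HttpOnly_/, "", $1) }          # HttpOnly marker is not part of the domain
        /^#/ { next }                            # real comment lines
        $1 == host && $6 == "MRHSession" { print $7; exit }
    ' "$jar"
}

# Sanity check before connecting: assumed format is 32 hex characters.
is_plausible_mrhsession() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Hand the cookie to openconnect via stdin. Assumes --cookie-on-stdin reads
# the same "MRHSession=<value>" string that --cookie takes on the page.
connect_with_cookie() {
    host="$1"; cookie="$2"
    printf 'MRHSession=%s\n' "$cookie" |
        openconnect --protocol=f5 --cookie-on-stdin "$host"
}

# Offline demonstration: extract and validate, but print the command that
# would run instead of actually connecting.
jar="$(write_sample_jar)"
cookie="$(mrh_cookie_from_jar "$jar" vpn.example.com)"
if is_plausible_mrhsession "$cookie"; then
    echo "would run: printf 'MRHSession=...' | openconnect --protocol=f5 --cookie-on-stdin vpn.example.com"
else
    echo "no usable MRHSession cookie for vpn.example.com in $jar" >&2
fi
```

Call `connect_with_cookie "$host" "$cookie"` in place of the final `echo` to actually connect. Treat the cookie file as a secret: the MRHSession value is a bearer session credential, so whoever holds it holds the logged-in VPN session until the server expires it, which is also why the browser window should stay open until OpenConnect has taken over.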



More information about the openconnect-devel mailing list