Building for OpenWrt
lobbia
lobbia at 163.com
Fri Apr 14 09:54:59 PDT 2023
See my inline comments below starting with 'Leo:'. Thanks!
On 2023-04-14 00:36:16, "Daniel Lenski" <dlenski at gmail.com> wrote:
>On Wed, Apr 12, 2023 at 11:29 PM lobbia <lobbia at 163.com> wrote:
>>
>> In my case, v9.01+ doesn't work for my openwrt. My company's Cisco ASA server prefers Azure SSO over user/pass sign-in. When using openconnect v9.01 to connect, it proposed SSO in the capabilities list and then got stuck due to lack of sufficient support e.g. GUI, TPM, Azure etc. But when using v8.20, it could negotiate and agree on user/pass sign-in with ASA so I can connect successfully.
>
>Yes, we're aware of this issue. I added the `--no-external-auth`
>option in https://gitlab.com/openconnect/openconnect/-/merge_requests/398;
>it will prevent OpenConnect from advertising this "less scriptable"
>authentication mode.
>
>(@dwmw, we should merge this one before the next release!)
>
>> Another question is, based on analysis, I see 2 more local_ids in my HTTP POST request xml form for device-id attributes: computer-name, and unique-id-global, from my client app Cisco AnyConnect v4.9.06037. Below is the example. I don't know how difficult it is to extend support to these 2 new items in code; can I just add 2 new items in auth.c and cstp.c like what you did in the commit f73a8268 "Add CLI option --local-id, generic id_options structure, and API function openconnect_set_id_option"? Or is it indeed much more complicated, and have you seen this requirement also from other users and will you have a plan to support it later?
>>
>> HTTP POST XML example:
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init"><version who="vpn">4.9.06037</version><device-id unique-id="xxxxxxxxxxCF7963BA42EF2701DCC3C9E20007E1E30DAC9169940D8888888888" unique-id-global="xxxxxxxxxx4C9A04F98E4FC47BD4698888888888" computer-name="xxx-xxx" platform-version="10.0.22000" device_type="xxxxxx xxxxxx">win</device-id><mac-address-list><mac-address>xx-xx-xx-xx-xx-xx</mac-address></mac-address-list><group-access>https://xxx.com/</group-access></config-auth>
>
>1. Is "computer-name" identical to the value provided by the
>longstanding `--local-hostname` option, or is it distinct? Is it
>ACTUALLY REQUIRED for your login to succeed?
>2. Looks like unique-id and unique-id-global are distinct? Yes, if
>unique-id-global is DISTINCT AND REQUIRED, then it should just be Yet
>Another Thing You Can Set™ with `--local-id`.
>
Leo: yes, "computer-name" has the same value as `--local-hostname`. Meanwhile unique-id and unique-id-global are distinct.
They are not required for successful login. But my company has a strict policy, and if it's found using an open-source app to connect to the VPN, the laptop might be locked and formatted. So I'm trying my best to simulate AnyConnect behavior 100%.
>Please submit a diff (or a merge-request on top of the
>https://gitlab.com/openconnect/openconnect/-/tree/add_local_id_option
>branch) to add these in the way that you think will make them work
>with your VPN, and I'll try to clean 'em up and incorporate them into
>the MR.
>
Leo: Just updated the code of auth.c then rebuilt on Ubuntu. It works as expected, including computer-name and unique-id-global. An MR has also been submitted: https://gitlab.com/openconnect/openconnect/-/merge_requests/465
Feel free to revise. Thanks!
>Thanks!
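The `<device-id>` element in the quoted init request is where the local identifiers discussed in this thread end up as attributes. The following is an added example, not OpenConnect code and not part of the thread: a small Python script that parses such a request to report which device-id attributes a client presents (useful when comparing a capture from AnyConnect against one from another client), and a builder that writes the element from a name/value map, which is what a `--local-id name=value` style option amounts to. It also shows the one caveat a practitioner runs into when adding free-form identifier values: attribute values must be XML-escaped, which `xml.etree` does for you. The attribute list and the sample request are modelled on the XML quoted above; all identifier values, host names and URLs in it are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Attributes AnyConnect 4.9 places on <device-id> in the request quoted in this thread.
ANYCONNECT_DEVICE_ID_ATTRS = (
    "unique-id",
    "unique-id-global",
    "computer-name",
    "platform-version",
    "device_type",
)

# Constructed sample init request with the same shape as the quoted one; all values are made up.
SAMPLE_INIT_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<config-auth client="vpn" type="init"><version who="vpn">4.9.06037</version>'
    '<device-id unique-id="0123456789ABCDEF" unique-id-global="FEDCBA9876543210" '
    'computer-name="LAPTOP-EXAMPLE" platform-version="10.0.22000" '
    'device_type="Example Vendor Model">win</device-id>'
    '<mac-address-list><mac-address>00-11-22-33-44-55</mac-address></mac-address-list>'
    '<group-access>https://vpn.example.com/</group-access></config-auth>'
)

# Hypothetical helper: parse a config-auth init request and return what the client says about itself.
def parse_device_id(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth" or root.get("type") != "init":
        raise ValueError("not a config-auth init request")
    dev = root.find("device-id")
    if dev is None:
        # The client sent no device identification at all.
        return None
    return {
        "version": (root.findtext("version") or "").strip(),
        "platform": (dev.text or "").strip(),          # element text, e.g. "win"
        "attrs": dict(dev.attrib),                      # the local identifiers
        "macs": [(m.text or "").strip()
                 for m in root.iterfind("mac-address-list/mac-address")],
    }

# Hypothetical helper: which of the AnyConnect 4.9 device-id attributes a request lacks.
def missing_device_id_attrs(xml_text):
    info = parse_device_id(xml_text)
    present = info["attrs"] if info else {}
    return [name for name in ANYCONNECT_DEVICE_ID_ATTRS if name not in present]

# Hypothetical helper: build an init request from a name -> value map of identifiers,
# the way a --local-id style option would feed them in. ElementTree escapes &, <, >
# and quotes in attribute values, so arbitrary identifier text cannot break the XML.
def build_init_request(version, platform, id_options, mac_addresses, group_url):
    root = ET.Element("config-auth", client="vpn", type="init")
    ET.SubElement(root, "version", who="vpn").text = version
    dev = ET.SubElement(root, "device-id")
    for name, value in id_options.items():
        # Attribute names are not escaped by the serializer, so validate them explicitly.
        if not re.fullmatch(r"[A-Za-z_][\w.-]*", name):
            raise ValueError("invalid device-id attribute name: %r" % name)
        dev.set(name, value)
    dev.text = platform
    mac_list = ET.SubElement(root, "mac-address-list")
    for mac in mac_addresses:
        ET.SubElement(mac_list, "mac-address").text = mac
    ET.SubElement(root, "group-access").text = group_url
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("missing in sample:", missing_device_id_attrs(SAMPLE_INIT_REQUEST))
    built = build_init_request("4.9.06037", "win",
                               {"unique-id": "AA", "unique-id-global": "BB",
                                "computer-name": 'R&D "lab" <01>'},
                               ["00-11-22-33-44-55"], "https://vpn.example.com/")
    print(built)
    print("round trip:", parse_device_id(built)["attrs"])
```

Running the script on a captured request (for example one saved with `--dump-http-traffic` style logging from a client, or from a proxy) prints the attribute names the client omits relative to the AnyConnect 4.9 set; the round trip at the end shows that a `computer-name` containing `&`, quotes and angle brackets survives serialization and parsing unchanged.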