Connecting to anyconnect vpn - system verification

Daniel Lenski dlenski at gmail.com
Fri Jan 27 20:28:00 PST 2023


On Fri, Jan 27, 2023 at 3:58 AM Zbyněk Kačer <zbynek.kacer at pitris.info> wrote:
> So I tried openconnect

openconnect --version?

> So I tried
> openconnect --dump-http-traffic --csd-wrapper=/tmp/csd-post.sh
> gateway.host.some.server.com
>
> but the csd-post script seems never to be called (I've inserted some echos
> at the beginning).

Are you 100% sure the `csd-post.sh` is an executable shell script, and
that you're not missing an error about it being non-executable, or
otherwise failing? Until we made improvements in recent releases
(https://gitlab.com/openconnect/openconnect/-/commits/7083a0ac52a95e02b2c75180888bc29bcc9f3bae/auth.c),
these errors were very easy to miss.

Assuming the script is indeed executable, it's possible that your
server detects that you're using a non-Cisco client, or running a
not-supported OS, and simply skips over CSD and goes straight to the
"limited access" mode.

Try adding combinations of the following to the command line and see
if they make any difference…

--useragent 'AnyConnect Windows 4.10.05095'
--os=win
--local-hostname=HOSTNAME_OF_YOUR_OFFICIALLY_SUPPORTED_WINDOWS_LAPTOP

Rinse/repeat/experiment until you hopefully find the magical
combination of options/versions/identifiers (refer to
https://www.infradead.org/openconnect/manual.html).

> Do I have to force openconnect to post the "scan" result to the gateway
> somehow?

No.
As far as we know, the Cisco servers either (a) require that you
complete CSD before authentication will complete and you'll be able to
connect the VPN tunnel, or (b) skip it.

Dan
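The two things Dan suggests (first rule out a wrapper that openconnect cannot exec, then try the useragent/os/hostname combinations one by one) are easy to lose track of by hand. The script below is an added example, not code from the openconnect project or from this thread. It assumes openconnect is on PATH, that the wrapper is started by a direct exec (so it needs an executable bit and a clean `#!` line), and that a server which really starts CSD returns a `<host-scan>` element (or, on older setups, a `<csd ...>` element) in the XML that `--dump-http-traffic` prints; those element names are assumptions, as is the use of `--authenticate` to stop after login. The hostname and dump file names are placeholders.

```shell
#!/bin/sh
# Added example (not openconnect's own code).  Placeholders: laptop hostname,
# csd-probe-N.log file names.  Assumption: CSD is signalled by <host-scan> or
# <csd ...> in the dumped XML.  Wrapper/server paths must not contain spaces.

# 1. Rule out a wrapper that openconnect cannot exec at all.  Prints the reason
#    and returns 1 if the file is unusable, 0 if it looks fine.
check_wrapper() {
    w=$1
    [ -f "$w" ] || { echo "wrapper $w: no such file"; return 1; }
    [ -x "$w" ] || { echo "wrapper $w: not executable (chmod +x)"; return 1; }
    first=
    IFS= read -r first < "$w" || true
    case $first in
        '#!'*) ;;
        *) echo "wrapper $w: no #! line, a direct exec fails"; return 1 ;;
    esac
    case $first in
        *"$(printf '\r')"*)
            echo "wrapper $w: CRLF line endings, interpreter path ends in \\r"
            return 1 ;;
    esac
    return 0
}

# 2. Enumerate the option combinations from the reply, one set per line
#    (the empty first line is the "no extra options" baseline).
csd_option_sets() {
    ua="--useragent='AnyConnect Windows 4.10.05095'"
    os="--os=win"
    hn="--local-hostname=$1"   # hostname of a supported Windows laptop
    for a in "" "$ua"; do
        for b in "" "$os"; do
            for c in "" "$hn"; do
                echo "$a $b $c"
            done
        done
    done | sed 's/^ *//; s/ *$//; s/  */ /g'
}

# 3. Did the server actually start CSD?  Scan a saved --dump-http-traffic log
#    for the elements that carry the hostscan ticket/URLs.  0 = found.
dump_shows_csd() {
    grep -Eq '<host-scan|<csd' "$1"
}

# 4. The "rinse/repeat" loop: one openconnect run per option set, each with
#    its own dump file.  Stops at the first set for which CSD is triggered.
#    The logs contain session cookies and headers; delete them afterwards.
probe_csd() {
    server=$1; wrapper=$2; laptop=$3
    check_wrapper "$wrapper" || return 1
    i=0
    csd_option_sets "$laptop" | while IFS= read -r opts; do
        i=$((i + 1))
        log="csd-probe-$i.log"
        echo "== set $i: ${opts:-(no extra options)}"
        # --authenticate stops after login, so no tunnel is brought up.
        eval openconnect --authenticate --dump-http-traffic \
            "--csd-wrapper=$wrapper" $opts "$server" 2>&1 | tee "$log"
        if dump_shows_csd "$log"; then
            echo "CSD triggered with: ${opts:-(no extra options)}, see $log"
            break
        fi
    done
}

# Usage: sh csd-probe.sh gateway.host.some.server.com /tmp/csd-post.sh LAPTOP01
if [ "$#" -eq 3 ]; then
    probe_csd "$@"
fi
```

If every set ends without a `<host-scan>` element in its log, the server is not offering CSD to this client at all (case (b) in the reply), and no amount of forcing the wrapper will post a scan result; compare the dumped exchange against one captured from the officially supported client instead.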