Hi Dan and all,

today I tried to connect simulating OS and client Windows. As you can see, if I use --no-xmlpost the server said "AnyConnect is not enabled on the VPN server"; if I remove --no-xmlpost, the error remains the same.

Attached is the log with and without --no-xmlpost.

For group, I am sure that VPNAnyconnect is the right group.

I see with my network team that in the VPN server log, the attempt to access with openconnect uses an authentication method that is not MSCHAPv2. If I use VPN Anyconnect from Android or Windows the authentication method is MSCHAPv2 and it is good.

Can I force MSCHAPv2?

Thanks

On Thu, 16/08/2018 at 15.26 -0700, Daniel Lenski wrote:
> On Thu, Aug 16, 2018 at 1:17 PM, <alessandro.narzisi at gmail.com> wrote:
> > Hi Daniel and list,
> >
> > attached is the dump.
> >
> > I tried to add also --os=android but I received another error
> > (dump in file _android attached)
> >
> > Thanks for support
>
> Thanks. This is useful.
>
> - What does this have to do with "EAP-Anyconnect"? Nothing in the log
>   mentions EAP.
>
> - Are you *sure* that you are selecting the right auth-group?
>   ("VPNAnyConnect" vs "trn")
>
> - All that said, the fact that the errors are completely different for
>   Android vs. Linux suggests that the server may be trying to do some
>   kind of OS/client detection. You might want to try options like these
>   to see if they get the server to cooperate?
>
>     spoof AnyConnect for Windows:
>         --os=win --useragent='Cisco AnyConnect VPN Agent for Windows 4.2'
>     use a really old authentication mechanism:
>         --no-xmlpost
>
> -Dan
>
> ps- The

-------------- next part --------------
alessandro at stefania-VPCEH2N1E:~$ sudo openconnect --dump -vvvvv --os=win --useragent="Cisco AnyConnect VPN Agent for Windows 4.2" xxx.xxx.xxx.xxx
POST https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found

Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:34971885c60017dfc2a8c6b582386cac93485d968d2b863bb6d0dd845ac76cf7
Enter 's?' to accept, 'no' to abort; anything else to view: s?
Connected to HTTPS on xxx.xxx.xxx.xxx
> POST / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 204
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>win</device-id><group-access>https://xxx.xxx.xxx.xxx</group-access></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 17 Aug 2018 15:01:31 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <opaque is-for="sg">
< <tunnel-group>TernaAnyConnect</tunnel-group>
< <group-alias>VPNAnyConnect</group-alias>
< <config-hash>1518074870349</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">VPNAnyConnect</option>
< <option>trn</option>
< </select>
< </form>
< </auth>
< </config-auth>
POST XML abilitato
Please enter your username and password.
GROUP: [VPNAnyConnect|trn]:VPNAnyConnect
POST https://xxx.xxx.xxx.xxx/
> POST / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 247
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v7.08</version><device-id>win</device-id><group-access>https://xxx.xxx.xxx.xxx/</group-access><group-select>VPNAnyConnect</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 17 Aug 2018 15:01:36 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <opaque is-for="sg">
< <tunnel-group>TernaAnyConnect</tunnel-group>
< <group-alias>VPNAnyConnect</group-alias>
< <config-hash>1518074870349</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">VPNAnyConnect</option>
< <option>trn</option>
< </select>
< </form>
< </auth>
< </config-auth>
POST XML abilitato
Please enter your username and password.
Username:myuser
Password:
POST https://xxx.xxx.xxx.xxx/
> POST / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: win
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 428
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.08</version><device-id>win</device-id><opaque is-for="sg">
> <tunnel-group>TernaAnyConnect</tunnel-group>
> <group-alias>VPNAnyConnect</group-alias>
> <config-hash>1518074870349</config-hash>
> </opaque><auth><username>myuser</username><password>mypassword</password></auth><group-select>VPNAnyConnect</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 17 Aug 2018 15:01:43 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <opaque is-for="sg">
< <tunnel-group>TernaAnyConnect</tunnel-group>
< <group-alias>VPNAnyConnect</group-alias>
< <config-hash>1518074870349</config-hash>
< </opaque>
< <auth id="main">
< <title>Login</title>
< <message>Please enter your username and password.</message>
< <banner></banner>
< <error id="83" param1="" param2="">Login denied, unauthorized connection mechanism, contact your administrator.</error>
< <form>
< <input type="text" name="username" label="Username:"></input>
< <input type="password" name="password" label="Password:"></input>
< <select name="group_list" label="GROUP:">
< <option selected="true">VPNAnyConnect</option>
< <option>trn</option>
< </select>
< </form>
< </auth>
< </config-auth>
Login denied, unauthorized connection mechanism, contact your administrator.
Please enter your username and password.
Username:^Cfgets (stdin): Chiamata di sistema interrotta

-------------- next part --------------
alessandro at stefania-VPCEH2N1E:~$ sudo openconnect --dump -vvvvv --os=win --useragent="Cisco AnyConnect VPN Agent for Windows 4.2" --no-xmlpost xxx.xxx.xxx.xxx
[sudo] password di alessandro:
GET https://xxx.xxx.xxx.xxx/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found

Certificate from VPN server "xxx.xxx.xxx.xxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert sha256:34971885c60017dfc2a8c6b582386cac93485d968d2b863bb6d0dd845ac76cf7
Enter 's?' to accept, 'no' to abort; anything else to view: s?
Connected to HTTPS on xxx.xxx.xxx.xxx
> GET / HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 17 Aug 2018 14:58:18 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://xxx.xxx.xxx.xxx/+webvpn+/index.html
SSL negotiation with xxx.xxx.xxx.xxx
Server certificate verify failed: signer not found
Connected to HTTPS on xxx.xxx.xxx.xxx
> GET /+webvpn+/index.html HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="TernaAnyConnect" noaaa="0" >VPNAnyConnect</option><option value="trn" noaaa="0" >trn</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
GROUP: [VPNAnyConnect|trn]:VPNAnyConnect
Please enter your username and password.
Username:myuser
Password:
POST https://xxx.xxx.xxx.xxx/+webvpn+/index.html
> POST /+webvpn+/index.html HTTP/1.1
> Host: xxx.xxx.xxx.xxx
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.2
> Cookie: webvpnlogin=1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 64
>
> group_list=TernaAnyConnect&username=myuser&password=terna%24023
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <error id="89" param1="" param2="">AnyConnect is not enabled on the VPN server</error>
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="TernaAnyConnect" noaaa="0" >VPNAnyConnect</option><option value="trn" noaaa="0" >trn</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
AnyConnect is not enabled on the VPN server
Please enter your username and password.
Username:
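
Dumps taken with --dump -v, like the two attached above, carry the submitted username and password in whichever form the client sends them: the XML auth-reply, or the form-encoded POST body used with --no-xmlpost. As an added example (not part of the original message or of openconnect), a filter to run such a log through before attaching it; the sample input, its credentials and group name are constructed, and masking the `webvpn` cookie value as session material is an assumption based on the cookie names in the log.

```shell
#!/bin/sh
# Added example: mask credentials in `openconnect --dump -v` output before the
# log is attached to a bug report or list post.
# Typical use (file names are placeholders): scrub_dump < raw.log > shareable.log

# Rules, in order:
#   1-2  <username>/<password> elements in the XML auth-reply
#   3    username=/password= pairs in a form-encoded body (--no-xmlpost)
#   4    value of a non-empty webvpn cookie (assumed to be session material)
#   5    the username echoed at the interactive "Username:" prompt
# The <input name="password"> form fields are left alone: they are form
# structure sent by the server, not secrets.
scrub_dump() {
    sed -E \
        -e 's#(<username>)[^<]*(</username>)#\1REDACTED\2#g' \
        -e 's#(<password>)[^<]*(</password>)#\1REDACTED\2#g' \
        -e 's#(^|[&[:space:]])((username|password)=)[^&[:space:]]*#\1\2REDACTED#g' \
        -e 's#((Set-)?Cookie: *webvpn=)[^;[:space:]]+#\1REDACTED#' \
        -e 's#^(Username:).*#\1REDACTED#'
}

# Constructed sample in the same layout as the dumps above ("> " = sent,
# "< " = received). None of these values come from the original post.
sample_dump() {
    cat <<'EOF'
> POST /+webvpn+/index.html HTTP/1.1
> Cookie: webvpn=0123ABCD@4567@89EF
>
> group_list=ExampleGroup&username=alice&password=S3cr3t%21
> <config-auth client="vpn" type="auth-reply"><auth><username>alice</username><password>S3cr3t!</password></auth></config-auth>
< <input type="password" name="password" label="Password:"></input>
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Username:alice
EOF
}

# Show the scrubbed form of the sample.
sample_dump | scrub_dump
```
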