In some cases hostscan can be looking for the existence of specific registry keys or software. Without the correct values the connection may be rejected. On the other hand, failure to provide the correct values may result in a successful connection but could result in being placed in a restricted vlan. It really comes down to how the administrators configured hostscan. If you find yourself in a scenario where the static CSD files (such as the one you linked) are not allowing you to connect then you will need to MITM the correct values from an AnyConnect client. That's where hostscan-bypass comes in handy! On Fri, Aug 17, 2018 at 3:10 PM Daniel Lenski <dlenski at gmail.com> wrote: > > On Fri, Aug 17, 2018 at 7:14 AM, Corey Gilks <coreygilks at gmail.com> wrote: > > All, > > > > I'm not certain if this is the appropriate place for this- if not I > > apologize! I was doing some research on generating openconnect CSD > > files and stumbled upon this discussion: > > > > http://lists.infradead.org/pipermail/openconnect-devel/2015-January/002544.html > > > > I wanted to let everyone know that I have automated this process. It's > > now possible to automatically generate openconnect CSD files in order > > to bypass the Cisco hostscan requirement. Even if the organization is > > not publishing binaries for your specific OS you can still connect. > > You can find the project here: > > > > https://github.com/Gilks/hostscan-bypass > > > > I realize this isn't really a question but I wanted to notify the > > openconnect dev team in case someone asks this again in the future! > > > > Very nice! I wish I had known that other people had MITM'ed the > (incredibly dumb) CSD/hostscan binaries? I had literally wasted weeks > trying to work around broken Linux and Windows hostscan binaries. > > David Woodhouse recently added a static spoofer script to openconnect: > http://git.infradead.org/users/dwmw2/openconnect.git/commitdiff/6eb0a6e3c4e8ae160154a4039a150c4d6a97b7ca > > It's basically a version of what your hostscan-bypass does, but with > pre-filled-in values. Seems to get the job done on the Cisco VPNs that > require it? is there any advantage to using a customized version, > other than simply to be more honest in what you're reporting to the > server?