Re: Option for endpoint.anyconnect.deviceuniqueid of Cisco/ASA DAP

Because there are always IT departments in large corporations who have silly (in the eye of the beholder) rules and work-inhibiting standards and policies.

Say: can’t do split tunneling. Must use client X. Must run on THIS hardware. There is no argument allowed. Either take it or leave it. So some people will get creative.

Ralph

Sent from my iPhone

> On Apr 23, 2020, at 19:44, Daniel Lenski <dlenski@xxxxxxxxx> wrote:
> 
> On Thu, Apr 23, 2020 at 10:29 AM yesi <yesi@xxxxxxxxxx> wrote:
>> The aim is to use OpenConnect and to disguise the Linux as a Windows Client.
> 
> Why? What is the point of disguising this client as another one?
> Does the VPN actually *prevent* you from connecting unless you spoof
> another device? Do the administrators yell at you if they see you are
> using an “unauthorized” client?
> 
> I don't fully understand why users want to do this.
> 
> From the point of view of developing OpenConnect and getting it to
> work with as many VPNs as possible, we want VPN admins to *see* that
> many of their users are using OpenConnect, and to understand that they
> need to take it seriously and test that it is supported as a client.
> Indistinguishably spoofing the official clients doesn't help this.
> 
>> So, I applied the patch from Raph to the git clone of the repo (SHA of the last
>> commit: 52bf0e97c8f6de9e057562a83e645075ffb98c2e) and I changed:
>> - the conditional option from --os=linux-64 to --os=win
>> - I gave the parameters by hand in env.sh: OC_DEVICE_TYPE,
>> OC_PLATFORM_VERSION, OC_MAC_ADDRESS
>> 
>> for the ASA attributes:
>> Session Attribute endpoint.anyconnect.devicetype
>> Session Attribute endpoint.anyconnect.platformversion
>> Session Attribute endpoint.anyconnect.deviceuniqueid
>> Session Attribute endpoint.anyconnect.macaddress["0"]
>> Session Attribute endpoint.anyconnect.publicmacaddress
>> 
>> Here are the options given to the CLI : --os=win --local-hostname
>> --useragent --version-string
>> 
>> But I got an error after connecting:
>> "unknown reason 'attempt-reconnect'. Maybe vpnc-script is out of date"
>> Then I lost my connection to a local server.
>> 
>> But, the patch does work fine.
>> It would be nice to add it. :)
> 
> I would propose that we add a CLI option, something like
> `--local-attributes` (to go along with `--local-hostname`):
> 
> - For AnyConnect, you could set, say "--local-attributes
> devicetype=FOO,platformversion=BAR,deviceuniqueid=BLAHBLAHBLAH"
> - For Juniper/Pulse, you could set "--local-attributes deviceid=BLAH"
> - For GP, you could set "--local-attributes hostid=BLAHBLAHBLAHBLAH"
> 
> … and we'd parse these into lists, and inject them into whatever bits
> of protocol-specific junk and Trojans demand them. David, I can code
> this up if it looks reasonable to you.
> 
> Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
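Dan's proposal is a single `--local-attributes key=value,key=value` argument that the client would parse into a list and later feed into whichever protocol asks for those attributes. The following is an added illustration of that parsing step, written for this archive page and not code from OpenConnect or from anyone in the thread. The function names `parse_local_attributes` and `local_attr_get`, the fixed-size `struct local_attrs`, and the rule that a later duplicate key overrides an earlier one are all assumptions of this example; the attribute names in the sample input are the ones mentioned in the thread.

```c
/* Added example: parse a "--local-attributes key=value,key=value" string
 * into a small key/value table, as the thread proposes. Not OpenConnect
 * code; all names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRS 16 /* assumed upper bound for this example */

struct local_attr {
    char key[32];
    char value[128];
};

struct local_attrs {
    struct local_attr items[MAX_ATTRS];
    int count;
};

/* Parse ARG into OUT. Returns the number of distinct keys stored, or -1 if
 * the input is malformed: a segment without '=', an empty key, a key or
 * value that does not fit, or more than MAX_ATTRS distinct keys. Empty
 * input yields 0. A repeated key overrides the earlier value (assumed
 * policy for this example). */
int parse_local_attributes(const char *arg, struct local_attrs *out)
{
    out->count = 0;
    if (!arg || !*arg)
        return 0;

    const char *p = arg;
    while (*p) {
        /* One comma-separated segment: [p, p+len) */
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);

        const char *eq = memchr(p, '=', len);
        if (!eq || eq == p)
            return -1; /* no '=' or empty key */

        size_t klen = (size_t)(eq - p);
        size_t vlen = len - klen - 1;
        if (klen >= sizeof out->items[0].key ||
            vlen >= sizeof out->items[0].value)
            return -1; /* would not fit; refuse rather than truncate */

        /* Reuse the slot if this key was already seen. */
        int idx = -1;
        for (int i = 0; i < out->count; i++) {
            if (strlen(out->items[i].key) == klen &&
                memcmp(out->items[i].key, p, klen) == 0) {
                idx = i;
                break;
            }
        }
        if (idx < 0) {
            if (out->count >= MAX_ATTRS)
                return -1;
            idx = out->count++;
            memcpy(out->items[idx].key, p, klen);
            out->items[idx].key[klen] = '\0';
        }
        memcpy(out->items[idx].value, eq + 1, vlen);
        out->items[idx].value[vlen] = '\0';

        p = comma ? comma + 1 : p + len;
    }
    return out->count;
}

/* Look up KEY; returns the stored value or NULL if absent. This is the
 * call a protocol module would make when it needs, e.g., "deviceuniqueid". */
const char *local_attr_get(const struct local_attrs *a, const char *key)
{
    for (int i = 0; i < a->count; i++)
        if (strcmp(a->items[i].key, key) == 0)
            return a->items[i].value;
    return NULL;
}

int main(void)
{
    /* Constructed sample using the attribute names from the thread. */
    const char *sample =
        "devicetype=FOO,platformversion=BAR,deviceuniqueid=BLAHBLAHBLAH";
    struct local_attrs attrs;

    int n = parse_local_attributes(sample, &attrs);
    if (n < 0) {
        fprintf(stderr, "malformed --local-attributes value\n");
        return 1;
    }
    for (int i = 0; i < attrs.count; i++)
        printf("%s => %s\n", attrs.items[i].key, attrs.items[i].value);
    return 0;
}
```

The parser rejects malformed segments outright instead of silently dropping them, so a typo in the option shows up as an error at startup rather than as a mysteriously missing attribute later in the protocol exchange.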