dlenski / openconnect

OpenConnect client extended to support Palo Alto Networks' GlobalProtect VPN

Authentication successful, but cannot connect to hosts due to HIP requirement #36

Closed howey closed 6 years ago

howey commented 7 years ago

Problem description

  1. I ran openconnect-gp as follows: openconnect --protocol=gp

The authentication is successful, but I cannot connect to any hosts or resolve any hostnames.

The symptoms are the same as in #15, but the solution to #15 does not solve my issue.

However, I encountered this same behavior on my official Windows machine, and the way I was able to resolve that was by updating my virus protection. I believe that this issue is caused by the server caring about HIP information.

Operating system and openconnect-gp version

openconnect-gp version:

 OpenConnect version v7.08-152-g7a420ca
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

operating system

Linux dylan-XPS13 4.4.4 #1 SMP Mon Mar 7 21:35:48 CST 2016 x86_64 x86_64 x86_64 GNU/Linux

GlobalProtect VPN information

Please enter your username and password
Password: 
POST https://XXXX.com/ssl-vpn/login.esp
Attempting to connect to server X.X.X.X:443
Connected to X.X.X.X:443
SSL negotiation with XXXX.com
Connected to HTTPS on XXXX.com
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: XXXX.com
> User-Agent: PAN GlobalProtect
> X-Pad: 00000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 148
> 
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&server=XXXX.com&computer=XXX&user=XXX&passwd=XXX
Got HTTP response: HTTP/1.1 200 OK
Server: 
Date: Wed, 07 Jun 2017 22:58:45 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
ETag: "XXXX"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
HTTP body length:  (166)
< 
< var respStatus = "Challenge";
< var respMsg = "Enter a response from your token with serial number XXXX.";
< thisForm.inputStr.value = "XXXX";
< 
Challenge: Enter a response from your token with serial number XXXX.
Enter a response from your token with serial number XXXX.
Username: XXX
Challenge: 
POST https://XXXX.com/ssl-vpn/login.esp
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: XXXX.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=XXXX
> X-Pad: 0000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 158
> 
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&server=XXXX.com&computer=XXX&inputStr=388e2&user=XXX&passwd=XXXX
Got HTTP response: HTTP/1.1 200 OK
Server: 
Date: Wed, 07 Jun 2017 22:58:57 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 614
Connection: keep-alive
ETag: "XXXX"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
Set-Cookie: PHPSESSID=XXXX; secure; HttpOnly
HTTP body length:  (614)
< <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>XXXX</argument><argument>XXXX</argument><argument>GP-Gateway-VPN-N</argument><argument>XXX</argument><argument>Auth-IDG-Radius2</argument><argument>vsys1</argument><argument>XXXX</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>tunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument></argument><argument></argument></application-desc></jnlp>
GlobalProtect login returned authentication-source=Auth-IDG-Radius2
POST https://XXXX.com/ssl-vpn/getconfig.esp
> POST /ssl-vpn/getconfig.esp HTTP/1.1
> Host: XXXX.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=XXXX
> X-Pad: 00000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 245
> 
> client-type=1&protocol-version=p1&app-version=3.0.1-10&os-version=linux-64&clientos=linux-64&hmac-algo=sha1%2cmd5&enc-algo=aes-128-cbc%2caes-256-cbc&authcookie=XXXX&portal=GP-Gateway-VPN-N&user=XXX&domain=XXXX
Got HTTP response: HTTP/1.1 200 OK
Server: 
Date: Wed, 07 Jun 2017 22:58:57 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1744
Connection: keep-alive
ETag: "XXXX"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
HTTP body length:  (1744)
< 
<   <response status="success">
<       <need-tunnel>yes</need-tunnel>
<       <ssl-tunnel-url>/ssl-tunnel-connect.sslvpn</ssl-tunnel-url>
<       <portal>GP-Gateway-VPN-N</portal>
<       <user>XXX</user>
<       <lifetime>2592000</lifetime>
<       <timeout>36000</timeout>
<       <disconnect-on-idle>28800</disconnect-on-idle>
<       <bw-c2s>1000</bw-c2s>
<       <bw-s2c>1000</bw-s2c>
<       <gw-address>X.X.X.X</gw-address>
<       <ip-address>192.168.207.112</ip-address>
<       <netmask>255.255.255.255</netmask>
<       <dns>
<           <member>10.1.4.28</member>
<           <member>10.1.4.29</member>
<       </dns> 
<       <wins>
<       </wins> 
<       <default-gateway>192.168.207.112</default-gateway>
<       <mtu>0</mtu>
<       <dns-suffix>
<           <member>XXXX.com</member>
<           <member>XXXX.com</member>
<       </dns-suffix> 
<       <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
<       <access-routes>
<           <member>0.0.0.0/0</member>
<           <member>10.1.4.28/32</member>
<           <member>10.1.4.29/32</member>
<       </access-routes> 
<       <ipsec>
<           <udp-port>4501</udp-port>
<           <ipsec-mode>esp-tunnel</ipsec-mode>
<           <enc-algo>aes-128-cbc</enc-algo>
<           <hmac-algo>sha1</hmac-algo>
<           <c2s-spi>XXXX</c2s-spi>
<           <s2c-spi>XXXX</s2c-spi>
<           <akey-s2c>
<               <bits>160</bits>
<               <val>XXXX</val>
<           </akey-s2c> 
<           <ekey-s2c>
<               <bits>128</bits>
<               <val>XXXX</val>
<           </ekey-s2c> 
<           <akey-c2s>
<               <bits>160</bits>
<               <val>XXXX</val>
<           </akey-c2s> 
<           <ekey-c2s>
<               <bits>128</bits>
<               <val>XXXX</val>
<           </ekey-c2s> 
<       </ipsec> 
<   </response>
TCP_INFO rcv mss 1452, snd mss 1452, adv mss 1460, pmtu 1500
No MTU received. Calculated 1410
Parameters for incoming ESP: SPI XXXX
ESP encryption type AES-128-CBC (RFC3602) key XXXX
ESP authentication type HMAC-SHA-1-96 (RFC2404) key XXXX
Parameters for outgoing ESP: SPI XXXX
ESP encryption type AES-128-CBC (RFC3602) key XXXX
ESP authentication type HMAC-SHA-1-96 (RFC2404) key XXXX
Send ESP probes
Connected as 192.168.207.112, using SSL
Received ESP packet of 84 bytes
ESP session established with server
Received ESP packet of 84 bytes
Received ESP packet of 84 bytes
ESP tunnel connected; exiting HTTPS mainloop.
No work to do; sleeping for 1000 ms...
Sent ESP packet of 100 bytes
No work to do; sleeping for 10000 ms...
Sent ESP packet of 100 bytes
Sent ESP packet of 100 bytes
Sent ESP packet of 100 bytes
Sent ESP packet of 100 bytes
No work to do; sleeping for 10000 ms...
Sent ESP packet of 100 bytes
No work to do; sleeping for 2000 ms...
Sent ESP packet of 116 bytes
No work to do; sleeping for 1000 ms...
^CSend ESP probes for DPD
POST https://XXXX.com/ssl-vpn/logout.esp
SSL negotiation with XXXX.com
Connected to HTTPS on XXXX.com
> POST /ssl-vpn/logout.esp HTTP/1.1
> Host: XXXX.com
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=XXXX
> X-Pad: 000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 113
> 
> computer=XXX&authcookie=XXXX&portal=GP-Gateway-VPN-N&user=XXX&domain=XXXX
Got HTTP response: HTTP/1.1 200 OK
Server: 
Date: Wed, 07 Jun 2017 22:59:57 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 161
Connection: keep-alive
ETag: "XXXX"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
HTTP body length:  (161)
< 
<   <response status="success">
<       <portal>GP-Gateway-VPN-N</portal>
<       <domain>XXXX</domain>
<       <user>XXX</user>
<       <computer>XXX</computer>
<   </response>
Logout successful
User cancelled (SIGINT); exiting.
<?xml version="1.0" encoding="UTF-8" ?>
<policy>
    <portal-name>GP-Portal-VPN</portal-name>
    <portal-config-version>4100</portal-config-version>
    <version>3.1.6-19                                                        </version>
    <client-role>global-protect-full</client-role>
    <agent-user-override-key>****</agent-user-override-key>
    <connect-method>on-demand</connect-method>
    <on-demand>yes</on-demand>
    <refresh-config>yes</refresh-config>
    <refresh-config-interval>1</refresh-config-interval>
    <authentication-modifier>
        <none/>
    </authentication-modifier>
    <authentication-override>
        <accept-cookie>no</accept-cookie>
        <generate-cookie>no</generate-cookie>
        <cookie-encrypt-decrypt-cert></cookie-encrypt-decrypt-cert>
    </authentication-override>
    <use-sso>no</use-sso>
    <gateways>
        <cutoff-time>5</cutoff-time>
        <external>
            <list>
                <entry name="XXXX.com">
                    <priority>0</priority>
                    <description>XXXX</description>
                </entry>
            </list>
        </external>
    </gateways>
    <agent-ui>
        <can-save-password>no</can-save-password>
        <passcode></passcode>
        <agent-user-override-timeout>0</agent-user-override-timeout>
        <max-agent-user-overrides>0</max-agent-user-overrides>
        <help-page>XXXX</help-page>
        <welcome-page>
            <display>no</display>
            <page></page>
        </welcome-page>
<agent-user-override>disabled</agent-user-override>
<enable-advanced-view>yes</enable-advanced-view>
<enable-do-not-display-this-welcome-page-again>yes</enable-do-not-display-this-welcome-page-again>
<can-change-portal>yes</can-change-portal>
<show-agent-icon>yes</show-agent-icon>
<password-expiry-message></password-expiry-message>

    </agent-ui>
    <hip-collection>
        <hip-report-interval>3600</hip-report-interval>
        <max-wait-time>20</max-wait-time>
        <collect-hip-data>yes</collect-hip-data>
        <default>
            <category>
                <member>host-info</member>
                <member>data-loss-prevention</member>
                <member>patch-management</member>
                <member>firewall</member>
                <member>antivirus</member>
                <member>anti-spyware</member>
                <member>disk-backup</member>
                <member>disk-encryption</member>
            </category>
        </default>
    </hip-collection>
    <agent-config>
    <save-user-credentials>2</save-user-credentials>
    <portal-2fa>no</portal-2fa>
    <internal-gateway-2fa>no</internal-gateway-2fa>
    <auto-discovery-external-gateway-2fa>no</auto-discovery-external-gateway-2fa>
    <manual-only-gateway-2fa>no</manual-only-gateway-2fa>
<client-upgrade>transparent</client-upgrade>
<logout-remove-sso>no</logout-remove-sso>
<krb-auth-fail-fallback>yes</krb-auth-fail-fallback>
<enforce-globalprotect>no</enforce-globalprotect>
<captive-portal-exception-timeout>0</captive-portal-exception-timeout>
<traffic-blocking-notification-delay>15</traffic-blocking-notification-delay>
<display-traffic-blocking-notification-msg>yes</display-traffic-blocking-notification-msg>
<traffic-blocking-notification-msg>XXXX</traffic-blocking-notification-msg>
<allow-traffic-blocking-notification-dismissal>yes</allow-traffic-blocking-notification-dismissal>
<display-captive-portal-detection-msg>no</display-captive-portal-detection-msg>
<captive-portal-detection-msg>XXXX</captive-portal-detection-msg>
<certificate-store-lookup>user-and-machine</certificate-store-lookup>
<scep-certificate-renewal-period>7</scep-certificate-renewal-period>
<ext-key-usage-oid-for-client-cert></ext-key-usage-oid-for-client-cert>
<retain-connection-smartcard-removal>yes</retain-connection-smartcard-removal>
<rediscover-network>yes</rediscover-network>
<resubmit-host-info>yes</resubmit-host-info>
<can-continue-if-portal-cert-invalid>yes</can-continue-if-portal-cert-invalid>
<user-switch-tunnel-rename-timeout>0</user-switch-tunnel-rename-timeout>
<pre-logon-tunnel-rename-timeout>-1</pre-logon-tunnel-rename-timeout>
<show-system-tray-notifications>no</show-system-tray-notifications>
<max-internal-gateway-connection-attempts>0</max-internal-gateway-connection-attempts>
<portal-timeout>30</portal-timeout>
<connect-timeout>60</connect-timeout>
<receive-timeout>30</receive-timeout>
<flush-dns>no</flush-dns>
<proxy-multiple-autodetect>no</proxy-multiple-autodetect>
<wsc-autodetect>yes</wsc-autodetect>
<ipv6-preferred>no</ipv6-preferred>
<prelogon-tunnel-rename-timeout>-1</prelogon-tunnel-rename-timeout>

    </agent-config>
<user-email>XXXX@XXXX</user-email>
<portal-userauthcookie>empty</portal-userauthcookie>
<portal-prelogonuserauthcookie>empty</portal-prelogonuserauthcookie>
<scep-cert-auth-cookie>XXXX</scep-cert-auth-cookie>
</policy>
dlenski commented 7 years ago

> However, I encountered this same behavior on my official Windows machine, and the way I was able to resolve that was by updating my virus protection. I believe that this issue is caused by the server caring about HIP information.

It sounds like you are probably right :frowning_face:.

I haven't put much effort into handling the HIP data collection because I haven't needed it personally, and doing it successfully is going to require collecting (or mimicking) a whole bunch of information about the client, which may additionally vary from VPN to VPN in ways that I don't understand.

Patches or a standalone script to do the HIP tap-dance would be welcome… unfortunately, I'm not sure when I'll have time to work on it myself.

videlanicolas commented 7 years ago

I have a script to report the HIP to the Gateway. It's simple and very straightforward. I'll fix it so that it takes the authentication cookie automatically.

Basically it works like this: You connect to the portal and download the gateways, then you connect to any gateway you choose, you'll receive an authentication cookie which you must use to report your HIP. Then the HIP report is just an XML reporting the things you have in your PC. It just doesn't work, because you can report any HIP you want.

I'll post the script in a moment to the repo.

dlenski commented 7 years ago

> I'll post the script in a moment to the repo.

This is freakin' amazing! Can't wait to try it out.

videlanicolas commented 7 years ago

I've added a pull request with a spoofer. PaloAlto says it's a feature so....

61

dlenski commented 7 years ago

@howey, does @videlanicolas's HIP-spoofer script work for you?

It's working for me and I'm going to start integrating it so that it'll be called automatically by openconnect.

See hipreport branch.

howey commented 7 years ago

I actually don't have access to this VPN anymore, so I'm not able to reproduce my original issue and I'm not in a position to verify a fix.

On Nov 1, 2017 1:27 AM, "Dan Lenski" notifications@github.com wrote:

@howey https://github.com/howey, does @videlanicolas https://github.com/videlanicolas's HIP-spoofer script work for you?

It's working for me and I'm going to start integrating it so that it'll be called automatically by openconnect.

See hipreport branch https://github.com/dlenski/openconnect/tree/hipreport.


videlanicolas commented 7 years ago

@dlenski thanks for that update on the script! Do you have a sample XML to try it out? I am working on a script to build a hip report of your own. I'll post it this week.

dlenski commented 7 years ago

@videlanicolas, that's great. I've been meaning to do the same. I've captured working HIP files from the Windows client logs as well as via mitmproxy.

Here's the basic sketch of the XML that my HIP-requiring GP VPN accepts. I can't figure out what the md5sum is the md5sum of, but the good news is that it doesn't seem to matter; the GP server doesn't validate it independently, but only uses it to check whether it has changed from one request to the next of hipreportcheck.py for a given IP.

My VPN's HIP checker seems to be particularly stupid, in that it requires the host-ID to match a specific value, but doesn't validate much of anything else. The generate-time can be set to several years ago, and I can tell it a different md5sum every time, and it still works. Others may be pickier.

<hip-report name="hip-report">
    <md5-sum>$MD5SUM</md5-sum>
    <user-name>$USER</user-name> <!-- this is the user from the GP login.esp response -->
    <domain>$DOMAIN</domain><!-- this is the domain from the GP login.esp response -->
    <host-name>$LOCALHOSTNAME</host-name><!-- this is the hostname of the login request -->

    <!-- Host ID looks like an md5sum, with - inserted after the 8th, 12th, 16th, 24th characters.
         It is used by at least some VPNs to deny access to non-matching hosts-->
    <host-id>$HOSTID</host-id>

    <!-- These are the IP addresses of the PanGP tunnel network interface, returned in the getconfig.esp response -->
    <ip-address>$CLIENTIPV4ADDRESS</ip-address>
    <ipv6-address>$CLIENTIPV6ADDRESS</ipv6-address>

    <!-- Generate time has the strftime format of "%m/%d/%Y %H:%M:%S" -->
    <generate-time>$GENTIME</generate-time>

    <categories>
        <entry name="host-info">
            <client-version>4.0.2-19</client-version>
            <os>Microsoft Windows 10 Pro , 64-bit</os>
            <os-vendor>Microsoft</os-vendor>
            <domain>${DOMAIN}.internal</domain>
            <host-name>$LOCALHOSTNAME</host-name>
            <host-id>$HOSTID</host-id>
            <network-interface>
                <entry name="...">
                    <description>PANGP Virtual Ethernet Adapter</description>
                    <mac-address>aa-bb-cc-dd-ee-ff</mac-address>
                    <ip-address>
                        <entry name="$CLIENTIPV4ADDRESS"/>
                    </ip-address>
                    <ipv6-address>
                        <entry name="$CLIENTIPV6ADDRESS"/>
                    </ipv6-address>
                </entry>
                ...
            </network-interface>
        </entry>
        <entry name="antivirus">
            <list>
                <entry>
                    <ProductInfo>
                        <Prod name="McAfee VirusScan Enterprise" version="8.8.0.1804" defver="8682.0" prodType="1" engver="5900.7806" osType="1" vendor="McAfee, Inc." dateday="12" dateyear="2017" datemon="10">
                        </Prod>
                        <real-time-protection>yes</real-time-protection>
                        <!-- Same format as generate time -->
                        <last-full-scan-time>$TIMESTAMP</last-full-scan-time>
                    </ProductInfo>
                </entry>
                <entry>
                    <ProductInfo>
                        <Prod name="Windows Defender" version="4.11.15063.332" defver="1.245.683.0" prodType="1" engver="1.1.13804.0" osType="1" vendor="Microsoft Corp." dateday="8" dateyear="2017" datemon="6">
                        </Prod>
                        <real-time-protection>no</real-time-protection>
                        <last-full-scan-time>n/a</last-full-scan-time>
                    </ProductInfo>
                </entry>
            </list>
        </entry>
        <entry name="anti-spyware">
            <list>
                <entry>
                    <ProductInfo>
                        <Prod name="McAfee VirusScan Enterprise" version="8.8.0.1804" defver="8682.0" prodType="2" engver="5900.7806" osType="1" vendor="McAfee, Inc." dateday="12" dateyear="2017" datemon="10">
                        </Prod>
                        <real-time-protection>yes</real-time-protection>
                        <last-full-scan-time>$TIMESTAMP</last-full-scan-time>
                    </ProductInfo>
                </entry>
                <entry>
                    <ProductInfo>
                        <Prod name="Windows Defender" version="4.11.15063.332" defver="1.245.683.0" prodType="2" engver="1.1.13804.0" osType="1" vendor="Microsoft Corp." dateday="8" dateyear="2017" datemon="6">
                        </Prod>
                        <real-time-protection>no</real-time-protection>
                        <last-full-scan-time>n/a</last-full-scan-time>
                    </ProductInfo>
                </entry>
            </list>
        </entry>
        <entry name="disk-backup">
            <list>
                <entry>
                    <ProductInfo>
                        <Prod name="Windows Backup and Restore" version="10.0.15063.0" vendor="Microsoft Corp.">
                        </Prod>
                        <last-backup-time>n/a</last-backup-time>
                    </ProductInfo>
                </entry>
            </list>
        </entry>
        <entry name="disk-encryption">
            <list>
                <entry>
                    <ProductInfo>
                        <Prod name="Windows Drive Encryption" version="10.0.15063.0" vendor="Microsoft Corp.">
                        </Prod>
                        <drives>
                            <entry>
                                <drive-name>C:</drive-name>
                                <enc-state>full</enc-state>
                            </entry>
                        </drives>
                    </ProductInfo>
                </entry>
            </list>
        </entry>
        <entry name="firewall">
            <list>
                <entry>
                    <ProductInfo>
                        <Prod name="Microsoft Windows Firewall" version="10.0" vendor="Microsoft Corp.">
                        </Prod>
                        <is-enabled>yes</is-enabled>
                    </ProductInfo>
                </entry>
            </list>
        </entry>
        <entry name="patch-management">
            <list>
                <entry>
                    <ProductInfo>
                        <Prod name="McAfee ePolicy Orchestrator Agent" version="5.0.5.658" vendor="McAfee, Inc.">
                        </Prod>
                        <is-enabled>yes</is-enabled>
                    </ProductInfo>
                </entry>
                <entry>
                    <ProductInfo>
                        <Prod name="Microsoft Windows Update Agent" version="10.0.15063.0" vendor="Microsoft Corp.">
                        </Prod>
                        <is-enabled>yes</is-enabled>
                    </ProductInfo>
                </entry>
            </list>
            <missing-patches>
                <entry>
                    <title>AMD - Other hardware - PCI bus</title>
                    <description>AMD Other hardware software update released in February, 2015</description>
                    <product>Windows 10 and later drivers</product>
                    <vendor>Microsoft Corporation</vendor>
                    <info-url>http://sysdev.microsoft.com/support/default.aspx</info-url>
                    <kb-article-id/>
                    <security-bulletin-id/>
                    <severity>0</severity>
                    <category>4</category>
                    <is-installed>no</is-installed>
                </entry>
                ...
            </missing-patches>
        </entry>
        <entry name="data-loss-prevention">
            <list/>
        </entry>
    </categories>
</hip-report>
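
A receiving-side consistency check for the report layout sketched above, as an added example (not code from this thread, OpenConnect, or Palo Alto). It compares a report against the portal policy's `<hip-collection>` block and the tunnel address from `getconfig.esp`; the function names, the enrolled host-ID lookup and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

GENTIME_FMT = "%m/%d/%Y %H:%M:%S"  # generate-time format given in the thread

def policy_requirements(policy_xml):
    """Return (required category names, report interval) from the portal policy."""
    hip = ET.fromstring(policy_xml).find("hip-collection")
    cats = {m.text.strip() for m in hip.iterfind("default/category/member")}
    return cats, timedelta(seconds=int(hip.findtext("hip-report-interval")))

def check_hip_report(report_xml, required, max_age, tunnel_ip, enrolled_host_id, now):
    """Return a list of findings; an empty list means the report is self-consistent.

    Every value is asserted by the client, so these checks only catch stale or
    inconsistent reports. They cannot prove the described software is installed.
    """
    rep = ET.fromstring(report_xml)
    findings = []

    # 1. Every category the portal policy asks for must appear in the report.
    present = {e.get("name") for e in rep.iterfind("categories/entry")}
    for name in sorted(required - present):
        findings.append(f"missing category: {name}")

    # 2. generate-time must parse and fall inside the reporting interval.
    #    Assumption: client and checker clocks use the same time zone.
    raw = rep.findtext("generate-time", "").strip()
    try:
        if abs(now - datetime.strptime(raw, GENTIME_FMT)) > max_age:
            findings.append(f"generate-time outside allowed window: {raw}")
    except ValueError:
        findings.append(f"unparseable generate-time: {raw!r}")

    # 3. ip-address must be the tunnel address handed out in getconfig.esp.
    if rep.findtext("ip-address", "").strip() != tunnel_ip:
        findings.append("ip-address does not match assigned tunnel address")

    # 4. host-id must agree in both places and match the enrolled device.
    top = rep.findtext("host-id", "").strip()
    inner = rep.findtext("categories/entry[@name='host-info']/host-id", "").strip()
    if top != inner:
        findings.append("host-id differs between report header and host-info")
    if top != enrolled_host_id:
        findings.append("host-id is not the enrolled value for this user")
    return findings

# Constructed sample input (trimmed to the fields the checks read).
POLICY = """<policy><hip-collection>
  <hip-report-interval>3600</hip-report-interval>
  <default><category>
    <member>host-info</member><member>antivirus</member>
    <member>disk-encryption</member>
  </category></default>
</hip-collection></policy>"""

REPORT = """<hip-report name="hip-report">
  <host-id>HOSTID-CONSTRUCTED</host-id>
  <ip-address>192.168.207.112</ip-address>
  <generate-time>06/07/2015 10:00:00</generate-time>
  <categories>
    <entry name="host-info"><host-id>HOSTID-CONSTRUCTED</host-id></entry>
    <entry name="antivirus"><list/></entry>
  </categories>
</hip-report>"""

def demo(report=REPORT, tunnel_ip="192.168.207.112"):
    required, interval = policy_requirements(POLICY)
    return check_hip_report(report, required, interval, tunnel_ip,
                            "HOSTID-CONSTRUCTED", datetime(2017, 11, 1, 12, 0, 0))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
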
luciavmf commented 5 years ago

Hi! I'm having the same issue, how did you fix it? Thanks

dlenski commented 5 years ago

@luciavmf, please read the documentation on HIP report submission using OpenConnect v8.*, and submit a new issue with detailed logs if you are then still having a problem with OpenConnect 8.0+.