vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0

Error on connection. Help needed to start investigating #56

Closed zoltan-fedor closed 3 years ago

zoltan-fedor commented 3 years ago

First of all, thanks for the great wrapper. I am using Cisco AnyConnect successfully, but I am having trouble with the Docker network, so I am trying to use openconnect.

OpenConnect-sso: 0.7.3
OS: Linux Mint 20.1
Kernel: 5.4.0-72

As I have a working Cisco AnyConnect profile, I tried to connect using:

$ openconnect-sso
[info     ] Loading profiles from file     [openconnect_sso.profile] path=XXXX-Profile.xml
Traceback (most recent call last):
  File "/home/user/.local/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 119, in _run
    profiles = get_profiles(Path(args.profile_path))
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/profile.py", line 47, in get_profiles
    profiles.extend(_get_profiles_from_one_file(p))
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/profile.py", line 29, in _get_profiles_from_one_file
    user_group=entry.UserGroup,
  File "src/lxml/objectify.pyx", line 231, in lxml.objectify.ObjectifiedElement.__getattr__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: {http://schemas.xmlsoap.org/encoding/}UserGroup

I have also tried connecting anew:

$ openconnect-sso --server yyyyyyyyy.vpn.xxxxxxxx.com -l debug
Using selector: EpollSelector
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=yyyyyyyyy.vpn.xxxxxxxx.com name=
Starting new HTTPS connection (1): yyyyyyyyy.vpn.xxxxxxxx.com:443
https://yyyyyyyyy.vpn.xxxxxxxx.com:443 "GET / HTTP/1.1" 302 0
Starting new HTTPS connection (1): abc1.vpn.xxxxxxxx.com:443
https://abc1.vpn.xxxxxxxx.com:443 "GET / HTTP/1.1" 200 None
[debug    ] Auth target url                [openconnect_sso.authenticator] url=https://abc1.vpn.xxxxxxxx.com/
[debug    ] Sending auth init request      [openconnect_sso.authenticator] content=b'<?xml version=\'1.0\' encoding=\'UTF-8\'?>\n<config-auth client="vpn" type="init" aggregate-auth-version="2">\n  <version who="vpn">4.7.00136</version>\n  <device-id>linux-64</device-id>\n  <group-select></group-select>\n  <group-access>https://abc1.vpn.xxxxxxxx.com/</group-access>\n  <capabilities>\n    <auth-method>single-sign-on-v2</auth-method>\n  </capabilities>\n</config-auth>\n'
Starting new HTTPS connection (1): abc1.vpn.xxxxxxxx.com:443
https://abc1.vpn.xxxxxxxx.com:443 "POST / HTTP/1.1" 200 None
[debug    ] Auth init response received    [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">\n<client-cert-request></client-cert-request>\n</config-auth>\n'
Traceback (most recent call last):
  File "/home/user/.local/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/app.py", line 139, in _run
    auth_response = await authenticate_to(
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 22, in authenticate
    response = self._start_authentication()
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 67, in _start_authentication
    return parse_response(response)
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 140, in parse_response
    return parse_auth_request_response(xml)
  File "/home/user/.local/pipx/venvs/openconnect-sso/lib/python3.8/site-packages/openconnect_sso/authenticator.py", line 146, in parse_auth_request_response
    assert xml.auth.get("id") == "main"
  File "src/lxml/objectify.pyx", line 231, in lxml.objectify.ObjectifiedElement.__getattr__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: auth

Any pointers for troubleshooting?

vlaci commented 3 years ago

The server responds with the following xml:

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
  <client-cert-request/>
</config-auth>

It seems that the server expects client certificate authentication. openconnect-sso cannot handle this authentication scheme. I don't have any information on how this client-cert-request should be handled.
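To make the failure mode above diagnosable rather than a bare AttributeError, here is an added example (not openconnect-sso's own code) that inspects a config-auth reply and reports whether the gateway is starting the SSO flow or demanding a client certificate. The reply bytes are the ones quoted in this issue; the `<auth id="main"/>` sample is constructed to match the check the wrapper performs, and the function name is hypothetical.

```python
# Added example, not part of openconnect-sso: classify a Cisco aggregate-auth
# "config-auth" reply instead of assuming <auth id="main"> is always present.
import xml.etree.ElementTree as ET

# The reply quoted in this issue (gateway asks for a client certificate).
CLIENT_CERT_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
  <client-cert-request/>
</config-auth>
"""

# Constructed sample of the shape the wrapper's parser expects to see.
SSO_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
  <auth id="main"/>
</config-auth>
"""


def classify_auth_response(raw: bytes) -> str:
    """Return 'sso', 'client-cert-required' or 'unsupported' for a reply body.

    Hypothetical helper: mirrors the decision the wrapper makes implicitly
    (xml.auth.get("id") == "main") but surfaces the other outcomes by name.
    """
    root = ET.fromstring(raw)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        return "unsupported"
    if root.find("client-cert-request") is not None:
        # The gateway wants certificate-based auth; the SSO flow never starts.
        return "client-cert-required"
    auth = root.find("auth")
    if auth is not None and auth.get("id") == "main":
        return "sso"
    return "unsupported"


if __name__ == "__main__":
    for label, body in (("issue reply", CLIENT_CERT_REPLY), ("sso", SSO_REPLY)):
        print(f"{label}: {classify_auth_response(body)}")
```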

zoltan-fedor commented 3 years ago

Thanks, yes, I thought that that might be the case. Thanks