
Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working
Greetings Everyone,

I was having issues connecting to my work's Cisco VPN. Everyone was
saying "Windows/Mac only bro" and "I've never seen it work on linux",
but I would not be deterred.

I would see the message:

> Enter a response from your token with serial number XXXXXXXXXX.

followed by:

> vpnc: xauth packet unsupported: (ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED)(13)

without any prompting. Hard failure. This was happening after the
username/password prompt, during the authentication phase. With --debug 99
set, I saw what the problem was:

PARSING PAYLOAD type: 0e (ISAKMP_PAYLOAD_MODECFG_ATTR)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0053
modecfg.type: 01 (ISAKMP_MODECFG_CFG_REQUEST)
[...]
t.attributes.type: 0015 (unknown)
t.attributes.u.attr_16: 0002
DONE PARSING PAYLOAD type: 0e (ISAKMP_PAYLOAD_MODECFG_ATTR)

t.attributes.type 0x0015? Surely that has a defined value somewhere! I
googled high-and-low, I tried the vpnc-nortel branch because it had an
enum value for that, I did everything I could think of but I could not
get past this phase until I finally said fuck it and made the
following change (to echo the attribute and value back to the server):

svn diff
Index: vpnc.c
===================================================================
--- vpnc.c (revision 517)
+++ vpnc.c (working copy)
@@ -2236,6 +2236,7 @@
case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
+ case 21:
break;
case ISAKMP_XAUTH_06_ATTRIB_MESSAGE:
if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
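Review bot: the bare literal `case 21:` added to this attribute-validation switch should be a named constant shared with the second hunk, e.g. the `ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015` macro Antonio proposes for isakmp.h, with a comment stating that its meaning is undocumented and that it was observed on a Cisco hybrid-XAUTH gateway; the same magic number typed into two separate switches is exactly how the two lists drift apart when one of them is edited later.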
@@ -2266,6 +2267,7 @@

switch (ap->type) {
case ISAKMP_XAUTH_06_ATTRIB_TYPE:
+ case 21:
{
na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
break;
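Review bot: `case 21:` is added to the branch that echoes the attribute via `new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL)`, which assumes the server sent 0x0015 in the 16-bit (AF=1) form. The debug trace above (`t.attributes.u.attr_16: 0002`) shows that holds for this gateway, but if another gateway ever sends the same type as a length-prefixed attribute, `ap->u.attr_16` reads the wrong union member and the echoed reply is garbage. Suggest guarding on the attribute's format before echoing, or at least a comment that the 16-bit form is assumed, and the same named macro as in the first hunk instead of the literal.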

And it worked. What is attribute type 21 (0x15)? Does anyone have any
insight? Apparently my job's VPN was pleased, and currently that's
good enough for me.

Dan Motles
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
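The debug trace in the post is vpnc walking the data attributes of a MODECFG payload, where each attribute carries an AF bit (RFC 2408 section 3.3) that selects between a fixed 16-bit value (`attr_16`) and a length-prefixed value. The block below is an added example, not vpnc's code or the thread's patch: it parses that attribute format from a constructed CFG_REQUEST modelled on the trace (XAUTH_TYPE, a prompt message, an empty answer slot, and the unknown type 0x0015 = 2), rejects an attribute whose declared length overruns the buffer, and builds the echoed part of the reply using the policy the patch introduces. The macro `ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015` is the name Antonio suggests, assumed here rather than taken from vpnc's isakmp.h; the XAUTH attribute numbers are the ones assigned in draft-beaulieu-ike-xauth.

```c
#include <stdint.h>
#include <string.h>

/* XAUTH_TYPE is 16520 in draft-beaulieu-ike-xauth. 0x0015 is the undocumented Cisco value from
 * the thread, under the macro name Antonio proposed (assumed here; not vpnc's real isakmp.h). */
#define ISAKMP_XAUTH_06_ATTRIB_TYPE 16520
#define ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 0x0015
#define ISAKMP_ATTR_AF 0x8000u  /* RFC 2408 3.3: AF=1 -> 16-bit value, AF=0 -> length + data */

/* One decoded data attribute: value is used when af == 1, len/data when af == 0. */
struct attr { uint16_t type; int af; uint16_t value, len; const uint8_t *data; };

/* Parse ISAKMP data attributes from n bytes at p into out (at most max). Returns the count,
 * or -1 on a truncated header, a TLV length that overruns the payload, or too many attributes. */
int parse_attrs(const uint8_t *p, size_t n, struct attr *out, int max)
{
    int count = 0;
    for (size_t off = 0; off < n; ) {
        if (n - off < 4 || count >= max) return -1;
        uint16_t hdr = (uint16_t)((p[off] << 8) | p[off + 1]);
        uint16_t v = (uint16_t)((p[off + 2] << 8) | p[off + 3]);
        struct attr *a = &out[count++];
        a->type = hdr & 0x7fff;
        a->af = (hdr & ISAKMP_ATTR_AF) != 0;
        a->value = a->af ? v : 0;
        a->len = a->af ? 0 : v;
        a->data = a->af ? NULL : p + off + 4;
        if (n - off - 4 < a->len) return -1;  /* declared length runs past the buffer */
        off += 4 + (size_t)a->len;
    }
    return count;
}

/* Re-encode one attribute in the form it arrived in; returns bytes written, 0 if cap is too small. */
size_t encode_attr(const struct attr *a, uint8_t *out, size_t cap)
{
    size_t need = 4 + (size_t)a->len;
    uint16_t hdr = (uint16_t)(a->type | (a->af ? ISAKMP_ATTR_AF : 0));
    uint16_t v = a->af ? a->value : a->len;
    if (cap < need) return 0;
    out[0] = hdr >> 8; out[1] = hdr & 0xff; out[2] = v >> 8; out[3] = v & 0xff;
    if (a->len) memcpy(out + 4, a->data, a->len);
    return need;
}

/* Build the echoed part of the reply, the policy the thread's patch implements: XAUTH_TYPE
 * and 0x0015 go back unchanged. Returns bytes written, 0 if out is too small. */
size_t build_echo_reply(const struct attr *attrs, int n, uint8_t *out, size_t cap)
{
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        if (attrs[i].type != ISAKMP_XAUTH_06_ATTRIB_TYPE &&
            attrs[i].type != ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015) continue;
        size_t w = encode_attr(&attrs[i], out + used, cap - used);
        if (w == 0) return 0;
        used += w;
    }
    return used;
}

/* Constructed CFG_REQUEST modelled on the thread's debug output (not a real capture). */
static const uint8_t sample_payload[] = {
    0x00, 0x00, 0x00, 0x1e,  /* generic header: next payload NONE, reserved, length 30 */
    0x01, 0x00, 0x00, 0x00,  /* MODECFG header: type CFG_REQUEST, reserved, identifier */
    0xc0, 0x88, 0x00, 0x00,  /* XAUTH_TYPE (16520), AF=1, value 0 */
    0x40, 0x8c, 0x00, 0x06, 'T', 'o', 'k', 'e', 'n', ':',  /* XAUTH_MESSAGE (16524), AF=0 */
    0x40, 0x91, 0x00, 0x00,  /* XAUTH_ANSWER (16529), AF=0, empty: the server wants a token code */
    0x80, 0x15, 0x00, 0x02   /* attribute 0x0015, AF=1, value 2: the one vpnc rejected */
};
static const uint8_t expected_reply[] = { 0xc0, 0x88, 0x00, 0x00, 0x80, 0x15, 0x00, 0x02 };

/* Value carried by attribute 0x0015 in the sample, or -1 if absent or malformed. */
int sample_unknown_attr_value(void)
{
    struct attr attrs[8];
    int n = parse_attrs(sample_payload + 8, sizeof sample_payload - 8, attrs, 8);
    for (int i = 0; i < n; i++)
        if (attrs[i].type == ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 && attrs[i].af) return attrs[i].value;
    return -1;
}

/* 1 if echoing the sample yields exactly expected_reply. */
int sample_reply_is_expected(void)
{
    struct attr attrs[8];
    uint8_t out[64];
    int n = parse_attrs(sample_payload + 8, sizeof sample_payload - 8, attrs, 8);
    size_t len = n < 0 ? 0 : build_echo_reply(attrs, n, out, sizeof out);
    return len == sizeof expected_reply && memcmp(out, expected_reply, len) == 0;
}

/* 1 if a TLV whose declared length exceeds the buffer is rejected instead of read. */
int truncated_attr_rejected(void)
{
    static const uint8_t bad[] = { 0x40, 0x8c, 0x00, 0x10 };  /* claims 16 bytes, carries none */
    struct attr attrs[2];
    return parse_attrs(bad, sizeof bad, attrs, 2) == -1;
}
```

The block is written as a library to be driven from a small `main` or a test harness: `sample_unknown_attr_value()` returns 2, matching `t.attributes.u.attr_16: 0002` in the trace, and `sample_reply_is_expected()` confirms the reply contains only the two echoed attributes in their original AF=1 encoding. The length check in `parse_attrs` is the part worth keeping in mind when adding unknown attribute types to a client: an echoed attribute should only ever be rebuilt from bytes that were actually inside the payload.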
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
On Mon, Mar 4, 2013 at 1:28 AM, Daniel Motles <seltom.dan@gmail.com> wrote:
> Greetings Everyone,
>
> I was having issues connecting to my work's Cisco VPN. Everyone was
> saying "Windows/Mac only bro" and "I've never seen it work on linux",
> but I would not be deterred.
... snip...
> ... until I finally said fuck it and made the
> following change (to echo the attribute and value back to the server):

Hi Daniel,
good to know you got it working!

> And it worked. What is attribute type 21 (0x15)? Does anyone have any
> insight? Apparently my job's VPN was pleased, and currently that's
> good enough for me.

I checked quickly, but I also cannot find an explanation for that value.
Let me say that Cisco, Nortel and now Avaya all use undocumented
values, either to pass special values or to acknowledge that the user is
using their client SW.
Only by reverse engineering the handshake can we identify such values.

I'm in favour of committing your patch, if nobody has major concerns.

I would just suggest replacing the value 0x15 with a macro in isakmp.h.
Something like
ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015
should be good, until a better interpretation of its purpose can be found.

Could you provide additional info about the Cisco concentrator?
Just to add it in the commit comment.

Best Regards,
Antonio
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
I'm not very knowledgeable on the terminology, but we use a cisco 1941
with hybrid xauth. I was told by my guys that it's the hybrid xauth
system that is likely causing that, it's some cisco proprietary
scheme, and it's basically 'a mix of group and user vpn connections -
the group lets you attempt to sign in as yourself to the group's
context'. I have no idea what that means, but there you have it.

On Mon, Mar 4, 2013 at 1:35 AM, Antonio Borneo <borneo.antonio@gmail.com> wrote:
> On Mon, Mar 4, 2013 at 1:28 AM, Daniel Motles <seltom.dan@gmail.com> wrote:
>> Greetings Everyone,
>>
>> I was having issues connecting to my work's Cisco VPN. Everyone was
>> saying "Windows/Mac only bro" and "I've never seen it work on linux",
>> but I would not be deterred.
> ... snip...
>> ... until I finally said fuck it and made the
>> following change (to echo the attribute and value back to the server):
>
> Hi Daniel,
> good to know you got it working!
>
>> And it worked. What is attribute type 21 (0x15)? Does anyone have any
>> insight? Apparently my job's VPN was pleased, and currently that's
>> good enough for me.
>
> I checked quickly, but I also cannot find an explanation for that value.
> Let me say that Cisco, Nortel and now Avaya all use undocumented
> values, either to pass special values or to acknowledge that the user is
> using their client SW.
> Only by reverse engineering the handshake can we identify such values.
>
> I'm in favour of committing your patch, if nobody has major concerns.
>
> I would just suggest replacing the value 0x15 with a macro in isakmp.h.
> Something like
> ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015
> should be good, until a better interpretation of its purpose can be found.
>
> Could you provide additional info about the Cisco concentrator?
> Just to add it in the commit comment.
>
> Best Regards,
> Antonio
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
On Mon, Mar 4, 2013 at 10:55 PM, Daniel Motles <seltom.dan@gmail.com> wrote:
> I'm not very knowledgeable on the terminology, but we use a cisco 1941
> with hybrid xauth. I was told by my guys that it's the hybrid xauth
> system that is likely causing that, it's some cisco proprietary
> scheme, and it's basically 'a mix of group and user vpn connections -
> the group lets you attempt to sign in as yourself to the group's
> context'. I have no idea what that means, but there you have it.

Hi Daniel,

I have committed your patch to the SVN repository.
I have also included a modified version in the Nortel branch. The
target is to have Nortel branch supporting "also" Cisco.

Could you please check if now the Nortel branch works in your case?
There should be no need to modify your config file or command line,
since default case is "--vendor cisco".

Best Regards,
Antonio
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
On 10.03.2013 at 16:05, Antonio Borneo <borneo.antonio@gmail.com> wrote:

> On Mon, Mar 4, 2013 at 10:55 PM, Daniel Motles <seltom.dan@gmail.com> wrote:
>> I'm not very knowledgeable on the terminology, but we use a cisco 1941
>> with hybrid xauth. I was told by my guys that it's the hybrid xauth
>> system that is likely causing that, it's some cisco proprietary
>> scheme, and it's basically 'a mix of group and user vpn connections -
>> the group lets you attempt to sign in as yourself to the group's
>> context'. I have no idea what that means, but there you have it.
>
> Hi Daniel,
>
> I have committed your patch to the SVN repository.
> I have also included a modified version in the Nortel branch. The
> target is to have Nortel branch supporting "also" Cisco.

I support the idea of having one version of vpnc supporting both Cisco and Nortel connections.
But for me it seems then also reasonable to have this universal version as the trunk. What do you think?

Best regards,
Fabian
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
On Sun, Mar 10, 2013 at 11:13 PM, "[ChungwaSoft] Fabian Jäger"
<fabian.jaeger@chungwasoft.com> wrote:
> I support the idea of having one version of vpnc supporting both Cisco and Nortel connections.
> But for me it seems then also reasonable to have this universal version as the trunk. What do you think?

Hi Fabian,
this was also my target.

But I do not have access to Cisco systems to actively test it, so I
just kept a low profile in the Nortel branch.
I should install a Cisco simulator. Never had time to check for it.

By the way, I'm going to lose my access to Nortel servers soon, so
not sure I could continue this activity.

Antonio
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
ChungwaSoft | Fabian Jäger | Founder & Software Engineer | main projects - Shimo, GeoTagr
contact | fabian.jaeger@chungwasoft.com | aim - fabian.jaeger@mac.com | twitter - dotGuru

On 10.03.2013 at 16:34, Antonio Borneo <borneo.antonio@gmail.com> wrote:

> But I do not have access to Cisco systems to actively test it, so I
> just kept a low profile in the Nortel branch.
> I should install a Cisco simulator. Never had time to check for it.
>
> By the way, I'm going to lose my access to Nortel servers soon, so
> not sure I could continue this activity.

I also haven't looked into Cisco VPN simulators. Is there anybody with some experience in this field?
Does similar software exist for Nortel, Avaya ... VPN gateways? Then we could do testing based on such simulators.

Best regards,
Fabian
Re: Issues with XAUTH and 2-factor authentication (Username/Password and SecureID) and how I got mine working [ In reply to ]
On Sun, Mar 10, 2013 at 11:42 PM, "[ChungwaSoft] Fabian Jäger"
<fabian.jaeger@chungwasoft.com> wrote:
> I also haven't looked into Cisco VPN simulators. Is there anybody with some experience in this field?

I kept these two links, but never went deep into them:
http://7200emu.hacki.at/index.php
http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator

> Does similar software exist for Nortel, Avaya ... VPN gateways? Then we could do testing based on such simulators.

I'm not aware of any of them

Antonio