
svn commit: vpnc r527 - /branches/vpnc-nortel/isakmp.h /branches/vpnc-nortel/vpnc.c /trunk/isakmp.h /trunk/vpnc.c
Author: Antonio Borneo
Date: Sun Mar 10 16:01:50 2013
New Revision: 527

Log:
cisco: handle t.attributes.type=0x0015

Issues with XAUTH and 2-factor authentication (Username/Password and
SecureID) and how I got mine working.

On Cisco 1941 with hybrid xauth.

I was having issues connecting to my work's Cisco VPN.
I would see the message:

> Enter a response from your token with serial number XXXXXXXXXX.

followed by:

> vpnc: xauth packet unsupported: (ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED)(13)

without any prompting. Hard failure. This was happening after the
username/password prompt, during authentication phase. With --debug 99
set, I saw what the problem was:

PARSING PAYLOAD type: 0e (ISAKMP_PAYLOAD_MODECFG_ATTR)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0053
modecfg.type: 01 (ISAKMP_MODECFG_CFG_REQUEST)
[...]
t.attributes.type: 0015 (unknown)
t.attributes.u.attr_16: 0002
DONE PARSING PAYLOAD type: 0e (ISAKMP_PAYLOAD_MODECFG_ATTR)

t.attributes.type 0x0015? Surely that has a defined value somewhere! I
googled high-and-low, I tried the vpnc-nortel branch because it had an
enum value for that, I did everything I could think of but I could not
get past this phase until I finally said fuck it and made the
following change (to echo the attribute and value back to the server).

And it worked. What is attribute type 21 (0x15)? Does anyone have any
insight? Apparently my job's VPN was pleased, and currently that's
good enough for me.
Dan Motles

This attribute 0x0015 is already used in the Nortel branch
as ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN.
The patch in Nortel branch to handle this case is a little more complex.
Antonio Borneo

Signed-off-by: Daniel Motles <seltom.dan@gmail.com>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
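The attribute encoding behind the debug dump in the log, and the echo the patch sends back, as an added C example that is not vpnc code (the struct, function names and sample bytes are mine): it parses ISAKMP data attributes as defined in RFC 2408 section 3.3, rejects a truncated list, and builds the 4-byte basic attribute that returns 0x0015 with its value unchanged.

```c
#include <stdint.h>
#include <stddef.h>

#define ATTR_AF_BASIC 0x8000u  /* RFC 2408 s3.3: AF=1 -> 2-byte value inline */
struct attr {
    uint16_t type, value;     /* type with AF bit stripped; basic value or data length */
    int basic;                /* 1 = basic 16-bit attribute, 0 = variable length */
    const uint8_t *data;      /* variable attributes: pointer into the buffer */
};
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walk the attribute list of a MODECFG payload. Returns the attribute count,
 * or -1 if an attribute runs past the buffer: a truncated list is rejected
 * whole rather than partially trusted. */
int parse_attrs(const uint8_t *p, size_t len, struct attr *out, size_t max)
{
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < 4 || n == max) return -1;
        uint16_t t = get16(p + off), v = get16(p + off + 2);
        out[n].type = t & 0x7fffu;
        out[n].basic = (t & ATTR_AF_BASIC) != 0;
        out[n].value = v;
        out[n].data = NULL;
        off += 4;
        if (!out[n].basic) {             /* variable: v is the data length */
            if (len - off < v) return -1;
            out[n].data = p + off;
            off += v;
        }
        n++;
    }
    return (int)n;
}

/* What the commit does for 0x0015: answer with the same type and 16-bit
 * value as a basic attribute. Writes 4 bytes; returns 0 if not basic. */
size_t build_echo(const struct attr *a, uint8_t out[4])
{
    if (!a->basic) return 0;
    out[0] = (uint8_t)((a->type | ATTR_AF_BASIC) >> 8);
    out[1] = (uint8_t)(a->type & 0xffu);
    out[2] = (uint8_t)(a->value >> 8);
    out[3] = (uint8_t)(a->value & 0xffu);
    return 4;
}

/* Constructed sample, not a capture: empty USER_NAME/USER_PASSWORD requests
 * (0x4089/0x408a, variable) then the unknown basic attribute 0x0015 = 2. */
const uint8_t sample_attrs[] = { 0x40, 0x89, 0, 0, 0x40, 0x8a, 0, 0, 0x80, 0x15, 0, 2 };
```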

Modified:
branches/vpnc-nortel/isakmp.h
branches/vpnc-nortel/vpnc.c
trunk/isakmp.h
trunk/vpnc.c

Modified: branches/vpnc-nortel/isakmp.h
==============================================================================
--- branches/vpnc-nortel/isakmp.h (original)
+++ branches/vpnc-nortel/isakmp.h Sun Mar 10 16:01:50 2013
@@ -456,7 +456,7 @@
ISAKMP_XAUTH_02_ATTRIB_CHALLENGE,
ISAKMP_XAUTH_02_ATTRIB_DOMAIN,
ISAKMP_XAUTH_02_ATTRIB_STATUS,
- ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN,
+ ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN, /* ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 */
ISAKMP_XAUTH_02_ATTRIB_ANSWER, /* TYPE .. ANSWER is excluded from dump */

ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC = 0x4000,
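Review bot: the comment added on `ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN` records that it shares value 0x0015 with the trunk name `ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015`, but the enumerator has no explicit value; its equality to 0x0015 depends only on its position in the list, so inserting or reordering an entry above it would silently break the Cisco handling added in vpnc.c. Consider pinning it with `ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN = 0x0015,` or adding a compile-time check that the two names agree.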

Modified: branches/vpnc-nortel/vpnc.c
==============================================================================
--- branches/vpnc-nortel/vpnc.c (original)
+++ branches/vpnc-nortel/vpnc.c Sun Mar 10 16:01:50 2013
@@ -2374,7 +2374,7 @@
case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
case ISAKMP_XAUTH_02_ATTRIB_ANSWER:
case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
- case ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN:
+ case ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN: /* ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 */
case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
case ISAKMP_MODECFG_ATTRIB_NORTEL_UNKNOWN_4011:
case ISAKMP_MODECFG_ATTRIB_NORTEL_CLIENT_ID:
@@ -2451,6 +2451,14 @@
na->u.lots.length);
break;
}
+ case ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN:
+ /* For Cisco ASA this is an unknown attribute */
+ /* ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 */
+ if (opt_vendor == VENDOR_CISCO) {
+ na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
+ break;
+ }
+ /* For Nortel, fallback in next case */
case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
case ISAKMP_XAUTH_02_ATTRIB_ANSWER:
case ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD:
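Review bot: the new `case ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN:` block falls through into `case ISAKMP_XAUTH_06_ATTRIB_ANSWER:` whenever `opt_vendor != VENDOR_CISCO`, and the only marker is `/* For Nortel, fallback in next case */`, which says "fallback" rather than "fall through" and is not in a form compilers recognise for `-Wimplicit-fallthrough`; a `/* fall through */` comment placed directly before the next case label would document the intent and keep the warning quiet. The comment `/* For Cisco ASA this is an unknown attribute */` also does not match the log, which reports the behaviour against a Cisco 1941 with hybrid xauth, so "Cisco" alone, or the device from the report, would be more accurate.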
@@ -2458,7 +2466,6 @@
case ISAKMP_XAUTH_06_ATTRIB_PASSCODE:
case ISAKMP_XAUTH_02_ATTRIB_PASSCODE:
case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
- case ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN:
if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
reject = ISAKMP_N_AUTHENTICATION_FAILED;
phase2_fatal(s, "noninteractive can't reuse password", reject);
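Review bot: removing `case ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN:` from this label group means the Nortel NEXT_PIN path now reaches the password handling only through the fall-through from the case inserted in the previous hunk; a `break;` added between the two later would silently drop Nortel NEXT_PIN handling. A comment on this group noting that NEXT_PIN arrives here via fall-through would make the dependency visible.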

Modified: trunk/isakmp.h
==============================================================================
--- trunk/isakmp.h (original)
+++ trunk/isakmp.h Sun Mar 10 16:01:50 2013
@@ -418,6 +418,7 @@
ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_SUBNET,
ISAKMP_MODECFG_ATTRIB_SUPPORTED_ATTRIBUTES,
ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_SUBNET,
+ ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 = 0x0015,
ISAKMP_XAUTH_06_ATTRIB_TYPE = 0x4088,
ISAKMP_XAUTH_06_ATTRIB_USER_NAME,
ISAKMP_XAUTH_06_ATTRIB_USER_PASSWORD,
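Review bot: `ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015 = 0x0015` is given an explicit value, which is correct since it does not follow `ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_SUBNET` sequentially, but the name hides that the log message already identifies 0x0015 as the Nortel branch's `ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN`. A comment here mirroring the one added in the Nortel branch (`/* = ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN in branches/vpnc-nortel */`) would spare the next reader the search described in the log.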

Modified: trunk/vpnc.c
==============================================================================
--- trunk/vpnc.c (original)
+++ trunk/vpnc.c Sun Mar 10 16:01:50 2013
@@ -2236,6 +2236,7 @@
case ISAKMP_XAUTH_06_ATTRIB_ANSWER:
case ISAKMP_XAUTH_06_ATTRIB_NEXT_PIN:
case ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR:
+ case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:
break;
case ISAKMP_XAUTH_06_ATTRIB_MESSAGE:
if (opt_debug || seen_answer || config[CONFIG_XAUTH_INTERACTIVE]) {
@@ -2266,6 +2267,7 @@

switch (ap->type) {
case ISAKMP_XAUTH_06_ATTRIB_TYPE:
+ case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:
{
na = new_isakmp_attribute_16(ap->type, ap->u.attr_16, NULL);
break;
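Review bot: `case ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN_0X0015:` is folded into the `ISAKMP_XAUTH_06_ATTRIB_TYPE` block, so the reply is built from `ap->u.attr_16` regardless of how the server encoded the attribute; the log shows the basic 16-bit form (`t.attributes.u.attr_16: 0002`), but nothing in this hunk checks that a variable-length encoding of 0x0015 is not being reinterpreted as a 16-bit value. Since the attribute's meaning is unknown, a short comment stating that the value is echoed unchanged because the gateway answered ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED when it was omitted would preserve the rationale from the log message in the code.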

_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/