camouflage mode not working with Cisco Secure Client 5
Hello! Thanks for your awesome project! Unfortunately, I'm having trouble with the camouflage feature and Cisco Secure Client.
Description of problem:
Cisco Secure Client (AnyConnect Downloader module) does not connect when the camouflage option is enabled in ocserv.conf
Version of ocserv used:
1.2.1
Client used:
AnyConnect macOS/Windows 5.0.04032 (aka Cisco Secure Client)
Distributor of ocserv:
docker image evilbox/ocserv:1.2.1 (based on alpine:3.18.2)
How reproducible:
- Enable camouflage = true in config
- Set camouflage_secret = "1xyz"
- Uncomment camouflage_realm = "Restricted Content"
- Connect to the ocserv server using Cisco Secure Client
Actual results:
Cisco client establishes a connection to ocserv
Expected results:
Cisco client does not establish a connection to ocserv and shows the "Cisco Secure Client failed to establish a connection to the specified secure gateway." error
In ocserv logs I saw this:
ocserv[16289]: worker[user777]: 111.111.111.111 Detected Cisco AnyConnect
ocserv[16289]: worker[user777]: 111.111.111.111 User-agent: 'AnyConnect Windows 5.0.04032'
ocserv[16289]: worker[user777]: 111.111.111.111 Detected Cisco AnyConnect
ocserv[1]: main: added 1 points (total 2) for IP '111.111.111.111' to ban list
ocserv[16290]: main: map worker serving remote address 111.111.111.111:63239 to secmod instance 0
note: vhost:default: setting 'radius' as primary authentication method
ocserv[14]: sec-mod: received request from pid 16290 and uid 0
ocserv[14]: sec-mod: cmd [size=38] sm: sign hash
note: setting 'radius' as supplemental config option
ocserv[16290]: worker: 111.111.111.111 accepted connection
ocserv[14]: sec-mod: received request from pid 16290 and uid 65534
ocserv[14]: sec-mod: cmd [size=38] sm: sign hash
ocserv[16290]: worker: 111.111.111.111 TLS handshake completed
ocserv[16290]: worker: 111.111.111.111 sending message 'session info' to main
ocserv[1]: main:111.111.111.111:63239 main received worker's message 'session info' of 69 bytes
ocserv[16290]: worker: 111.111.111.111 User-agent: 'AnyConnect Downloader Windows 5.0.04032'
ocserv[16290]: worker: 111.111.111.111 Detected Cisco AnyConnect
ocserv[16290]: worker: 111.111.111.111 Secret not found in URL, declining...
P.S. If you need an AnyConnect distribution, tell me.