How should `openconnect` allow more complex configuration of AnyConnect XML payloads?
The problem
Due to the configuration of the VPN server (`anyconnect`) that I connect to, I must provide extra information in the initial XML payload. I can't provide this information with `openconnect` directly (there are no options, etc.), so I've resorted to building `openconnect` manually with a hacky patch that lets me set the XML via an environment variable and inject it at the right time.
This is the XML that the VPN server expects:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init" aggregate-auth-version="2">
  <version who="vpn">$ANYCONNECT_VERSION</version>
  <device-id computer-name="$COMPUTER_HOSTNAME" device-type="$DEVICE_MODEL" platform-version="$DEVICE_OS_VERSION"
             unique-id="$UNIQUE_ID"
             unique-id-global="$UNIQUE_ID_GLOBAL">$DEVICE_ID</device-id>
  <mac-address-list>
    <mac-address>$MAC_ADDRESS</mac-address>
  </mac-address-list>
  <capabilities>
    <auth-method>single-sign-on-v2</auth-method>
    <auth-method>single-sign-on-external-browser</auth-method>
  </capabilities>
  <group-access>$VPN_URL</group-access>
</config-auth>
```
Most of these values can be fetched with various tools such as `hostname`, `dmidecode`, `system_profiler` (macOS), `sw_vers` (macOS), etc.
A few of them are specific to the Cisco tools, such as:

- `$ANYCONNECT_VERSION`: fetched via `dartcli -v`
- `$UNIQUE_ID_GLOBAL`: fetched via `dartcli -u`
- `$UNIQUE_ID`: fetched via `dartcli -ul`
In case anyone is unaware, `dartcli` is a CLI tool shipped with Cisco Secure Client, usually found at:

- macOS: `/Applications/Cisco/Cisco Secure Client - DART.app/Contents/Resources/dartcli`
- Windows: `C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\dartcli.exe`
What this means for openconnect

What approach should `openconnect` take in letting users specify these values?

- Should we have a CLI flag `--anyconnect-xml` which sets the entire payload?
- Should we provide CLI flags for each, such as `--unique-id`, `--unique-id-global`, `--computer-name`, `--platform-version`, etc.?
What other solutions can we make so users like myself don't have to resort to manually patching and building `openconnect`? I myself am leaning towards providing a CLI flag to set the entire payload, since it's more future-proof (if new attributes are added, etc.).
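As an added example (not code from this issue or from the openconnect project), here is how the `config-auth` init payload above could be assembled with Python's ElementTree instead of substituting strings into a template: values that contain XML-special characters (a hostname with `&` or `<`) are escaped rather than corrupting the document, and the parser lets you verify what was actually generated. All sample values are constructed placeholders, not real identifiers.

```python
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for hostname/dmidecode/dartcli output.
SAMPLE_VALUES = {
    "anyconnect_version": "5.0.00556",
    "computer_name": "host&lab <test>",  # deliberately XML-unfriendly
    "device_model": "MacBookPro18,3",
    "platform_version": "14.4",
    "unique_id": "EXAMPLE-UNIQUE-ID",
    "unique_id_global": "EXAMPLE-GLOBAL-ID",
    "device_id": "mac-intel",
    "mac_address": "00-11-22-33-44-55",
    "vpn_url": "https://vpn.example.test",
}

def build_config_auth(v: dict) -> bytes:
    """Build the <config-auth type="init"> document from the template above."""
    root = ET.Element("config-auth", client="vpn", type="init",
                      **{"aggregate-auth-version": "2"})
    ET.SubElement(root, "version", who="vpn").text = v["anyconnect_version"]
    dev = ET.SubElement(root, "device-id", **{
        "computer-name": v["computer_name"],
        "device-type": v["device_model"],
        "platform-version": v["platform_version"],
        "unique-id": v["unique_id"],
        "unique-id-global": v["unique_id_global"],
    })
    dev.text = v["device_id"]
    macs = ET.SubElement(root, "mac-address-list")
    ET.SubElement(macs, "mac-address").text = v["mac_address"]
    caps = ET.SubElement(root, "capabilities")
    for method in ("single-sign-on-v2", "single-sign-on-external-browser"):
        ET.SubElement(caps, "auth-method").text = method
    ET.SubElement(root, "group-access").text = v["vpn_url"]
    # ElementTree escapes &, <, > and quotes in text and attributes for us.
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)

def parse_config_auth(payload: bytes) -> dict:
    """Read the generated payload back to confirm the fields round-trip."""
    root = ET.fromstring(payload)
    dev = root.find("device-id")
    return {
        "version": root.findtext("version"),
        "computer_name": dev.get("computer-name"),
        "unique_id": dev.get("unique-id"),
        "auth_methods": [m.text for m in root.iter("auth-method")],
        "group_access": root.findtext("group-access"),
    }

if __name__ == "__main__":
    print(build_config_auth(SAMPLE_VALUES).decode("utf-8"))
```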