A simple implementation of a CSD-Wrapper as required for OpenConnect to comply with Cisco AnyConnect "hostscan" policies.
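#!/bin/bash
# csd-wrapper.sh -- minimal CSD ("hostscan") wrapper for OpenConnect.
#
# OpenConnect runs this script (--csd-wrapper) with one leading argument
# followed by "-name value" pairs: -ticket, -stub, -group, -certhash, -url
# and -langselen. The script fetches the hostscan manifest from the gateway,
# downloads every file it lists into $HOME/.cisco/hostscan/{bin,lib},
# compares each file with the manifest's MD5 line, then runs "cstub" with
# the ticket/stub/group/url/certhash values.
#
# NOTE(review): the manifest and its MD5 sums are served by the same host as
# the files, so the sum check only catches truncated or corrupted downloads
# (for example an HTTP error page saved as a binary); it does not
# authenticate the code. curl's TLS certificate verification is what
# protects the download path -- do not add -k/--insecure here.

# A failing stage (e.g. curl) must fail the "curl | gunzip" pipeline below.
set -o pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'csd-wrapper: %s\n' "$*" >&2
  exit 1
}

#######################################
# MD5 digest of a file as hex (the last word of the "MD5 (name) = hex"
# tag-style line), i.e. the same form as the manifest's sum column.
# Globals:   MD5 (read) - digest command as an array
# Arguments: $1 - path
# Outputs:   hex digest on stdout
# Returns:   the digest command's status
#######################################
file_md5() {
  local out
  out=$("${MD5[@]}" "$1") || return
  printf '%s\n' "${out##* }"
}

#######################################
# Download one manifest entry, trying the .gz variant first as the original
# wrapper did. "-f" makes curl fail on HTTP errors instead of writing the
# error body into the destination file.
# Globals:   FILE_URL (read)
# Arguments: $1 - file name as listed in the manifest
#            $2 - destination path
# Returns:   0 on success, non-zero if curl or gunzip failed
#######################################
fetch_file() {
  local name=$1 dest=$2
  if curl -Ifs "$FILE_URL/$name.gz" > /dev/null; then
    curl -fsS "$FILE_URL/$name.gz" | gunzip > "$dest"
  else
    curl -fsS "$FILE_URL/$name" > "$dest"
  fi
}

unset URL TICKET STUB GROUP CERTHASH LANGSELEN

# The first argument is discarded before option parsing, exactly as the
# original wrapper did (OpenConnect passes it ahead of the option pairs).
shift

# Parse "-name value" pairs; unrecognised words are ignored. Parsing stops
# at the first empty argument, which is how the original loop terminated.
# LANGSELEN is parsed for completeness but, as before, not passed to cstub.
while [ -n "${1-}" ]; do
  case "$1" in
    -ticket)    shift; TICKET=${1-} ;;
    -stub)      shift; STUB=${1-} ;;
    -group)     shift; GROUP=${1-} ;;
    -certhash)  shift; CERTHASH=${1-} ;;
    -url)       shift; URL=${1-} ;;
    -langselen) shift; LANGSELEN=${1-} ;;
  esac
  shift || break
done

# Digest command (as an array, so it is never word-split) and the platform
# directory used in the gateway's hostscan URL.
case "$(uname -s)" in
  Darwin)
    MD5=(md5)
    ARCH="darwin_i386"
    ;;
  Linux)
    # coreutils "md5sum --tag" prints BSD-style "MD5 (file) = hex" lines,
    # the format the manifest uses; a bare "md5" does not exist on Linux
    # distributions such as Red Hat derivatives.
    MD5=(md5sum --tag)
    if [ "$(uname -m)" == "x86_64" ]; then
      ARCH="linux_x64"
    else
      ARCH="linux_i386"
    fi
    ;;
  *)
    # Without this guard MD5/ARCH would be empty and "$MD5 $file" below
    # would end up executing the downloaded file name as a command.
    die "unsupported platform: $(uname -s)"
    ;;
esac

HOSTSCAN_DIR="$HOME/.cisco/hostscan"
mkdir -p "$HOSTSCAN_DIR/bin" "$HOSTSCAN_DIR/lib" || die "cannot create $HOSTSCAN_DIR"

# Double quotes are stripped from the URL before it is used as a base, as in
# the original; the raw value is still what gets passed to cstub.
BASE_URL="${URL//\"/}"
[ -n "$BASE_URL" ] || die "-url is required"
FILE_URL="$BASE_URL/sdesktop/hostscan/$ARCH"
echo "Manifest URL: $FILE_URL/manifest"

# One "MD5 (name) = hex" line per file. Fetch it with -f so an HTTP error
# page is never parsed as manifest lines, and read it in the current shell
# rather than in a pipeline subshell.
manifest=$(curl -fsS "$FILE_URL/manifest") || die "cannot fetch $FILE_URL/manifest"
while IFS= read -r line; do
  [ -n "$line" ] || continue
  file="${line#*(}" file="${file%)*}" sum="${line##* }"
  # A manifest entry must be a plain file name; never let it escape
  # $HOSTSCAN_DIR (the manifest is remote input).
  case "$file" in
    ''|*/*|.|..)
      printf 'skipping suspicious manifest entry: %s\n' "$line" >&2
      continue
      ;;
  esac
  [[ "$file" =~ \.(dylib|so|dat)$ ]] && filetype=lib || filetype=bin
  dest="$HOSTSCAN_DIR/$filetype/$file"
  if [ -f "$dest" ] && [ "$(file_md5 "$dest")" == "$sum" ]; then
    printf '%s is up to date.\n' "$file"
  else
    printf 'downloading %s\n' "$file"
    # Download to a temporary name and only install it once its digest
    # matches the manifest; the original never verified fresh downloads.
    tmp=$(mktemp "$HOSTSCAN_DIR/$filetype/.$file.XXXXXX") || die "mktemp failed"
    if fetch_file "$file" "$tmp" && [ "$(file_md5 "$tmp")" == "$sum" ]; then
      mv -f "$tmp" "$dest"
    else
      rm -f "$tmp"
      printf 'download or checksum of %s failed; skipping\n' "$file" >&2
      continue
    fi
  fi
  [ "$filetype" == "bin" ] && chmod 755 "$dest"
done <<< "$manifest"

# Launch "cstub"
cd "$HOSTSCAN_DIR/bin" || die "cannot cd to $HOSTSCAN_DIR/bin"
[ -x ./cstub ] || die "cstub not found or not executable in $PWD"
#ARGS=(-log debug -ticket "$TICKET" -stub "$STUB" -group "$GROUP" -url "$URL" -certhash "$CERTHASH")
ARGS=(-log error -ticket "$TICKET" -stub "$STUB" -group "$GROUP" -url "$URL" -certhash "$CERTHASH")
printf 'Launching: %s/cstub' "$PWD"
printf ' %q' "${ARGS[@]}"
printf '\n'
./cstub "${ARGS[@]}"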
(as I only used the script and read the comments after it was working ...)
csd-wrapper.sh
#md5 is not a command on Red Hat-derived Linux distributions.
Linux)
MD5="md5 --tag"
should be
Linux)
MD5="md5sum --tag"
I had to locate cstub, which was already present in the /opt/cisco directory, and copy it to my local user's directory.
For completeness:
sudo openconnect --user=<vpn_user> --csd-user= --csd-wrapper=/home//.cisco/csd-wrapper.sh
In my corp system the "Refreshing +CSCOE+/sdesktop/wait.html after 1 second...." step takes about 50 seconds, so be patient ...
Found my way here after my corp connection stopped working 2 weeks ago (CISCO GUI Policy error). I then dropped to the command line to use openconnect, which gives more feedback, and after some searching I got it working with this GIST.
Thanks.