Add support for client authentication. #8
Conversation
This is a nice update. I thought the original implementation was a bit confusing too. To use the TLS options you needed to create a cert/key file with the same name but different extensions. Due to never using it, I just left it alone. Specifying individual files (and actually respecting them) seems like a much needed improvement. I appreciate the PR! I'll get this tested and if all goes well, I'll merge it.
I apologize for the delay. Everything looks great. Landing.
Thanks.
This will work only if you can export the cert & key, but would it be possible to use a PKCS#11 token for authentication? Commonly, smartcards are used for authentication with certs, and you can't MITM that (or at least I don't think you can).
Are you saying that you need the PKCS#11 token in order to get to the hostscan phase? I've never had the chance to use smartcard authentication. Hostscan takes place prior to any authentication, so you should still be able to make use of the bypass. Once you have the
Yes, that's what I'm saying exactly. You need to use client cert authentication before you get anywhere; no other authentication is done after that.
It sounds like that environment is using the ISE posture modules rather than hostscan. See this issue where someone is describing something similar. I'd love to get my hands on an environment that has this setup so I could try to break it. Unfortunately I don't have any way to develop a solution. In theory it should still be possible.
No, this really is hostscan.
That's a fun fact. I had no idea that it was possible to make hostscan occur after authentication. Have you tried exporting the non-exportable cert using mimikatz? I still don't have a smartcard to test with, but if all you need is that cert, then mimikatz should do the trick.
You can't export a cert from a smartcard (to be exact, you can extract the cert, but you can't ever extract the private key). So no, that won't help. With a certificate, you get authentication in a reply to the first client request, and then this: Btw, hostscan can also be periodic; in fact the official AnyConnect client repeats the scan and re-posts the results 60 seconds after the connection is already done.
Sadly it sounds like I'd need a smartcard before I could make this compatible with your setup. If I were trying to figure out how to support this I'd likely reference the OpenConnect code base and see how they are handling smartcard auth and then write something similar into the bypass. I wish I could be more help in this use case.
Implements TLS client authentication with the VPN backend.
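As an added example (not code from this PR or from the project), the Go program below covers both halves of the thread: the PR's behaviour of taking the client certificate and key from two independently named files, and the smartcard case raised afterwards, where the certificate can be read out but the private key cannot. Go's tls.Certificate only needs a crypto.Signer for the key, so a PKCS#11-backed key could be plugged in without ever leaving the token; the tokenSigner type here is a hypothetical stand-in that still wraps a software key. Both paths are exercised with a real mutual-TLS handshake over an in-memory pipe against a server that requires and verifies the client certificate. Everything is constructed for the demo: the self-signed certificates, the names vpn.example, alice and localhost, the file names, and the assumption that the bypass is written in Go.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net"
	"os"
	"time"
)

// selfSigned makes a throwaway self-signed P-256 certificate (constructed test material).
func selfSigned(cn string, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames:     []string{"localhost"}, // the client verifies the server as "localhost"
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return leaf, key
}

// tokenSigner is a hypothetical stand-in for a PKCS#11/smartcard key: it exposes
// only crypto.Signer, which is all tls.Certificate needs, so nothing is exported.
type tokenSigner struct{ key *ecdsa.PrivateKey }

func (t tokenSigner) Public() crypto.PublicKey { return &t.key.PublicKey }
func (t tokenSigner) Sign(r io.Reader, digest []byte, o crypto.SignerOpts) ([]byte, error) {
	return t.key.Sign(r, digest, o) // a real token would sign on-card here
}

// certFromSigner pairs the exportable certificate with the non-exportable key and
// refuses the pair unless the token's public key is the one in the certificate
// (tls.LoadX509KeyPair makes the same check for the two-file case).
func certFromSigner(leaf *x509.Certificate, s crypto.Signer) (tls.Certificate, error) {
	pub, ok := leaf.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(s.Public()) {
		return tls.Certificate{}, fmt.Errorf("token key does not match certificate %q", leaf.Subject.CommonName)
	}
	return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: s, Leaf: leaf}, nil
}

// handshake runs mutual TLS over an in-memory pipe; it returns the client CN the server accepted.
func handshake(clientCert tls.Certificate, clientCA, serverCert *x509.Certificate, serverKey crypto.Signer) (string, error) {
	clientCAs, rootCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCA)
	rootCAs.AddCert(serverCert)
	cconn, sconn := net.Pipe()
	done := make(chan error, 1)
	go func() {
		done <- tls.Client(cconn, &tls.Config{Certificates: []tls.Certificate{clientCert},
			RootCAs: rootCAs, ServerName: "localhost"}).Handshake()
	}()
	srv := tls.Server(sconn, &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, ClientCAs: clientCAs,
		SessionTicketsDisabled: true, // a post-handshake ticket would block net.Pipe
	})
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, <-done
}

// demo authenticates once with cert and key read from two independently named
// files (the PR's behaviour) and once with the cert plus an opaque signer.
func demo() (fromFiles, fromToken string, err error) {
	srvLeaf, srvKey := selfSigned("vpn.example", x509.ExtKeyUsageServerAuth)
	cliLeaf, cliKey := selfSigned("alice", x509.ExtKeyUsageClientAuth)
	dir, _ := os.MkdirTemp("", "clientauth")
	defer os.RemoveAll(dir)
	kder, _ := x509.MarshalPKCS8PrivateKey(cliKey)
	os.WriteFile(dir+"/alice.crt", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cliLeaf.Raw}), 0o600)
	os.WriteFile(dir+"/unrelated-name.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: kder}), 0o600)
	fileCert, err := tls.LoadX509KeyPair(dir+"/alice.crt", dir+"/unrelated-name.key")
	if err != nil {
		return "", "", err
	}
	tokCert, err := certFromSigner(cliLeaf, tokenSigner{cliKey})
	if err != nil {
		return "", "", err
	}
	if fromFiles, err = handshake(fileCert, cliLeaf, srvLeaf, srvKey); err == nil {
		fromToken, err = handshake(tokCert, cliLeaf, srvLeaf, srvKey)
	}
	return fromFiles, fromToken, err
}
```

demo() returns "alice" twice when both paths succeed. A real smartcard integration would replace tokenSigner with a crypto.Signer backed by a PKCS#11 wrapper; the rest of the client configuration is unchanged, which is the point: the bypass never needs the key material, only an object that can sign the CertificateVerify message. The public-key comparison in certFromSigner fails fast on a wrong-token or wrong-certificate pairing before any connection is attempted, mirroring the check tls.LoadX509KeyPair already performs for two files.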