不能登录 返回 HTTP 401 about docker-ocserv HOT 8 OPEN

What kind of client are you using?

from docker-ocserv.

I got the same error on both clients:

• Android: https://play.google.com/store/apps/details?id=app.openconnect
• MacOS (openconnect v7.08, installed via brew install openconnect)

from docker-ocserv.

Can you try the AnyConnect client instead of OpenConnect?

In the config file, it was set to compliant with Cisco AnyConnect.

from docker-ocserv.

I tried Windows AnyConnect Client 3.1.13015 and failed with different errors:

• when group All[全局代理 All Proxy] is choosen, user and password are entered, nothing happened and Message History showed:

  [2018/1/15 下午 11:32:10] Contacting 192.168.1.101:8443.
  [2018/1/15 下午 11:32:11] Please enter your username.
  [2018/1/15 下午 11:32:13] Please enter your username.
  [2018/1/15 下午 11:32:14] User credentials entered.
  [2018/1/15 下午 11:32:14] Please enter your password.
  [2018/1/15 下午 11:32:15] User credentials entered.
  [2018/1/15 下午 11:32:16] Please enter your password.
  [2018/1/15 下午 11:32:16] User credentials prompt cancelled.
  

• when group Route[仅海外代理 Exclude CN] is choosen, user and password are entered, first alert prompted:

  The secure gateway has rejected the connection attempt. A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.

  Then the second alert prompted:

  AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.

  And Message History showed:

  [2018/1/15 下午 11:34:03] Contacting 192.168.1.101:8443.
  [2018/1/15 下午 11:34:04] Please enter your username.
  [2018/1/15 下午 11:34:07] User credentials entered.
  [2018/1/15 下午 11:34:07] Please enter your password.
  [2018/1/15 下午 11:34:09] User credentials entered.
  [2018/1/15 下午 11:34:09] Establishing VPN session...
  [2018/1/15 下午 11:34:09] Checking for profile updates...
  [2018/1/15 下午 11:34:09] Checking for product updates...
  [2018/1/15 下午 11:34:12] Checking for customization updates...
  [2018/1/15 下午 11:34:12] Performing any required updates...
  [2018/1/15 下午 11:34:12] Establishing VPN session...
  [2018/1/15 下午 11:34:12] Establishing VPN - Initiating connection...
  [2018/1/15 下午 11:36:52] Connection attempt has failed.
  [2018/1/15 下午 11:37:36] VPN session ended.
  

Update:

Changing the starting command to ocserv -c /etc/ocserv/ocserv.conf -f -d1, I got the debug log from docker container:

ocserv[1]: main[test]: 172.17.0.1:37895 new user session
ocserv[1]: main: tun.c:552: Can't open /dev/net/tun: No such device
ocserv[1]: main[test]: 172.17.0.1:37895 failed authentication attempt for user 'test'
ocserv[71]: worker: 172.17.0.1 failed cookie authentication attempt
ocserv[22]: sec-mod: temporarily closing session for test (session: JlG+Lh)
ocserv[1]: main[test]: 172.17.0.1:37895 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv[72]: worker:  could not disable system calls, kernel might not support seccomp
ocserv[1]: main: 172.17.0.1:37896 user disconnected (reason: unspecified, rx: 0, tx: 0)

This is probably problem of my kernel.

Update 2:

My suspicion above should be valid. Changed to use docker daemon on a Mac, successfully launched with the same docker run command.

@ly0 You should try launch you container with the debug flag and check the log message to see if there's any hint, e.g:

docker run --name ocserv --privileged -p 443:443 -p 443:443/udp -d tommylau/ocserv ocserv -c /etc/ocserv/ocserv.conf -f -d1
# try connect to trigger error
docker logs ocserv

from docker-ocserv.

tun is needed as far as I know to use ocserv, I'm using Ubuntu as the host.

And, till the last time I know, AnyConnect can only connect to port 443 (SSL) other than any other ports.

@lacek Can AnyConnect client on Mac connect to the server other than port 443 now?

from docker-ocserv.

@ly0
Do u have other devices connected to the server at the same time?
Disconnect them and try again.
There might be problems w/ multiple clients.

from docker-ocserv.

Hello Tommy, I also meet this question. My VPN client is Cisco anyconnect 4.9 and I list the operation steps below:

1. docker run
2. connect to the server, for example, use group [All projects]
3. if use correct username/password, the server will reject the connection request as "Connection attempt has failed"
4. Follow point3, if using the wrong username/password, the server will notice me the username or password is incorrect
5. Switch the group to [Exclude CN], the correct username/password will work fine
6. Switch back to [Proxy All], the connection also works smoothly

From my view, ocserv can identify the user information from ocpasswd file. Due to the fewer log messages in docker, I can't identify more information about this case. Do you have any idea?

from docker-ocserv.

@swanduron You can mount the config file to your host, so that you can modify the config file to output more useful information.

And you could also remove group settings as a test.

Personally, I prefer using "Certificate" method other than username/password method.

from docker-ocserv.