XML Post not working on 5.01

Kevin Cernekee cernekee at gmail.com
Sat Jun 15 20:16:47 EDT 2013


On Thu, Jun 13, 2013 at 12:14 PM, Joel Johnson <mrjoel at lixil.net> wrote:
> For the XML POST processing, it looks like it's not properly (fully?)
> processing the --authgroup parameter to use the selected group (as long as
> it's returned in the list as being available). Instead of blindly using the
> tunnel-group and group-alias offered initially, it should use what is
> specified. I'm not familiar with the details and differences between the
> <group-select> and <tunnel-group>, but this looks quite suspicious.

<tunnel-group> and <group-alias> are in the <opaque> section.  I'm not
sure it's such a good idea for the client to change anything in there.
The Cisco client seems to leave it alone.

What I see when I feed your server responses to the official
AnyConnect client is that when the user selects e.g. GROUPC_VPN from
the dropdown, the Cisco client sends a "change group" message to the
server:

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init">
<version who="vpn">3.1.00495</version>
<device-id>linux</device-id>
<group-select>GROUPC_VPN</group-select>
</config-auth>

Then it redraws the login dialog when it gets the response back.  The
new server response tells the client which group to show as selected.

I couldn't deduce your server's hostname so I can't tell for sure, but
my guess is that your server rewrites the <opaque> contents based on
the newly selected group.  It might also be configurable to send a
completely different set of form fields for different group
selections.

So maybe the <group-select> option only tells the server "send me a
new form with GROUPC_VPN selected," and if you submit your credentials
immediately, it takes the group ID from the <opaque> section instead
of the <group-select> value.  Does this jibe with the behavior you saw
(i.e. would you see "Login failed" if you tried to log on to
GROUPA_VPN)?

One thing that (lib)openconnect could do to work around this is to
prompt the user for just the group first, then after he hits submit,
prompt for the remaining form fields (skipping the group dropdown).
Are you willing to be the guinea pig?
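As an added illustration (not code from this thread or from openconnect), a small Python helper that builds the "change group" init message quoted above and refuses a group the server did not offer; the offered-group list is a constructed sample, and the version and device-id values are taken from the captured message.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the groups the server listed in its initial form (assumption).
OFFERED_GROUPS = ["GROUPA_VPN", "GROUPB_VPN", "GROUPC_VPN"]


def build_group_select(group, offered, version="3.1.00495", device_id="linux"):
    """Build the 'change group' init message the Cisco client sends when the
    user picks a group from the dropdown.  A group that is not in the offered
    list is rejected up front, so a typo in --authgroup fails locally instead
    of being sent to the server."""
    if group not in offered:
        raise ValueError(f"group {group!r} not offered; choose one of {offered}")
    root = ET.Element("config-auth", {"client": "vpn", "type": "init"})
    ET.SubElement(root, "version", {"who": "vpn"}).text = version
    ET.SubElement(root, "device-id").text = device_id
    ET.SubElement(root, "group-select").text = group
    # ElementTree escapes <, > and & in text, so a group name containing
    # markup characters cannot break the document structure.
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


def parse_group_select(xml_text):
    """Read back which group a config-auth init message selects (None if absent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth" or root.get("type") != "init":
        raise ValueError("not a config-auth init message")
    node = root.find("group-select")
    return node.text if node is not None else None


if __name__ == "__main__":
    print(build_group_select("GROUPC_VPN", OFFERED_GROUPS))
```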
