XML response has no "auth" node

Will Crisp crispjw at gmail.com
Mon Apr 17 20:15:44 PDT 2017


Follow-up on this note:  Through some more trial & error I was able to
successfully connect to my work VPN!!!  The key to this was identifying
the exact certificate and key I needed to provide to openconnect to do
the proper authentication with my work's VPN server.  One thing that
helped immensely is the scripts provided here:

https://github.com/JonathonReinhart/linux-cac-setup/

Which guided me through selecting first a hardware token
(CRISP.WILL.J.xxxxxxxxxx) and then a choice of certificates to go with
that hardware token.  The certificate the VPN server wants is the "PIV
Email Signature Certificate".  Armed with this knowledge, I was then
able to identify the exact pkcs11 URLs that I needed to pass to
openconnect and later to NetworkManager-openconnect in order to
successfully establish a VPN connection.  Maybe this will help someone
else out there reading this someday.  Thank you to the devs who
created this software, so glad I don't have to use a Windows client
anymore!!

-Will


On Mon, Apr 17, 2017 at 7:10 AM, Will Crisp <crispjw at gmail.com> wrote:
> I'm getting the subject error message, "XML response has no "auth"
> node", when attempting to connect to my work's VPN concentrator.  What
> follows is output of my connection attempt.  I can establish SSL
> connection, but I can't get further than that.  I will attempt to
> connect using Windows (later today hopefully) and compare results, but
> hoping someone on this list has some ideas what else I can try to
> connect from Linux.
>
> Thanks,
> -Will
>
> $ sudo openconnect -c
> 'pkcs11:token=CRISP.WILL.J.xxxxxxxxxx;id=%00%01;object=PIV%20ID%20Certificate'
> --dump-http-traffic --verbose --os win vpn.amrdec.army.mil
> POST https://vpn.amrdec.army.mil/
> Attempting to connect to server 199.209.145.10:443
> Using PKCS#11 certificate
> pkcs11:token=CRISP.WILL.J.xxxxxxxxxx;id=%00%01;object=PIV%20ID%20Certificate;object-type=cert
> PIN required for CRISP.WILL.J.xxxxxxxxxx
> Enter PIN:
> Using PKCS#11 key
> pkcs11:token=CRISP.WILL.J.xxxxxxxxxx;id=%00%01;object=PIV%20ID%20Certificate;object-type=private
> Using client certificate 'CRISP.WILL.J.xxxxxxxxxx'
> Adding supporting CA 'DOD CA-31'
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> POST / HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Aggregate-Auth: 1
>> X-AnyConnect-Platform: win
>> X-Support-HTTP-Auth: true
>> X-Pad: 000000000000000000000000000000000000000000
>> Content-Type: application/x-www-form-urlencoded
>> Content-Length: 214
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init"><version who="vpn">v7.06-1.el7</version><device-id>win</device-id><group-access>https://vpn.amrdec.army.mil</group-access></config-auth>
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Mon, 17 Apr 2017 02:35:28 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
> < <client-cert-request></client-cert-request>
> < </config-auth>
> POST https://vpn.amrdec.army.mil/
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> POST / HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Aggregate-Auth: 1
>> X-AnyConnect-Platform: win
>> X-Support-HTTP-Auth: true
>> X-Pad: 000000000000000000000000000000000000000000
>> Content-Type: application/x-www-form-urlencoded
>> Content-Length: 214
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <config-auth client="vpn" type="init"><version who="vpn">v7.06-1.el7</version><device-id>win</device-id><group-access>https://vpn.amrdec.army.mil</group-access></config-auth>
> Got HTTP response: HTTP/1.1 200 OK
> Content-Type: text/html; charset=utf-8
> Transfer-Encoding: chunked
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Keep-Alive
> Date: Mon, 17 Apr 2017 02:35:30 GMT
> X-Frame-Options: SAMEORIGIN
> X-Aggregate-Auth: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <config-auth client="vpn" type="complete" aggregate-auth-version="2">
> < <error id="15" param1="" param2="">Login failed.</error>
> < </config-auth>
> XML response has no "auth" node
> GET https://vpn.amrdec.army.mil/
> Attempting to connect to server 199.209.145.10:443
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> GET / HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Support-HTTP-Auth: true
>>
> Got HTTP response: HTTP/1.0 302 Object Moved
> Content-Type: text/html; charset=utf-8
> Content-Length: 0
> Cache-Control: no-cache
> Pragma: no-cache
> Connection: Close
> Date: Mon, 17 Apr 2017 02:36:22 GMT
> X-Frame-Options: SAMEORIGIN
> Location: /+webvpn+/index.html
> Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
> HTTP body length:  (0)
> GET https://vpn.amrdec.army.mil/+webvpn+/index.html
> SSL negotiation with vpn.amrdec.army.mil
> Connected to HTTPS on vpn.amrdec.army.mil
>> GET /+webvpn+/index.html HTTP/1.1
>> Host: vpn.amrdec.army.mil
>> User-Agent: Open AnyConnect VPN Agent v7.06-1.el7
>> Accept: */*
>> Accept-Encoding: identity
>> X-Transcend-Version: 1
>> X-Support-HTTP-Auth: true
>>
> Got HTTP response: HTTP/1.1 200 OK
> Transfer-Encoding: chunked
> Content-Type: text/xml
> Cache-Control: max-age=0
> Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
> Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
> Set-Cookie: webvpnlogin=1; secure
> X-Frame-Options: SAMEORIGIN
> X-Transcend-Version: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <!--
> <   Copyright (c) 2013 by Cisco Systems, Inc.
> <   All rights reserved.
> <  -->
> < <auth id="main">
> < <title>SSL VPN Service</title>
> < <ca status="disabled" href="/+CSCOCA+/login.html" />
> <
> <
> <
> < <banner></banner>
> < <message>Please enter your username and password.</message>
> <
> <
> < <error id="15" param1="" param2="">Login failed.</error>
> < <form method="post" action="/+webvpn+/index.html">
> <
> <
> <
> <
> <
> <
> <
> < <input type="submit" name="Login" value="Login" />
> < <input type="reset" name="Clear" value="Clear" />
> <
> <
> < </form>
> < </auth>
> <
> Please enter your username and password.
> Login failed.
> Failed to obtain WebVPN cookie
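
Added example, not part of the original messages or of openconnect's code: a small Python reader for the `--dump-http-traffic` output quoted above. It shows the sequence that preceded the 'no "auth" node' message, a client-certificate request followed by a `type="complete"` response carrying only an `<error>`, which in this thread was resolved by selecting a different certificate on the token. The function names are hypothetical and `TRACE` is an excerpt of the quoted output with the e-mail quoting removed.

```python
import xml.etree.ElementTree as ET

# Excerpt of the --dump-http-traffic output quoted in this thread, with the
# e-mail "> " quoting removed. Lines starting with "< " are response bodies.
TRACE = """\
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
< <client-cert-request></client-cert-request>
< </config-auth>
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="complete" aggregate-auth-version="2">
< <error id="15" param1="" param2="">Login failed.</error>
< </config-auth>
XML response has no "auth" node
"""

def response_bodies(trace):
    """Collect the '< '-prefixed lines and split them into one string per XML document."""
    bodies = []
    for line in trace.splitlines():
        if not line.startswith("< "):
            continue  # request lines, headers and client messages are skipped
        text = line[2:]
        if text.startswith("<?xml"):
            bodies.append([])  # an XML declaration starts a new response body
        if bodies:
            bodies[-1].append(text)
    return ["\n".join(b) for b in bodies]

def classify(body):
    """Map one response body to (stage, detail)."""
    root = ET.fromstring(body.encode("utf-8"))
    error = root.find("error")
    detail = "" if error is None else f"error {error.get('id')}: {(error.text or '').strip()}"
    if root.find("client-cert-request") is not None:
        return ("cert-request", detail)  # server asks for a TLS client certificate
    if root.tag == "auth" or root.find("auth") is not None:
        return ("auth-form", detail)     # a login form is present
    if error is not None:
        return ("rejected", detail)      # error only, no <auth> node to fill in
    return ("other", root.get("type", ""))

def summarize(trace):
    """Classify every response body found in a trace, in order."""
    return [classify(b) for b in response_bodies(trace)]

if __name__ == "__main__":
    for stage, detail in summarize(TRACE):
        print(stage, detail)
```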


