openconnect stoken support not working properly with our form

Andy Wang dopey at
Sun Aug 20 10:29:36 PDT 2017

I've been trying to figure out why openconnect's --token-mode support
isn't working with my works VPN and I finalliy dug through the source
and html forms enough to understand I think.  (my C is extremely rusty
as it's been well over 10 years since i've actively coded in it) It
looks like from the function:
static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
                                  struct oc_auth_form *form,
                                  struct oc_form_opt *opt)
        if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
                return -EINVAL;

        if (strcmp(form->auth_id, "frmDefender") &&
            strcmp(form->auth_id, "frmNextToken") &&
            strcmp(form->auth_id, "ftmTotpToken"))
                return -EINVAL;

        return can_gen_tokencode(vpninfo, form, opt);

That a token is only used if the form name is frmDefender.
frmNextToken or frmTotpToken.  Our first login form that expects
username/rsa token is frmLogin.

Is my work's form unusual and incorrect or is this just a limitation
with how openconnect tries to determine the difference in the password
field and token form?

Any thoughts on ways to make this work?  I'm using an expect script to
log in to our vpn which works well, but I though it'd be nice to use
the built-in token capabilities (and if it does work I could even use
NetworkManager's gui).  If frmLogin is wrong, any suggestions on where
to find this in juniper documentation ? I tried to google the publicly
available docs but couldn't find any specifics.  Even if their form is
wrong, I can pretty much guarantee that they have no interesting in
changing it since it's only us "weird" linux users that might be
having this problem :)

In case it makes a difference I'm using the fedora 26 package:


More information about the openconnect-devel mailing list