openconnect stoken support not working properly with our form

Kevin Cernekee cernekee at gmail.com
Sun Nov 12 09:16:10 PST 2017 

On Sun, Aug 20, 2017 at 10:29 AM, Andy Wang <dopey at moonteeth.com> wrote:
> I've been trying to figure out why openconnect's --token-mode support
> isn't working with my works VPN and I finalliy dug through the source
> and html forms enough to understand I think.  (my C is extremely rusty
> as it's been well over 10 years since i've actively coded in it) It
> looks like from the function:
> static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
>                                   struct oc_auth_form *form,
>                                   struct oc_form_opt *opt)
> {
>         if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
>             vpninfo->token_bypassed)
>                 return -EINVAL;
>
>         if (strcmp(form->auth_id, "frmDefender") &&
>             strcmp(form->auth_id, "frmNextToken") &&
>             strcmp(form->auth_id, "ftmTotpToken"))
>                 return -EINVAL;
>
>         return can_gen_tokencode(vpninfo, form, opt);
> }
>
> That a token is only used if the form name is frmDefender.
> frmNextToken or frmTotpToken.  Our first login form that expects
> username/rsa token is frmLogin.

I worked on the original stoken integration, but have only ever used
it with Cisco VPNs.  It looks like the Juniper logic was updated in
this commit:

commit 1ff34cb9689fbaf57decac537df1e32e799bb9c7
Author: Janne Juntunen <janne.juntunen at hermanit.fi>
Date:   Tue Nov 29 22:37:22 2016 +0000

    Add support for Google Authenticator 2fa on Juniper VPN

    We resently changed our Juniper VPN from SMS 2fa to use Google
    Authenticator instead. Before it worked perfectly with "openconnect
    --juniper" switch, but after the change all we got was:

    Unknown form ID 'frmTotpToken'
    and a dump of the form.

    I spent some time debugging the issue, and managed to write a very
    simple fix for it.

    Signed-off-by: Janne Juntunen <janne.juntunen at hermanit.fi>
    Signed-off-by: David Woodhouse <dwmw2 at infradead.org>

Maybe the Google Authenticator form (OC_TOKEN_MODE_TOTP) needs to be
handled differently from the RSA SecurID form (OC_TOKEN_MODE_STOKEN).

More information about the openconnect-devel mailing list