Cisco MFA

Daniel Lenski dlenski at gmail.com
Mon Mar 22 17:36:36 GMT 2021


On Mon, Mar 22, 2021 at 9:55 AM William Bell <william.bell at frog.za.net> wrote:
>
> $ openconnect --version
> OpenConnect version v8.10-1
> Using GnuTLS 3.6.15. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> $ uname --all
> Linux williambell 5.8.0-45-generic #51-Ubuntu SMP Fri Feb 19 13:24:51 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>
> (added hidden stuff and invalid IP address, the certificate sha is valid but expired.)
>
> $ sudo openconnect -vvv --servercert pin-sha256:hiddensha= --authgroup=HIDDEN_MFA --user=hiddenUserName 956.888.747.602

Thanks. I'm not seeing any of the "Error in the push/pull function" in
your log here… are those no longer occurring?

It looks like your VPN is just repeatedly showing you the
username/password/secondary-password form because you're not entering
the expected values.

I notice that both fields are labeled "Password: " in your case…
1. Do the labels *differ* in the official AnyConnect client? (run
`openconnect --dump-http-traffic` to show the raw XML, which may help
us figure out where the labels come from)
2. Is it possible that your VPN has the password and
secondary-password fields *reversed*, thus causing you to enter the
values backwards?
3. We've seen a case of password-field-reversal before
(https://gitlab.com/openconnect/openconnect/-/issues/35#note_168906231),
but we don't know how to autodetect it.

Dan
