Cisco MFA

William Bell william.bell at frog.za.net
Mon Mar 22 18:13:27 GMT 2021


Hi

It seems that the push/pull errors have gone.


In the windows client:

Click AnyConnect

Warns about the certificate > connect anyway

Opens the browser and asks for the account > connects, but sometimes sends an SMS 
with a number to type in.

Says connection is established.


I do not have a secondary password.  I think that some session 
certificate is needed from the browser.

I tried typing in my stuff backwards and it still does not work.

The VPN worked fine before the MFA upgrade.

Thanks




On 2021/03/22 19:36, Daniel Lenski wrote:
> On Mon, Mar 22, 2021 at 9:55 AM William Bell <william.bell at frog.za.net> wrote:
>> $ openconnect --version
>> OpenConnect version v8.10-1
>> Using GnuTLS 3.6.15. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>> Supported protocols: anyconnect (default), nc, gp, pulse
>>
>> $ uname --all
>> Linux williambell 5.8.0-45-generic #51-Ubuntu SMP Fri Feb 19 13:24:51 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>>
>> (added hidden stuff and invalid IP address, the certificate sha is valid but expired.)
>>
>> $ sudo openconnect -vvv --servercert pin-sha256:hiddensha= --authgroup=HIDDEN_MFA --user=hiddenUserName 956.888.747.602
> Thanks. I'm not seeing any of the "Error in the push/pull function" in
> your log here… are those no longer occurring?
>
> It looks like your VPN is just repeatedly showing you the
> username/password/secondary-password form because you're not entering
> the expected values.
>
> I notice that both fields are labeled "Password: " in your case…
> 1. Do the labels *differ* in the official AnyConnect client? (run
> `openconnect --dump-http-traffic` to show the raw XML, which may help
> us figure out where the labels come from)
> 2. Is it possible that your VPN has the password and
> secondary-password fields *reversed*, thus causing you to enter the
> values backwards?
> 3. We've seen a case of password-field-reversal before
> (https://gitlab.com/openconnect/openconnect/-/issues/35#note_168906231),
> but we don't know how to autodetect it.
>
> Dan
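
As an added illustration of the check Dan describes above (not part of the thread, and not OpenConnect's own code): a small script that takes the auth-request XML shown by `openconnect --dump-http-traffic`, lists the form fields with their labels, and flags the case where two password-type fields carry the same label, which is what makes it impossible to tell which value belongs in the "secondary password" slot. The sample form below is constructed; the element and attribute names (`input`, `select`, `name`, `type`, `label`) are an assumption about the AnyConnect form layout, so match them against what your own dump shows.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an AnyConnect-style auth-request form, in roughly the
# shape openconnect --dump-http-traffic prints. The element and attribute names
# are an assumption about the real format, not copied from the thread.
SAMPLE_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
  <auth id="main">
    <title>Login</title>
    <form>
      <input type="text" name="username" label="Username:"/>
      <input type="password" name="password" label="Password:"/>
      <input type="password" name="secondary_password" label="Password:"/>
      <select name="group_list" label="GROUP:">
        <option>HIDDEN_MFA</option>
      </select>
    </form>
  </auth>
</config-auth>
"""


def form_fields(xml_text):
    """Return [(name, type, label)] for every <input>/<select> in the form.

    For <select> the "type" slot holds the tag name, since it has no type attr.
    """
    root = ET.fromstring(xml_text)
    fields = []
    for el in root.iter():
        if el.tag in ("input", "select"):
            fields.append((el.get("name"), el.get("type", el.tag), el.get("label", "")))
    return fields


def ambiguous_password_labels(fields):
    """Map each label shared by more than one password-type field to the
    field names that use it. An empty dict means the labels are distinct
    and the client can tell password from secondary password by label."""
    by_label = {}
    for name, ftype, label in fields:
        if ftype == "password":
            by_label.setdefault(label, []).append(name)
    return {label: names for label, names in by_label.items() if len(names) > 1}


def report(xml_text):
    """Print the field table and any duplicate-label warning; return the dict."""
    fields = form_fields(xml_text)
    for name, ftype, label in fields:
        print(f"{ftype:10} name={name!r:22} label={label!r}")
    dupes = ambiguous_password_labels(fields)
    for label, names in dupes.items():
        # Order in the XML is the only remaining hint: the first field is what
        # the client calls "password", the second "secondary password".
        print(f"WARNING: label {label!r} is used by {names}; "
              f"fill them in form order, or swap if the server rejects you")
    return dupes


if __name__ == "__main__":
    report(SAMPLE_FORM)
```

Run it against the `<config-auth ... type="auth-request">` document from your own dump (paste it in place of SAMPLE_FORM). If it warns, the labels really are identical on the server side, so the order of the `<input>` elements, not the prompt text, is what tells you which value goes where.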


