Cisco MFA

Daniel Lenski dlenski at gmail.com
Mon Mar 22 19:28:15 GMT 2021


On Mon, Mar 22, 2021 at 11:13 AM William Bell <william.bell at frog.za.net> wrote:
>
> Hi
>
> It seems that the push/pull errors have gone.

It sounds like something is being changed on the server side.

>
>
> In the windows client:
>
> Click AnyConnect
>
> Warns about the certificate > connect anyway
>
> Opens Browser and asks for account > connects but sometimes sends a SMS
> with a number to type in.
>
> Says connection is established.
>
>
> I do not have a secondary password.

Okay, so OpenConnect is (somehow) incorrectly parsing the forms sent
by the server. Either that or the server is sending different forms to
OpenConnect and AnyConnect.

Try either/both of these…
- Pretend to be running Cisco AnyConnect for Windows (`openconnect --os=win --useragent 'Cisco AnyConnect VPN Agent for Windows 4.7.03052'`)
- Add `--dump-http-traffic` to the command line to show

> I think that some session certificate is needed from the browser.

Do you mean a TLS client certificate? If that's needed, then you'll
certainly need to specify it with OpenConnect as well. See the `-c`,
`-k` options in the manual
(https://openconnect.gitlab.io/openconnect/manual.html).

Cisco servers normally give a clear error message when they require a
client cert, but none is specified… though it wouldn't surprise me if
there's some way to (mis)configure them not to show this.

Dan

>
> I tried typing in my stuff backwards and it still does not work.
>
> The vpn worked fine before the MFA upgrade.
>
> Thanks
>
>
>
>
> On 2021/03/22 19:36, Daniel Lenski wrote:
> > On Mon, Mar 22, 2021 at 9:55 AM William Bell <william.bell at frog.za.net> wrote:
> >> $ openconnect --version
> >> OpenConnect version v8.10-1
> >> Using GnuTLS 3.6.15. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> >> Supported protocols: anyconnect (default), nc, gp, pulse
> >>
> >> $ uname --all
> >> Linux williambell 5.8.0-45-generic #51-Ubuntu SMP Fri Feb 19 13:24:51 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
> >>
> >> (added hidden stuff and invalid IP address, the certificate sha is valid but expired.)
> >>
> >> $ sudo openconnect -vvv --servercert pin-sha256:hiddensha= --authgroup=HIDDEN_MFA --user=hiddenUserName 956.888.747.602
> > Thanks. I'm not seeing any of the "Error in the push/pull function" in
> > your log here… are those no longer occurring?
> >
> > It looks like your VPN is just repeatedly showing you the
> > username/password/secondary-password form because you're not entering
> > the expected values.
> >
> > I notice that both fields are labeled "Password: " in your case…
> > 1. Do the labels *differ* in the official AnyConnect client? (run
> > `openconnect --dump-http-traffic` to show the raw XML, which may help
> > us figure out where the labels come from)
> > 2. Is it possible that your VPN has the password and
> > secondary-password fields *reversed*, thus causing you to enter the
> > values backwards?
> > 3. We've seen a case of password-field-reversal before
> > (https://gitlab.com/openconnect/openconnect/-/issues/35#note_168906231),
> > but we don't know how to autodetect it.
> >
> > Dan
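Added example, not OpenConnect's code and not part of the thread: a small parser for the kind of AnyConnect `<config-auth>` form that `openconnect --dump-http-traffic` prints, with a check for the failure mode Dan describes above (two password inputs that carry the same label, so the client cannot tell the primary password from the MFA/secondary one). The XML below is a constructed sample modelled on the `<form>`/`<input name= label= type=>` shape these servers send; element and attribute names are assumptions, not a spec.

```python
"""Parse an AnyConnect-style auth form and flag ambiguous password fields.

Added example (not OpenConnect's own parser). The sample XML is constructed
to resemble what `openconnect --dump-http-traffic` shows for a login form;
real servers vary, so treat element and attribute names as assumptions.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: two password inputs both labelled "Password: ",
# mirroring the report in the thread.
SAMPLE_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
  <auth id="main">
    <message>Please enter your username and password.</message>
    <form method="post" action="/+webvpn+/index.html">
      <input type="text" name="username" label="Username:"/>
      <input type="password" name="password" label="Password: "/>
      <input type="password" name="secondary_password" label="Password: "/>
      <select name="group_list" label="GROUP:">
        <option>HIDDEN_MFA</option>
      </select>
    </form>
  </auth>
</config-auth>
"""


@dataclass
class Field:
    name: str   # form field name posted back to the server
    kind: str   # "text", "password" or "select"
    label: str  # prompt text the client shows the user


def parse_form(xml_text: str) -> List[Field]:
    """Extract the prompt fields from an auth-request document, in server order."""
    root = ET.fromstring(xml_text)
    form = root.find("./auth/form")
    if form is None:
        raise ValueError("no <form> element in auth response")
    fields: List[Field] = []
    for el in form:
        if el.tag == "input":
            fields.append(Field(el.get("name", ""), el.get("type", "text"), el.get("label", "")))
        elif el.tag == "select":
            fields.append(Field(el.get("name", ""), "select", el.get("label", "")))
    return fields


def ambiguous_password_fields(fields: List[Field]) -> List[List[str]]:
    """Group password fields by label; any group of size > 1 is ambiguous.

    Identical labels (whitespace stripped) mean the prompts give the user no
    way to know which field wants the primary password and which the MFA
    value, which is exactly the reversal problem discussed in the thread.
    """
    by_label: Dict[str, List[str]] = {}
    for f in fields:
        if f.kind == "password":
            by_label.setdefault(f.label.strip(), []).append(f.name)
    return [names for names in by_label.values() if len(names) > 1]


def prompts(fields: List[Field]) -> List[str]:
    """The prompt strings a client would show, in the order it would ask."""
    return [f.label for f in fields]


if __name__ == "__main__":
    parsed = parse_form(SAMPLE_FORM)
    for f in parsed:
        print(f"{f.kind:8s} {f.name:20s} {f.label!r}")
    clashes = ambiguous_password_fields(parsed)
    if clashes:
        print("ambiguous password fields:", clashes)
```

Run against a real dump, the useful check is whether the server's labels actually differ for the two password inputs; if they do not, the ordering of the `name` attributes is the only hint about which value goes where, and that ordering is what the thread suspects is reversed on this server.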