Cisco MFA

William Bell william.bell at frog.za.net
Tue Mar 23 05:27:39 GMT 2021


On 2021/03/23 00:00, Daniel Lenski wrote:
> On Mon, Mar 22, 2021 at 1:38 PM William Bell <william.bell at frog.za.net> wrote:
>> When I try --os=win
>>
>> It forces me to the HIDDEN_NONMFA group, which I used to use and works.
>> I no longer have permissions to use that group.
>>
>> I have also included the Windows client's output below.
> Lemme get this straight…
>
> - If you use OpenConnect to spoof the AnyConnect-for-Windows client,
> the server forces you to use the HIDDEN_NONMFA group, which you don't
> have access to?
> - If you use the AnyConnect-for-Windows client, it allows you to
> connect correctly?
Yes, only if I make os=win
>
> What's the difference between the two? How are the requests from
> OpenConnect-spoofing-AnyConnect distinguished from AnyConnect? (This
> question *might* require a MITM log to answer.)
I will see if I can get this log; it may take some time, maybe the
weekend only.
>
> It also seems to me that whoever set your server up just didn't test
> it with OpenConnect, or just didn't test it with Linux clients. It's
> hard to tell whether this was intentional (to prevent use of anything
> other than the official AnyConnect-for-Windows client) or just the
> result of misconfiguration/inadequate testing. In my experience, the
> latter is much more common. You probably have a good idea.

They either did not have the money to do it. I asked for the Linux
client and they said they did not have one, Windows only.

The version we are using seems to be no longer available at Cisco.

>
> In any case, even if your administrators ARE TRYING to prevent you
> from connecting with a non-standard client, it's always possible to
> circumvent this… just have to figure out how to emulate the behavior
> of the official client in a more indistinguishable way.

Could it be that the client is reading the credentials from a cookie
that the browser temporarily creates, or something from the browser by
some other means? All browsers seem to work. So to get this working, at
some point openconnect should open/start the default browser and "do the
same thing".


Thanks for your help so far.

>
> Dan



More information about the openconnect-devel mailing list