Cisco MFA

Daniel Lenski dlenski at gmail.com
Tue Mar 23 16:28:49 GMT 2021


On Mon, Mar 22, 2021 at 10:27 PM William Bell <william.bell at frog.za.net> wrote:
> > It also seems to me that whoever set your server up just didn't test
> > it with OpenConnect, or just didn't test it with Linux clients. It's
> > hard to tell whether this was intentional (to prevent use of anything
> > other than the official AnyConnect-for-Windows client) or just the
> > result of misconfiguration/inadequate testing. In my experience, the
> > latter is much more common. You probably have a good idea.
>
> They either did not have the money to do it, I asked for the Linux
> client and they said they did not have one, Windows only.
>
> The version we are using seems no longer available at Cisco.
>
> >
> > In any case, even if your administrators ARE TRYING to prevent you
> > from connecting with a non-standard client, it's always possible to
> > circumvent this… just have to figure out how to emulate the behavior
> > of the official client in a more indistinguishable way.
>
> Could it be that the client is reading the credentials from a cookie
> that the browser temporarily creates or something from the browser by some
> other means. All browsers seem to work. So to get this working, at some
> point openconnect should open/start the default browser and "do the same
> thing"

This sounds like your VPN may be using Cisco SSO/SAML. See
https://gitlab.com/openconnect/openconnect/-/merge_requests/75 for
work-in-progress to support this.

Easy way to tell: run with `--dump-http-traffic` and see if the
initial auth form contains tags like `<sso-`.

Dan
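The check Dan describes, as an added example that is not part of the original thread: it scans captured auth replies (constructed samples below, modelled on an AnyConnect `<config-auth>` form) for any element whose tag starts with `sso-`; the specific `sso-v2-*` element names in the sample are assumed for illustration.

```python
"""Detect whether a captured AnyConnect auth form asks for SSO/SAML login."""
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of a server reply that requires SSO (element names assumed).
SAMPLE_SSO_DUMP = """HTTP/1.1 200 OK
Content-Type: text/xml

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<auth id="main">
<title>Login</title>
<sso-v2-login>https://vpn.example.com/+CSCOE+/saml/sp/login</sso-v2-login>
<sso-v2-token-cookie-name>acSamlv2Token</sso-v2-token-cookie-name>
<form></form>
</auth>
</config-auth>
"""

# Constructed sample of an ordinary username/password form for comparison.
SAMPLE_PASSWORD_DUMP = """HTTP/1.1 200 OK
Content-Type: text/xml

<config-auth client="vpn" type="auth-request">
<auth id="main">
<form method="post" action="/+webvpn+/index.html">
<input type="text" name="username" label="Username:"/>
<input type="password" name="password" label="Password:"/>
</form>
</auth>
</config-auth>
"""


def extract_auth_bodies(dump: str) -> List[str]:
    """Pull each <config-auth>...</config-auth> document out of a traffic dump."""
    return re.findall(r"<config-auth\b.*?</config-auth>", dump, re.S)


def find_sso_tags(body: str) -> List[str]:
    """Return the sorted set of element names starting with 'sso-'."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Fall back to a textual scan if the body is not well-formed XML.
        return sorted({m.group(1) for m in re.finditer(r"<(sso-[\w-]*)", body)})
    return sorted({el.tag for el in root.iter() if el.tag.startswith("sso-")})


def uses_sso(dump: str) -> bool:
    """True if any auth form in the dump contains an <sso-...> element."""
    return any(find_sso_tags(body) for body in extract_auth_bodies(dump))
```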
