Cannot enter 2FA code

[Daniel Lenski]

On Tue, Sep 13, 2022 at 3:43 AM Ian Braithwaite <idb at tagvision.dk> wrote:
>
> On 12/09/2022 19:18, Daniel Lenski wrote:
> > On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite <idb at tagvision.dk> wrote:
> >> 1. Ian, does your server also fall back to the non-XML-based
> >> authentication, like Henry Luis's report and like
> >> https://gitlab.com/openconnect/openconnect/-/issues/489?
>
> Yes it does (redirect, GET /+webvpn+/index.html).
>
> >> 2. Does spoofing an official Cisco Windows client change anything?
> >> (openconnect --os=win --useragent 'Cisco AnyConnect VPN Agent for
> >> Windows 4.9.0195')?)
>
> Very much - OpenConnect successfully connects, without the redirect.

Excellent. Quick follow-up: does it require *both* of those arguments
to connect successfully? Or is simply `--os=win` sufficient?

> The server response is completely different - the hidden fields are gone
> and it has a normal password field that OpenConnect handles just fine:

Yay, Cisco. 🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️

> >> My best guess about the root cause here is that either it's a result
> >> of a server being misconfigured/confused due to a lack of testing with
> >> non-official clients, OR that it's an intentional obfuscation of the
> >> authentication forms with the intention of confusing non-official
> >> clients.
>
> Or even both :-).

Agreed. "Never attribute to malice that which is adequately explained
by incompetence"… but in this case there may indeed be a bit of both.

Thank you, this was a great job digging into the mailing list for
related past issues, and clears up some mysteries.

Perhaps we should update our Cisco-specific docs at
https://www.infradead.org/openconnect/anyconnect.html (source is at
https://gitlab.com/openconnect/openconnect/blob/master/www/anyconnect.xml)
to emphasize the need to spoof official Cisco clients to workaround
authentication issues in some cases. Merge requests would be welcome
:-)

Dan