Using OpenConnect to connect to AnyConnect server with Socket Filter requirement

Savely Krasovsky savely at krasovs.ky
Fri Apr 7 05:09:40 PDT 2023


Hello! My employer uses VMware Workspace ONE as MDM and deploys Cisco
AnyConnect with Socket Filter as a requirement. I want to connect to this
endpoint using OpenConnect, but with no success.

What I did:
- I've exported the MDM certificate from Keychain and tried it with
OpenConnect both as client certificate and as mca-certificate.
- I've tried to MITM it, but after the first XML POST AnyConnect throws an
error and stops connecting. It probably has some anti-MITM techniques.
- I've tried to uninstall Socket Filter to test AnyConnect without it.
It successfully handshakes, but fails at the "system configuration" step
(it probably tries to set up Socket Filter and fails).

On other devices with AnyConnect, both AnyConnect and OpenConnect behave
similarly: they repeatedly ask me to enter username and password but
every time throw "Login failed.". No errors about certificates or anything like that.

Dump of first XML POST:

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init" aggregate-auth-version="2">
  <version who="vpn">4.10.05111</version>
  <device-id computer-name="REDACTED" device-type="MacBookPro18,1" platform-version="13.3.0" unique-id="REDACTED" unique-id-global="REDACTED">mac-intel</device-id>
  <mac-address-list>
    <mac-address>REDACTED</mac-address>
  </mac-address-list>
  <group-access>https://REDACTED</group-access>
  <capabilities>
    <auth-method>multiple-cert</auth-method>
    <auth-method>single-sign-on</auth-method>
    <auth-method>single-sign-on-v2</auth-method>
    <auth-method>single-sign-on-external-browser</auth-method>
  </capabilities>
</config-auth>

In my opinion (I'm a newbie to it) it could be that AnyConnect and
OpenConnect send different mac-address and device-id attributes. Also
maybe it sends a different mca-certificate, not the MDM one (but I didn't find
any other related certificate in the system KeyStore).

Probably I could try to trick AnyConnect's MITM detection, but I don't know
where to start. I'm writing to get some hints and help.
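A way to test the hypothesis above without guessing: parse the config-auth init POST from each client and report exactly which device-identifying fields differ. This is an added example, not code from the original post or from OpenConnect; the first sample mirrors the dump above, the second is an assumed OpenConnect init message with constructed values, and the field names and diff format are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample captures (all identifying values are placeholders).
ANYCONNECT_POST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init" aggregate-auth-version="2">
<version who="vpn">4.10.05111</version>
<device-id computer-name="REDACTED" device-type="MacBookPro18,1" platform-version="13.3.0" unique-id="REDACTED" unique-id-global="REDACTED">mac-intel</device-id>
<mac-address-list><mac-address>REDACTED</mac-address></mac-address-list>
<group-access>https://REDACTED</group-access>
<capabilities><auth-method>multiple-cert</auth-method><auth-method>single-sign-on</auth-method>
<auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities>
</config-auth>"""

# Assumed OpenConnect init message: constructed, differs in a few fields.
OPENCONNECT_POST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="init" aggregate-auth-version="2">
<version who="vpn">CONSTRUCTED-9.01</version>
<device-id computer-name="REDACTED" device-type="CONSTRUCTED-DEVICE" platform-version="13.3.0" unique-id="REDACTED">mac-intel</device-id>
<mac-address-list><mac-address>00:00:00:00:00:00</mac-address></mac-address-list>
<group-access>https://REDACTED</group-access>
<capabilities><auth-method>multiple-cert</auth-method><auth-method>single-sign-on</auth-method>
<auth-method>single-sign-on-v2</auth-method></capabilities>
</config-auth>"""


def init_fingerprint(xml_text):
    """Flatten the device-identifying parts of a config-auth init POST into a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # bytes, so the XML declaration is honoured
    if root.tag != "config-auth" or root.get("type") != "init":
        raise ValueError("not a config-auth init message")
    dev = root.find("device-id")
    fp = {"version": (root.findtext("version") or "").strip()}
    if dev is not None:
        fp["platform"] = (dev.text or "").strip()
        for name, value in dev.attrib.items():  # computer-name, device-type, unique-id, ...
            fp["device-id/" + name] = value
    # Sort so that element order in a capture does not register as a difference.
    fp["mac-addresses"] = tuple(sorted(m.text or "" for m in root.iter("mac-address")))
    fp["auth-methods"] = tuple(sorted(m.text or "" for m in root.iter("auth-method")))
    return fp


def diff_fingerprints(a, b):
    """Return {field: (value_in_a, value_in_b)} for every field that differs or is missing."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    diff = diff_fingerprints(init_fingerprint(ANYCONNECT_POST), init_fingerprint(OPENCONNECT_POST))
    for field, (ac, oc) in diff.items():
        print(f"{field}: AnyConnect={ac!r} OpenConnect={oc!r}")
```

Feeding it two real captures (with the same redactions applied to both) shows whether the two clients really differ in device-id, mac-address or capabilities, or whether the rejection must come from something else such as the certificate.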
