Re: OpenConnect stopped working with TOTP where AnyConnect still works…

David Raison david at tentwentyfour.lu
Fri May 26 00:34:41 PDT 2023


Hi Daniel,


tl;dr: Thanks, setting the user agent to AnyConnect made it work.


On 25/05/2023 23:53, Daniel Lenski wrote:
> Your log shows that you're getting non-XMLPOST responses from the
> server. This is an olllllllllllllllld authentication mode of Cisco
> servers, which is vestigial and broken on most VPNs, because the
> admins don't know about it, and don't test against it.

I checked, just to make sure, that that wasn't my fault. The snippet I 
pasted was actually from a request where I had explicitly used the 
--no-xmlpost flag because I had read about it in another thread and 
wanted to consider every possibility.

But I just ran it again without that flag, and the result (response) is 
exactly the same.


> Quite likely, you've run into issue #544 (~= "newer Cisco servers
> require `--useragent=AnyConnect`, otherwise they get stuck in the
> usually non-functional non-XMLPOST auth path").
>
> See more details in
> https://gitlab.com/openconnect/openconnect/-/issues/544#note_1222936179,
> and let us know if adding `--useragent=AnyConnect` addresses the
> problem.

Yes, that seems to have been exactly it. Setting the useragent to 
AnyConnect makes it work again. The response I get now is a completely 
different one and I can also see that openconnect is no longer making 
requests using query parameters but posting XML bodies instead.


> This is a pretty maddening issue. It's almost as if Cisco
> intentionally changed their servers’ responses to make authentication
> fail in a particularly misleading way for users of *OpenConnect*…
> based on the fact that we default to sending an accurate User-Agent
> header correctly describing the client as a non-Cisco one.

I don't doubt that for a second ;)

Thanks,
David
