Compatibility with 2 factor authentication?
Matthew Kitchin (Public/Usenet)
mkitchin.public at gmail.com
Tue Jun 4 17:20:52 EDT 2013
On 5/30/2013 4:25 AM, David Woodhouse wrote:
> You could try updating just openconnect, perhaps? Although you might
> need a newer OpenSSL for that...
I upgraded my router to Attitude Adjustment and Openconnect 4.08. It now
behaves differently with the Duo Security (https://www.duosecurity.com/)
product. I now know a little bit more about why they are doing what they
are doing. Duo Security had us load this javascript file on the web
interface:
https://gist.github.com/anonymous/5709611
I have changed the sensitive values. This allows the various VPN clients
to pop up a message on your smart phone or have your smart phone
generate a code that becomes your second password. I assume this
javascript is not agreeing with openconnect even for groups that do not
have this feature enabled. The Duo Security feature is enabled per VPN
group.
I have a script that contains the username and password for the VPN
connection. On the older version of openconnect, it would prompt for
additional username and password, and would let me in as long as I put
in junk values. On 4.08, I get this:
------------
Please enter your username and password.
Username:Failed to obtain WebVPN cookie
root at OpenWrt:~#
------------
If I take the username and password out of the script, I get prompted
for username and password. Once I enter valid credentials, I am prompted
a second time. Again, I just have to put in junk values. This is all for
a group that is not secured by Duo Security. This is obviously not a
shortcoming of openconnect. I just didn't want to leave this issue
without explaining what happened. If there is any way I could make
openconnect behave like a browser in this case, that would be really cool,
but it is not something I would expect to work.
More information about the openconnect-devel mailing list