Is it possible to force use of the authgroup?
Andrew Stubbs
andrew.stubbs at gmail.com
Fri Apr 11 03:16:44 PDT 2014
I've been using Openconnect for a year or two now, and it has worked well.
There have been a few hiccoughs, now and then, when something changed in
the interface (--no-xmlpost and the like), and it seems I've hit another
one of those ....
Something changed on the server end last night, and this morning I
cannot authenticate because it does not prompt which authgroup I want to
use. When I try to login anyway I get a message that I don't have
permission to do that and I should use the authgroup.
Basically it wants me to log in using an option that it hasn't presented
to me.
I've tried with and without the --authgroup setting, but neither works.
I presume this is because no authgroups are prompted for. Is it possible
to insist on logging in that way?
The Windows Anyconnect client works fine, so I presume something is
possible.
In case it helps, the output, with --verbose, looks like this:
GET https://<redacted>.com/
Attempting to connect to server 12.202.168.11:443
Using certificate file /home/ams/.cisco/SecureAuth-cert.pfx
Enter PKCS#12 pass phrase:
Using client certificate 'astubbs@<redacted>.com'
Adding supporting CA 'MFCIssuer3Sierra.banner.multifactortrust3.com'
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 11 Apr 2014 08:32:29 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://<redacted>.com/+webvpn+/index.html
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
GET https://<redacted>.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 200 OK
Content-Length: 916
Cache-Control: max-age=0
X-Transcend-Version: 1
HTTP body length: (916)
GET https://<redacted>.com/+CSCOE+/sdesktop/wait.html
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 11 Apr 2014 08:32:30 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://<redacted>.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 11 Apr 2014 08:32:32 GMT
Location: /+webvpn+/index.html
Set-Cookie: sdesktop=19327DBF37D897DE7BC25B19; path=/; secure
HTTP body chunked (-2)
GET https://<redacted>.com/+webvpn+/index.html
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Username:astubbs
Password:
POST https://<redacted>.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Login denied.
You have insufficient privileges. Please try again using
'<my-usual-authgroup>' instead of 'login'.
A=��
Please enter your username and password.
Username:^C
I've substituted the identifying details that might get me in trouble,
but hopefully you get the idea. I very much doubt that IT will have any
interest in fixing it as long as the official client works, so any
adjustments will have to be on the client side.
Any suggestions?
Thanks in advance
Andrew
More information about the openconnect-devel
mailing list