Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Jan 12 06:52:56 EST 2014
On 01/12/2014 08:22 AM, Kevin Cernekee wrote:
>> However my assumption is that the problem is not the
>> format being used, but the fact that newer AnyConnect versions use
>> multiple TCP connections instead of one. One for the username and one
>> for the password which is killing the state machine in
>> src/worker-auth.c.
>
> I agree that this looks like a likely culprit for the problem you
> reported. I played around with "openconnect --no-http-keepalive" and
> also saw problems using ocserv with plain authentication.
Indeed that was the issue and it seems it is now fixed by having
ocserv use a compact authentication method (ask both username
and password in one go) if the client does auth using the
"Connection: Close" HTTP headers. That would work only if a single
password is required from PAM, but I guess that's a reasonable
trade-off.

Now the client manages to establish a TCP connection but terminates
immediately because "VPN establishment capability from a remote
Desktop is disabled"... So I guess there is again something it doesn't
like.

I give up for now.

regards,
Nikos
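
A minimal model of the failure and the fix discussed in this message, added here as an example; it is not ocserv code. The worker struct, the function names and the alice/s3cret credentials are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical model (not ocserv code): one worker per TCP connection holds auth state. */
enum auth_state { WANT_USER, WANT_PASS, AUTH_OK };
enum form { FORM_USER_ONLY, FORM_USER_AND_PASS };
struct worker { enum auth_state st; char user[32]; };
/* Constructed sample credentials standing in for the PAM check. */
static int check(const char *u, const char *p)
{ return !strcmp(u, "alice") && !strcmp(p, "s3cret"); }

/* Choose the form from the Connection header value (NULL if absent). */
enum form pick_form(const char *connection_hdr)
{
    if (connection_hdr && strcasecmp(connection_hdr, "close") == 0)
        return FORM_USER_AND_PASS; /* compact: needs a single PAM password */
    return FORM_USER_ONLY;         /* two-step: relies on connection state */
}
/* One POST; user/pass are NULL when absent. Returns 1 once authenticated. */
int handle_post(struct worker *w, const char *user, const char *pass)
{
    if (user && pass) {
        w->st = check(user, pass) ? AUTH_OK : WANT_USER;
    } else if (w->st == WANT_USER && user) {
        snprintf(w->user, sizeof(w->user), "%s", user);
        w->st = WANT_PASS;
    } else if (w->st == WANT_PASS && pass) {
        w->st = check(w->user, pass) ? AUTH_OK : WANT_USER;
    } else {
        w->st = WANT_USER; /* password arrived with no username on record */
    }
    return w->st == AUTH_OK;
}

/* new_conn_per_request models a client that sends "Connection: close". */
int simulate(int new_conn_per_request, enum form f)
{
    struct worker w = { WANT_USER, "" };
    if (f == FORM_USER_AND_PASS)
        return handle_post(&w, "alice", "s3cret");
    handle_post(&w, "alice", NULL);
    if (new_conn_per_request)
        w = (struct worker){ WANT_USER, "" }; /* fresh worker: state lost */
    return handle_post(&w, NULL, "s3cret");
}
int main(void) {
    printf("keepalive=%d close,two-step=%d close,compact=%d\n", simulate(0, FORM_USER_ONLY),
           simulate(1, FORM_USER_ONLY), simulate(1, pick_form("close")));
    return 0;
}
```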