Cisco MFA

William Bell william.bell at frog.za.net
Mon Mar 22 20:38:22 GMT 2021


When I try --os=win

It forces me to the HIDDEN_NONMFA group, which I used to use and which works.
I no longer have permissions to use that group.

I have also included the Windows client's output below.


$ sudo openconnect -vvv --useragent 'Cisco AnyConnect VPN Agent for Windows 4.7.03052' --dump-http-traffic --servercert pin-sha256:hiddensha= --authgroup=HIDDEN_MFA --user=hiddenUserName 956.888.747.602
POST https://956.888.747.602/
Attempting to connect to server 956.888.747.602:443
Connected to 956.888.747.602:443
SSL negotiation with 956.888.747.602
Server certificate verify failed: signer not found
Connected to HTTPS on 956.888.747.602 with ciphersuite (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA1)
 > POST / HTTP/1.1
 > Host: 956.888.747.602
 > User-Agent: Cisco AnyConnect VPN Agent for Windows 4.7.03052
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Aggregate-Auth: 1
 > X-AnyConnect-Platform: linux-64
 > X-Support-HTTP-Auth: true
 > X-Pad: 0000000000000000000000000000000000000000000000000
 > Content-Type: application/xml; charset=utf-8
 > Content-Length: 207
 >
 > <?xml version="1.0" encoding="UTF-8"?>
 > <config-auth client="vpn" type="init"><version who="vpn">v8.10-1</version><device-id>linux-64</device-id><group-access>https://956.888.747.602</group-access></config-auth>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 22 Mar 2021 20:16:01 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://956.888.747.602/
Attempting to connect to server 956.888.747.602:443
Connected to 956.888.747.602:443
SSL negotiation with 956.888.747.602
Server certificate verify failed: signer not found
Connected to HTTPS on 956.888.747.602 with ciphersuite (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA1)
 > GET / HTTP/1.1
 > Host: 956.888.747.602
 > User-Agent: Cisco AnyConnect VPN Agent for Windows 4.7.03052
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Support-HTTP-Auth: true
 > X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
 > Content-Type: application/x-www-form-urlencoded
 > Content-Length: 0
 >
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 22 Mar 2021 20:16:01 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://956.888.747.602/+webvpn+/index.html
SSL negotiation with 956.888.747.602
Server certificate verify failed: signer not found
Connected to HTTPS on 956.888.747.602 with ciphersuite (TLS1.2)-(RSA)-(AES-256-CBC)-(SHA1)
 > GET /+webvpn+/index.html HTTP/1.1
 > Host: 956.888.747.602
 > User-Agent: Cisco AnyConnect VPN Agent for Windows 4.7.03052
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Support-HTTP-Auth: true
 > X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
 > Content-Type: application/x-www-form-urlencoded
 > Content-Length: 0
 >
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2013 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
< <input type="text" name="secondary_username" label="Username:" second-auth="1" />
< <input type="password" name="secondary_password" label="Password:" second-auth="1" />
< <select name="group_list" label="GROUP:">
< <option value="HIDDEN_MFA" secondary_username="" secondary_username_editable="false" second-auth="1" noaaa="0" >HIDDEN_MFA</option><option value="HIDDEN_NONMFA" noaaa="0" >HIDDEN_NONMFA</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
Please enter your username and password.
Password:
Password:
POST https://956.888.747.602/+webvpn+/index.html
 > POST /+webvpn+/index.html HTTP/1.1
 > Host: 956.888.747.602
 > User-Agent: Cisco AnyConnect VPN Agent for Windows 4.7.03052
 > Cookie: webvpnlogin=1
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Support-HTTP-Auth: true
 > X-Pad: 00000000000000000
 > Content-Type: application/x-www-form-urlencoded
 > Content-Length: 111
 >
 > group_list=HIDDEN_MFA&username=hiddenUserName&password=HiddenPassword&secondary_username=&secondary_password=HiddenPassword
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2013 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
< <input type="text" name="secondary_username" label="Username:" second-auth="1" />
< <input type="password" name="secondary_password" label="Password:" second-auth="1" />
< <select name="group_list" label="GROUP:">
< <option value="HIDDEN_MFA" secondary_username="" secondary_username_editable="false" second-auth="1" noaaa="0" >HIDDEN_MFA</option><option value="HIDDEN_NONMFA" noaaa="0" >HIDDEN_NONMFA</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
Username:hiddenUserName
Password:
Password:
POST https://956.888.747.602/+webvpn+/index.html
 > POST /+webvpn+/index.html HTTP/1.1
 > Host: 956.888.747.602
 > User-Agent: Cisco AnyConnect VPN Agent for Windows 4.7.03052
 > Cookie: webvpnlogin=1
 > Accept: */*
 > Accept-Encoding: identity
 > X-Transcend-Version: 1
 > X-Support-HTTP-Auth: true
 > X-Pad: 00000000000000000
 > Content-Type: application/x-www-form-urlencoded
 > Content-Length: 111
 >
 > group_list=HIDDEN_MFA&username=hiddenUserName&password=HiddenPassword&secondary_username=&secondary_password=HiddenPassword
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2013 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
< <input type="text" name="secondary_username" label="Username:" second-auth="1" />
< <input type="password" name="secondary_password" label="Password:" second-auth="1" />
< <select name="group_list" label="GROUP:">
< <option value="HIDDEN_MFA" secondary_username="" secondary_username_editable="false" second-auth="1" noaaa="0" >HIDDEN_MFA</option><option value="HIDDEN_NONMFA" noaaa="0" >HIDDEN_NONMFA</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
Username:


Windows client output

20:04:15    Ready to connect.
20:04:25    Contacting 956.888.747.602.
20:05:12    Checking status of browser based authentication...
20:05:15    Checking status of browser based authentication...
20:05:18    Checking status of browser based authentication...
20:05:21    Checking status of browser based authentication...
20:05:24    Checking status of browser based authentication...
20:05:27    Checking status of browser based authentication...
20:05:30    Checking status of browser based authentication...
20:05:34    Checking status of browser based authentication...
20:05:37    Checking status of browser based authentication...
20:05:40    Checking status of browser based authentication...
20:05:43    Checking status of browser based authentication...
20:05:46    Checking status of browser based authentication...
20:05:49    Checking status of browser based authentication...
20:05:49    Establishing VPN session...
20:05:49    The AnyConnect Downloader is performing update checks...
20:05:49    Checking for profile updates...
20:05:49    Checking for product updates...
20:05:49    Checking for customization updates...
20:05:49    Performing any required updates...
20:05:49    The AnyConnect Downloader updates have been completed.
20:05:49    Establishing VPN - Initiating connection...
20:05:50    Establishing VPN session...
20:05:50    Establishing VPN - Examining system...
20:05:50    Establishing VPN - Activating VPN adapter...
20:05:54    Establishing VPN - Configuring system...
20:05:54    Establishing VPN...
20:05:54    Connected to 956.888.747.602.


On 2021/03/22 21:28, Daniel Lenski wrote:
> On Mon, Mar 22, 2021 at 11:13 AM William Bell <william.bell at frog.za.net> wrote:
>> Hi
>>
>> It seems that the push/pull errors have gone.
> It sounds like something is being changed on the server side.
>
>>
>> In the windows client:
>>
>> Click AnyConnect
>>
>> Warns about the certificate > connect anyway
>>
>> Opens Browser and asks for account > connects but sometimes sends a SMS
>> with a number to type in.
>>
>> Says connection is established.
>>
>>
>> I do not have a secondary password.
> Okay, so OpenConnect is (somehow) incorrectly parsing the forms sent
> by the server. Either that or the server is sending different forms to
> OpenConnect and AnyConnect.
>
> Try either/both of these…
> - Pretend to be running Cisco AnyConnect for Windows (openconnect
> --os=win --useragent 'Cisco AnyConnect VPN Agent for Windows
> 4.7.03052')
> - Add `--dump-http-traffic` to the command line to show
>
>> I think that some session certificate is needed from the browser.
> Do you mean a TLS client certificate? If that's needed, then you'll
> certainly need to specify it with OpenConnect as well. See the `-c`,
> `-k` options in the manual
> (https://openconnect.gitlab.io/openconnect/manual.html).
>
> Cisco servers normally give a clear error message when they require a
> client cert, but none is specified… though it wouldn't surprise me if
> there's some way to (mis)configure them not to show this.
>
> Dan
>
>
>> I think that some session
>> certificate is needed from the browser.
>
>
>> I tried typing in my stuff backwards and it still does not work.
>>
>> The vpn worked fine before the MFA upgrade.
>>
>> Thanks
>>
>>
>>
>>
>> On 2021/03/22 19:36, Daniel Lenski wrote:
>>> On Mon, Mar 22, 2021 at 9:55 AM William Bell <william.bell at frog.za.net> wrote:
>>>> $ openconnect --version
>>>> OpenConnect version v8.10-1
>>>> Using GnuTLS 3.6.15. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
>>>> Supported protocols: anyconnect (default), nc, gp, pulse
>>>>
>>>> $ uname --all
>>>> Linux williambell 5.8.0-45-generic #51-Ubuntu SMP Fri Feb 19 13:24:51 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>>>>
>>>> (added hidden stuff and invalid IP address, the certificate sha is valid but expired.)
>>>>
>>>> $ sudo openconnect -vvv --servercert pin-sha256:hiddensha= --authgroup=HIDDEN_MFA --user=hiddenUserName 956.888.747.602
>>> Thanks. I'm not seeing any of the "Error in the push/pull function" in
>>> your log here… are those no longer occurring?
>>>
>>> It looks like your VPN is just repeatedly showing you the
>>> username/password/secondary-password form because you're not entering
>>> the expected values.
>>>
>>> I notice that both fields are labeled "Password: " in your case…
>>> 1. Do the labels *differ* in the official AnyConnect client? (run
>>> `openconnect --dump-http-traffic` to show the raw XML, which may help
>>> us figure out where the labels come from)
>>> 2. Is it possible that your VPN has the password and
>>> secondary-password fields *reversed*, thus causing you to enter the
>>> values backwards?
>>> 3. We've seen a case of password-field-reversal before
>>> (https://gitlab.com/openconnect/openconnect/-/issues/35#note_168906231),
>>> but we don't know how to autodetect it.
>>>
>>> Dan
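
The `<auth>` form the ASA returns in the dump above is what decides which prompts a client shows and which fields it submits: an `<input second-auth="1">` only applies when the selected `<option>` also carries `second-auth="1"`, and `secondary_username_editable="false"` pins that field to the value on the option. The following Python is an added example, not OpenConnect's own C parser and not anything from Cisco: it parses a copy of the form from the log (redacted names kept as they appear, banner comment trimmed), works out the prompts for each group, flags prompts that share a label (the two "Password:" fields Dan asked about), and rebuilds the urlencoded POST body seen in the log. The credential values and the field order in the body are constructed to match the log, not taken from any specification.

```python
"""Parse a Cisco aggregate-auth <auth> form and build the login POST body.

Added example for the thread above; not OpenConnect's code.  FORM_XML is a
constructed copy of the form in the --dump-http-traffic log, with the
redacted group and user names kept exactly as they appear there.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

FORM_XML = """<auth id="main">
<title>SSL VPN Service</title>
<ca status="disabled" href="/+CSCOCA+/login.html" />
<banner></banner>
<message>Please enter your username and password.</message>
<form method="post" action="/+webvpn+/index.html">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<input type="text" name="secondary_username" label="Username:" second-auth="1" />
<input type="password" name="secondary_password" label="Password:" second-auth="1" />
<select name="group_list" label="GROUP:">
<option value="HIDDEN_MFA" secondary_username="" secondary_username_editable="false" second-auth="1" noaaa="0">HIDDEN_MFA</option><option value="HIDDEN_NONMFA" noaaa="0">HIDDEN_NONMFA</option></select>
<input type="submit" name="Login" value="Login" />
<input type="reset" name="Clear" value="Clear" />
</form>
</auth>
"""


def parse_form(xml_text):
    """Return the form action, message, <input> attributes and group <option>s."""
    root = ET.fromstring(xml_text)
    form = root.find("form")
    select = form.find("select[@name='group_list']")
    return {
        "action": form.get("action"),
        "message": root.findtext("message"),
        "inputs": [dict(i.attrib) for i in form.findall("input")],
        "group_field": select.get("name"),
        "groups": {o.get("value"): dict(o.attrib) for o in select.findall("option")},
    }


def _resolve_fields(parsed, group):
    """Yield (name, label, is_secret, fixed_value) for each text/password
    <input> that applies once `group` is selected.  fixed_value is the value
    pinned by the <option> (here secondary_username="" together with
    secondary_username_editable="false"); None means the user must answer."""
    opt = parsed["groups"][group]
    group_second_auth = opt.get("second-auth") == "1"
    for inp in parsed["inputs"]:
        kind = inp.get("type")
        if kind not in ("text", "password"):
            continue  # submit / reset buttons carry no data
        name = inp["name"]
        if inp.get("second-auth") == "1" and not group_second_auth:
            continue  # secondary-auth field not used by this group
        fixed = None
        if name in opt and opt.get(name + "_editable") == "false":
            fixed = opt[name]
        yield name, inp.get("label", ""), kind == "password", fixed


def fields_for_group(parsed, group):
    """Prompts the client must show for `group`: (name, label, is_secret)."""
    return [(n, lab, s) for n, lab, s, fixed in _resolve_fields(parsed, group) if fixed is None]


def ambiguous_labels(parsed, group):
    """Labels shared by two or more prompted fields; the user cannot tell them apart."""
    labels = [lab for _, lab, _ in fields_for_group(parsed, group)]
    return sorted({lab for lab in labels if labels.count(lab) > 1})


def build_post_body(parsed, group, answers):
    """urlencoded body: group first, then every applicable field in document
    order, with server-pinned fields taken from the <option> attributes."""
    pairs = [(parsed["group_field"], group)]
    for name, _, _, fixed in _resolve_fields(parsed, group):
        pairs.append((name, fixed if fixed is not None else answers[name]))
    return urlencode(pairs)


if __name__ == "__main__":
    parsed = parse_form(FORM_XML)
    # Constructed placeholder credentials, matching the redaction in the log.
    answers = {"username": "hiddenUserName", "password": "HiddenPassword",
               "secondary_password": "HiddenPassword"}
    for group in parsed["groups"]:
        print(group, "prompts:", [n for n, _, _ in fields_for_group(parsed, group)],
              "ambiguous labels:", ambiguous_labels(parsed, group))
    print("POST", parsed["action"])
    print(build_post_body(parsed, "HIDDEN_MFA", answers))
```

Running it shows that for HIDDEN_MFA the client has to ask for username, password and secondary_password while secondary_username is submitted empty without a prompt, and that the two password prompts are indistinguishable by label, which is exactly the situation in the log: the client cannot know from the form alone whether the second "Password:" expects a token code, an SMS code or something else.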


