Cisco MFA

Daniel Lenski dlenski at gmail.com
Mon Mar 22 22:00:02 GMT 2021


On Mon, Mar 22, 2021 at 1:38 PM William Bell <william.bell at frog.za.net> wrote:
>
> When I try --os=win
>
> It forces me to the HIDDEN_NONMFA group, which I used to use and works.
> I no longer have permissions to use that group.
>
> I have also included the windows client's output below.

Lemme get this straight…

- If you use OpenConnect to spoof the AnyConnect-for-Windows client,
the server forces you to use the HIDDEN_NONMFA group, which you don't
have access to?
- If you use the AnyConnect-for-Windows client, it allows you to
connect correctly?

What's the difference between the two? How are the requests from
OpenConnect-spoofing-AnyConnect distinguished from AnyConnect? (This
question *might* require a MITM log to answer.)

It also seems to me that whoever set your server up just didn't test
it with OpenConnect, or just didn't test it with Linux clients. It's
hard to tell whether this was intentional (to prevent use of anything
other than the official AnyConnect-for-Windows client) or just the
result of misconfiguration/inadequate testing. In my experience, the
latter is much more common. You probably have a good idea.

In any case, even if your administrators ARE TRYING to prevent you
from connecting with a non-standard client, it's always possible to
circumvent this… just have to figure out how to emulate the behavior
of the official client in a more indistinguishable way.

Dan


