Cisco MFA

William Bell william.bell at frog.za.net
Tue Mar 23 17:18:39 GMT 2021


Hi

I heard today that they will be upgrading to a Fortigate system in a few 
weeks.

So I do not think we should put more energy into this.

Thanks for all your help Dan.

On 2021/03/23 18:28, Daniel Lenski wrote:
> On Mon, Mar 22, 2021 at 10:27 PM William Bell <william.bell at frog.za.net> wrote:
>>> It also seems to me that whoever set your server up just didn't test
>>> it with OpenConnect, or just didn't test it with Linux clients. It's
>>> hard to tell whether this was intentional (to prevent use of anything
>>> other than the official AnyConnect-for-Windows client) or just the
>>> result of misconfiguration/inadequate testing. In my experience, the
>>> latter is much more common. You probably have a good idea.
>> They either did not have the money to do it; I asked for the Linux
>> client and they said they did not have one, Windows only.
>>
>> The version we are using seems no longer available at Cisco.
>>
>>> In any case, even if your administrators ARE TRYING to prevent you
>>> from connecting with a non-standard client, it's always possible to
>>> circumvent this… just have to figure out how to emulate the behavior
>>> of the official client in a more indistinguishable way.
>> Could it be that the client is reading the credentials from a cookie
>> that the browser temporarily creates, or something from the browser by some
>> other means? All browsers seem to work. So to get this working, at some
>> point openconnect should open/start the default browser and "do the same
>> thing".
> This sounds like your VPN may be using Cisco SSO/SAML. See
> https://gitlab.com/openconnect/openconnect/-/merge_requests/75 for
> work-in-progress to support this.
>
> Easy way to tell: run with `--dump-http-traffic` and see if the
> initial auth form contains tags like `<sso-`.
>
> Dan