Cisco VPN and Azure AD

Watts, Brian b.watts at ucl.ac.uk
Tue Sep 7 00:45:29 PDT 2021


Hi,

Our Cisco VPN has changed to using Azure MFA.
Opening a connection with OpenConnect asks for username and password
but then just returns to the same prompt.
I do not get any notifications in the Authenticator app.
Am I missing some simple piece of configuration?

Thanks,
Brian



root@triton:~# openconnect -vvv asa-vpn-isd.ucl.ac.uk
POST https://asa-vpn-isd.ucl.ac.uk/
Attempting to connect to server 128.40.124.178:443
Connected to 128.40.124.178:443
SSL negotiation with asa-vpn-isd.ucl.ac.uk
Connected to HTTPS on asa-vpn-isd.ucl.ac.uk
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 07 Sep 2021 07:40:11 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://asa-vpn-isd.ucl.ac.uk/
Attempting to connect to server 128.40.124.178:443
Connected to 128.40.124.178:443
SSL negotiation with asa-vpn-isd.ucl.ac.uk
Connected to HTTPS on asa-vpn-isd.ucl.ac.uk
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 07 Sep 2021 07:40:11 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://asa-vpn-isd.ucl.ac.uk/+webvpn+/index.html
SSL negotiation with asa-vpn-isd.ucl.ac.uk
Connected to HTTPS on asa-vpn-isd.ucl.ac.uk
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Multi-Factor Authentication is now enabled on the ISD VPN, please have your device registered for MFA ready to approve access.  

Check for notifications in your app if you use it as your preferred method.
Please enter your username and password.
GROUP: [SSLVPN]:SSLVPN
Multi-Factor Authentication is now enabled on the ISD VPN, please have your device registered for MFA ready to approve access.  

Check for notifications in your app if you use it as your preferred method.
Please enter your username and password.
Username:
Password:
POST https://asa-vpn-isd.ucl.ac.uk/+webvpn+/index.html
Failed to write to SSL socket: The TLS connection was non-properly terminated.
SSL negotiation with asa-vpn-isd.ucl.ac.uk
Connected to HTTPS on asa-vpn-isd.ucl.ac.uk
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Multi-Factor Authentication is now enabled on the ISD VPN, please have your device registered for MFA ready to approve access.  

Check for notifications in your app if you use it as your preferred method.
Please enter your username and password.
Username:


