Cannot enter 2FA code

Daniel Lenski dlenski at gmail.com
Mon Sep 12 10:18:38 PDT 2022


On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite <idb at tagvision.dk> wrote:
>
> I'm not the original poster, but I'm experiencing the same problem.
> Here's the details of the challenge form as requested.
> As you guessed, OpenConnect isn't recognizing that a field needs to be
> filled in
> and is just continuing without it.
>
> I guess it's this one?
>     <input type="hidden" name="challenge_code" value="0" />
>

That's a great catch. Also, a nearly identical situation was reported
~10 days ago on GitLab at
https://gitlab.com/openconnect/openconnect/-/issues/489

So now we have *THREE* reports of this on real Cisco servers.

> I don't know how OpenConnect is supposed to recognize it... weird it's
> "hidden".
>
>
>
> -+-+-+-
> Got HTTP response: HTTP/1.1 200 OK
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1
> Content-Security-Policy: default-src 'self' 'unsafe-inline'
> 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self';
> block-all-mixed-content
> X-Frame-Options: SAMEORIGIN
> Transfer-Encoding: chunked
> Content-Type: text/xml; charset=utf-8
> Cache-Control: no-store
> X-Transcend-Version: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <!--
> <   Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
> <   All rights reserved.
> <  -->
> < <auth id="challenge">
> < <title>SSL VPN Service</title>
> <
> < <message>Indtast tilsendte engangskode</message>
> <
> < <form method="post" action="/+webvpn+/login/challenge.html">
> <
> <
> < <input type="submit" name="Continue" value="Continue" />
> < <input type="submit" name="Cancel" value="Cancel" />
> <
> < <input type="hidden" name="auth_handle" value="1482" />
> < <input type="hidden" name="status" value="2" />
> < <input type="hidden" name="username" value="kons-ibr" />
> < <input type="hidden" name="serverType" value="0" />
> < <input type="hidden" name="challenge_code" value="0" />
> < </form>
> < </auth>

Questions that may help resolve this issue.

1. Ian, does your server also fall back to the non-XML-based
authentication, like Henry Luis's report and like
https://gitlab.com/openconnect/openconnect/-/issues/489?
2. Does spoofing an official Cisco Windows client change anything?
(openconnect --os=win --useragent 'Cisco AnyConnect VPN Agent for
Windows 4.9.0195')?

It may be easier to follow up on the GitLab issue:
https://gitlab.com/openconnect/openconnect/-/issues/489#note_1097313325

My best guess about the root cause here is that either it's a result
of a server being misconfigured/confused due to a lack of testing with
non-official clients, OR that it's an intentional obfuscation of the
authentication forms with the intention of confusing non-official
clients.

Dan

ps- Oddly, we also have a very similar issue with F5 VPNs (*completely
different protocol*) that has popped up recently, wherein the form
fields for 2FA codes get sent in a needlessly obfuscatory way:
https://gitlab.com/openconnect/openconnect/-/issues/493#note_1097084348
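The failure mode discussed in this thread (a challenge form whose only
code-bearing field is a hidden `challenge_code` with value "0", plus a
message "Indtast tilsendte engangskode", Danish for "Enter the one-time
code sent to you") can be reproduced with a small parser. The example
below is added here and is not OpenConnect's code: it parses a
constructed copy of the `<auth id="challenge">` response quoted above,
works out which inputs a client must prompt for, and refuses to submit
the form when the code is missing instead of "just continuing without
it". The `SUSPECT_HIDDEN` heuristic, the `PLAIN_FORM` sample with a
visible `answer` input, and the field names in it are assumptions, not
documented Cisco behaviour.

```python
"""Parse a Cisco-style <auth> challenge form and decide what to prompt for."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed copy of the challenge form quoted in the thread
# (copyright comment omitted; values are the ones from the quoted log).
CHALLENGE_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
<title>SSL VPN Service</title>
<message>Indtast tilsendte engangskode</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="submit" name="Continue" value="Continue" />
<input type="submit" name="Cancel" value="Cancel" />
<input type="hidden" name="auth_handle" value="1482" />
<input type="hidden" name="status" value="2" />
<input type="hidden" name="username" value="kons-ibr" />
<input type="hidden" name="serverType" value="0" />
<input type="hidden" name="challenge_code" value="0" />
</form>
</auth>
"""

# Hypothetical form of the kind a cooperative server would send: the
# one-time code has a visible text input (field names are assumptions).
PLAIN_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
<message>Enter the one-time code</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="text" name="answer" label="Code:" />
<input type="submit" name="Continue" value="Continue" />
<input type="hidden" name="auth_handle" value="1482" />
</form>
</auth>
"""


@dataclass
class Field:
    name: str
    type: str
    value: str


@dataclass
class AuthForm:
    auth_id: str
    message: str
    action: str
    fields: list


VISIBLE_TYPES = {"text", "password"}
# Assumption: hidden fields with these names are really user-supplied
# values that the server has "hidden" from non-official clients.
SUSPECT_HIDDEN = {"challenge_code"}


def parse_auth_form(xml_text: str) -> AuthForm:
    """Turn an <auth> response into an AuthForm; raise on unexpected shape."""
    root = ET.fromstring(xml_text)
    if root.tag != "auth":
        raise ValueError(f"expected <auth>, got <{root.tag}>")
    form = root.find("form")
    if form is None:
        raise ValueError("no <form> in <auth> response")
    message = (root.findtext("message") or "").strip()
    fields = [Field(i.get("name", ""), i.get("type", "text"), i.get("value", ""))
              for i in form.findall("input")]
    return AuthForm(root.get("id", ""), message, form.get("action", ""), fields)


def fields_to_prompt(form: AuthForm) -> list:
    """Names of inputs the user must fill in before the form is submitted."""
    visible = [f.name for f in form.fields if f.type in VISIBLE_TYPES]
    if visible:
        return visible
    # Heuristic for the forms quoted in the thread: a challenge form that
    # carries a message but no visible input is still asking for a value.
    # Treat a hidden field with a code-like name as the missing prompt.
    if form.auth_id == "challenge" or form.message:
        return [f.name for f in form.fields
                if f.type == "hidden" and f.name in SUSPECT_HIDDEN]
    return []


def build_submission(form: AuthForm, answers: dict) -> dict:
    """POST parameters: hidden values, user answers, and the Continue button.

    Refuses to submit when a prompted field has no answer, which is the
    check the thread says is missing when the client 'just continues'.
    """
    missing = [n for n in fields_to_prompt(form) if n not in answers]
    if missing:
        raise ValueError(f"unanswered fields: {missing}")
    params = {f.name: f.value for f in form.fields if f.type == "hidden"}
    params.update(answers)
    for f in form.fields:
        if f.type == "submit" and f.name == "Continue":
            params[f.name] = f.value
    return params
```

Against the quoted form, `fields_to_prompt` returns `["challenge_code"]`
and `build_submission` with no answers raises; with the code supplied,
the hidden `0` is replaced by the user's value and the other hidden
fields (`auth_handle`, `status`, `username`, `serverType`) are carried
through unchanged, with only `Continue` and not `Cancel` sent.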
