Cannot enter 2FA code

Daniel Lenski dlenski at
Tue Sep 13 11:35:49 PDT 2022

On Tue, Sep 13, 2022 at 3:43 AM Ian Braithwaite <idb at> wrote:
> On 12/09/2022 19:18, Daniel Lenski wrote:
> > On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite <idb at> wrote:
> >> 1. Ian, does your server also fall back to the non-XML-based
> >> authentication, like Henry Luis's report and like
> >>
> Yes it does (redirect, GET /+webvpn+/index.html).
> >> 2. Does spoofing an official Cisco Windows client change anything?
> >> (openconnect --os=win --useragent 'Cisco AnyConnect VPN Agent for
> >> Windows 4.9.0195')?)
> Very much - OpenConnect successfully connects, without the redirect.

Excellent. Quick follow-up: does it require *both* of those arguments
to connect successfully? Or is simply `--os=win` sufficient?

> The server response is completely different - the hidden fields are gone
> and it has a normal password field that OpenConnect handles just fine:

Yay, Cisco. 🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️

> >> My best guess about the root cause here is that either it's a result
> >> of a server being misconfigured/confused due to a lack of testing with
> >> non-official clients, OR that it's an intentional obfuscation of the
> >> authentication forms with the intention of confusing non-official
> >> clients.
> Or even both :-).

Agreed. "Never attribute to malice that which is adequately explained
by incompetence"… but in this case there may indeed be a bit of both.

Thank you, this was a great job digging into the mailing list for
related past issues, and clears up some mysteries.

Perhaps we should update our Cisco-specific docs at (source is at
to emphasize the need to spoof official Cisco clients to workaround
authentication issues in some cases. Merge requests would be welcome


More information about the openconnect-devel mailing list