AnyConnect MFA code entry does not work with latest OpenConnect

David Gstir david at sigma-star.at
Mon May 22 09:39:24 PDT 2023


Hi!

I’m running into issue #489 [1] with the latest OpenConnect v9.12-3-ga4f1a345.
Unfortunately none of the suggested solutions there work for me. I’ve also tried
the --form-entry workaround from [2]. See the dump below.

It does work fine though with the official Cisco AnyConnect Secure Mobility Client v4.10.05095 for Linux. :-/

Do you have any idea or hint on how to work around that?

Thanks!
- David

[1] https://gitlab.com/openconnect/openconnect/-/issues/489
[2] https://gitlab.com/Levenson/openconnect/-/commit/cfbf1c79eba88565e52ebb16473dd759044a8d16



me at host:~/openconnect/openconnect$ ./openconnect -vvv --dump --user MYUSERNAME --os=win --useragent 'Cisco AnyConnect VPN Agent for Windows 4.9.0195' XXXXXX
POST https://XXXXXX/
Attempting to connect to server XXXXXX:443
Connected to XXXXXX:443
SSL negotiation with XXXXXX
Connected to HTTPS on XXXXXX with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
> POST / HTTP/1.1
> Host: XXXXXX
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.9.0195
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: XXXXX
> X-AnyConnect-STRAP-DH-Pubkey: XXXXX
> X-Pad: 000000000
> Content-Type: application/xml; charset=utf-8
> Content-Length: 375
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init" aggregate-auth-version="2"><version who="vpn">v9.12-3-ga4f1a345</version><device-id>win</device-id><capabilities><auth-method>single-sign-on-v2</auth-method><auth-method>single-sign-on-external-browser</auth-method></capabilities><group-access>https://XXXXXX/</group-access></config-auth>
Got HTTP response: HTTP/1.1 404 Not Found
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Mon, 22 May 2023 16:24:25 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
HTTP body http 1.0 (-1)
TLS/DTLS socket closed uncleanly
Unexpected 404 result from server
GET https://XXXXXX/
Attempting to connect to server XXXXXX:443
Connected to XXXXXX:443
SSL negotiation with XXXXXX
Connected to HTTPS on XXXXXX with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
> GET / HTTP/1.1
> Host: XXXXXX
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.9.0195
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: XXXXX
> X-AnyConnect-STRAP-DH-Pubkey: XXXXX
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Mon, 22 May 2023 16:24:25 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length:  (0)
GET https://XXXXXX/+webvpn+/index.html
SSL negotiation with XXXXXX
Connected to HTTPS on XXXXXX with ciphersuite (TLS1.2)-(ECDHE-X25519)-(RSA-SHA256)-(AES-256-GCM)
> GET /+webvpn+/index.html HTTP/1.1
> Host: XXXXXX
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.9.0195
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: XXXXX
> X-AnyConnect-STRAP-DH-Pubkey: XXXXX
> X-Pad: 0000000000000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 0
>
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2013, 2018-2019 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="Cisco_VPN_Users" noaaa="0" >1-Default</option></select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Please enter your username and password.
GROUP: [1-Default]:1-Default
Please enter your username and password.
Password:
POST https://XXXXXX/+webvpn+/index.html
> POST /+webvpn+/index.html HTTP/1.1
> Host: XXXXXX
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.9.0195
> Cookie: webvpnlogin=1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: XXXXX
> X-AnyConnect-STRAP-DH-Pubkey: XXXXX
> X-Pad: 000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 80
>
> group_list=Cisco_VPN_Users&username=MYUSERNAME&password=MYPASSWORD
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: tg=XXXXX; expires=Tue, 23 May 2023 06:24:34 GMT; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="challenge">
< <title>SSL VPN Service</title>
<
< <message>Enter PASSCODE</message>
<
< <form method="post" action="/+webvpn+/login/challenge.html">
<
<
< <input type="submit" name="Continue" value="Continue" />
< <input type="submit" name="Cancel" value="Cancel" />
<
< <input type="hidden" name="auth_handle" value="809" />
< <input type="hidden" name="status" value="2" />
< <input type="hidden" name="username" value="MYUSERNAME" />
< <input type="hidden" name="serverType" value="1" />
< <input type="hidden" name="challenge_code" value="0" />
< </form>
< </auth>
<
<
Enter PASSCODE
POST https://XXXXXX/+webvpn+/login/challenge.html
> POST /+webvpn+/login/challenge.html HTTP/1.1
> Host: XXXXXX
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.9.0195
> Cookie: webvpnlogin=1; tg=XXXXX
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: XXXXX
> X-AnyConnect-STRAP-DH-Pubkey: XXXXX
> X-Pad: 0000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 79
>
> auth_handle=809&status=2&username=MYUSERNAME&serverType=1&challenge_code=0
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="challenge">
< <title>SSL VPN Service</title>
<
< <message>Sending...</message>
<
< <form method="post" action="/+webvpn+/login/challenge.html">
<
<
< <input type="submit" name="Continue" value="Continue" />
< <input type="submit" name="Cancel" value="Cancel" />
<
< <input type="hidden" name="auth_handle" value="809" />
< <input type="hidden" name="status" value="2" />
< <input type="hidden" name="username" value="MYUSERNAME" />
< <input type="hidden" name="serverType" value="1" />
< <input type="hidden" name="challenge_code" value="0" />
< </form>
< </auth>
<
<
Sending...
POST https://XXXXXX/+webvpn+/login/challenge.html
> POST /+webvpn+/login/challenge.html HTTP/1.1
> Host: XXXXXX
> User-Agent: Cisco AnyConnect VPN Agent for Windows 4.9.0195
> Cookie: webvpnlogin=1; tg=XXXXX
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-AnyConnect-STRAP-Pubkey: XXXXX
> X-AnyConnect-STRAP-DH-Pubkey: XXXXX
> X-Pad: 0000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 79
>
> auth_handle=809&status=2&username=MYUSERNAME&serverType=1&challenge_code=0
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="challenge">
< <title>SSL VPN Service</title>
<
< <message>Sending...</message>
<
< <form method="post" action="/+webvpn+/login/challenge.html">
<
<
< <input type="submit" name="Continue" value="Continue" />
< <input type="submit" name="Cancel" value="Cancel" />
<
< <input type="hidden" name="auth_handle" value="809" />
< <input type="hidden" name="status" value="2" />
< <input type="hidden" name="username" value="MYUSERNAME" />
< <input type="hidden" name="serverType" value="1" />
< <input type="hidden" name="challenge_code" value="0" />
< </form>
< </auth>
<
<
Sending...
3 consecutive empty forms, aborting loop
Failed to complete authentication
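What the dump above shows, as an added example (not OpenConnect's or Cisco's code): a small Python parser for the `<auth>` forms above that classifies a form as "empty" when it carries no user-fillable field, so the only thing a client can POST back is the hidden fields, and that gives up after three such rounds the way the log's last lines do. The sample XML is constructed from the challenge form in the dump; the `select` handling generalizes to the group list in the first form.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample modelled on the <auth id="challenge"> response in the
# dump: it asks for a PASSCODE but offers no field to type it into.
CHALLENGE_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
<message>Enter PASSCODE</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="submit" name="Continue" value="Continue" />
<input type="hidden" name="auth_handle" value="809" />
<input type="hidden" name="status" value="2" />
<input type="hidden" name="username" value="MYUSERNAME" />
<input type="hidden" name="serverType" value="1" />
<input type="hidden" name="challenge_code" value="0" />
</form>
</auth>"""

def parse_auth_form(xml_text):
    """Return id, message, action and (type, name, value) for every field."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    form = root.find("form")
    fields = [(i.get("type"), i.get("name"), i.get("value", ""))
              for i in form.findall("input")]
    # A <select> is user entry too; its first <option> is the default value.
    for sel in form.findall("select"):
        opts = [o.get("value") for o in sel.findall("option")]
        fields.append(("select", sel.get("name"), opts[0] if opts else ""))
    return {"id": root.get("id"), "message": root.findtext("message", ""),
            "action": form.get("action"), "fields": fields}

def needs_user_entry(form):
    """True if the client must prompt the user before it can answer."""
    return any(t in ("text", "password", "select") for t, _, _ in form["fields"])

def hidden_post_body(form):
    """All a client can send back for an empty form: its hidden fields."""
    return urlencode([(n, v) for t, n, v in form["fields"] if t == "hidden"])

def run_login_loop(responses, limit=3):
    """Give up, as the dump shows, after `limit` consecutive empty forms."""
    empty = 0
    for xml_text in responses:
        empty = 0 if needs_user_entry(parse_auth_form(xml_text)) else empty + 1
        if empty >= limit:
            return f"{limit} consecutive empty forms, aborting loop"
    return "ok"
```

The body `hidden_post_body` produces for the sample is byte-for-byte the `challenge_code=0` request the dump repeats, which is why re-posting it cannot advance the login.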
