OpenConnect stopped working with TOTP where AnyConnect still works…

David Raison david at tentwentyfour.lu
Thu May 25 09:49:26 PDT 2023


Hi,

As outlined in the subject, we have been using OpenConnect as an 
AnyConnect replacement for a while. While it still works for the 
certificate authgroup, it recently stopped working for us with the 
password authgroup, which requires a TOTP as a second factor.


I have determined two things so far:

1. In the HTTP communication with the endpoint, when it comes to the 
point where the web UI or the AnyConnect client prompts for the token, 
there is simply no input field included in the XML response sent by the 
server, only the <message> element:

< <?xml version="1.0" encoding="UTF-8"?>
< <!--
<   Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
<   All rights reserved.
<  -->
< <auth id="challenge">
< <title>SSL VPN Service</title>
<
< <message>Enter your TOKEN password</message>
<
< <form method="post" action="/+webvpn+/login/challenge.html">
<
<
< <input type="submit" name="Continue" value="Continue" />
< <input type="submit" name="Cancel" value="Cancel" />
<
< <input type="hidden" name="auth_handle" value="2032" />
< <input type="hidden" name="status" value="2" />
< <input type="hidden" name="username" value="******" />
< <input type="hidden" name="serverType" value="0" />
< <input type="hidden" name="challenge_code" value="0" />
< </form>
< </auth>
<
<

And so the reaction of OpenConnect is to simply POST without first 
prompting for any values:

Enter your TOKEN password
POST https://vpn.host.tld/+webvpn+/login/challenge.html
 > POST /+webvpn+/login/challenge.html HTTP/1.1

2. The AnyConnect client under Windows either isn't bothered by the lack 
of the input field, or receives a different response (something which I 
have as yet been unable to verify).

Cf. the attached screenshot or this:

PS C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client> 
.\vpncli.exe connect https://vpn.host.tld
Cisco AnyConnect Secure Mobility Client (version 4.10.05095) .

Copyright (c) 2004 - 2022 Cisco Systems, Inc.  All Rights Reserved.


   >> state: Disconnected
   >> state: Disconnected
   >> notice: Ready to connect.
   >> registered with local VPN subsystem.
   >> contacting host (https://vpn.host.tld) for login information...
   >> notice: Contacting https://vpn.host.tld.
   >> warning: No valid certificates available for authentication.

   >> Please enter your username and password.
     0) Certificate
     1) Password
Group: [Password]

Username: [********]
Password:

   >> Authentication Message
   >> Enter your TOKEN password

   >>
Answer:


So, I guess, my main question would be, how would I be able to dump the 
response from the server on Windows? I've seen there is a DART tool that 
is supposed to gather logs, but I don't have access to it.

I've looked through AppData and Temp directories, but nothing caught my 
eye.


Any advice or help would be welcome.

Thanks,
David


-- 

*TenTwentyFour S.à r.l.*
www.tentwentyfour.lu <https://www.tentwentyfour.lu>
*T*: +352 20 211 1024
*F*: +352 20 211 1023
1 place de l'Hôtel de Ville
4138 Esch-sur-Alzette

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screenshot-2023-05-25-135707.png
Type: image/png
Size: 49650 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20230525/5e3bc61d/attachment-0001.png>
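Added example, not part of the post above and not OpenConnect's own code: a small parser that classifies the inputs in the AnyConnect <auth> challenge David quoted and flags the situation he describes, a <message> with no field the client could fill in, next to a constructed variant that does carry a password field. The field name "answer" in that variant is an assumption, not something the server response shows.

```python
import xml.etree.ElementTree as ET

# The challenge quoted in the post, with openconnect's "< " line prefixes
# and the Cisco copyright comment removed (username is redacted in the post).
CHALLENGE_NO_INPUT = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
<title>SSL VPN Service</title>
<message>Enter your TOKEN password</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="submit" name="Continue" value="Continue" />
<input type="submit" name="Cancel" value="Cancel" />
<input type="hidden" name="auth_handle" value="2032" />
<input type="hidden" name="status" value="2" />
<input type="hidden" name="username" value="******" />
<input type="hidden" name="serverType" value="0" />
<input type="hidden" name="challenge_code" value="0" />
</form>
</auth>"""

# Constructed contrast case: the same challenge, but with a fillable field.
# The name "answer" is an assumption; the real server never sent such a field.
CHALLENGE_WITH_INPUT = CHALLENGE_NO_INPUT.replace(
    '<input type="submit" name="Continue"',
    '<input type="password" name="answer" label="Answer:" />\n'
    '<input type="submit" name="Continue"')


def analyse_auth_form(xml_text):
    """Summarise an <auth> response: its id, message, fillable and hidden inputs."""
    root = ET.fromstring(xml_text)
    fillable, hidden = [], {}
    for inp in root.iter("input"):
        kind = inp.get("type", "text")
        if kind == "submit":
            continue            # buttons, nothing for the user to type
        if kind == "hidden":
            hidden[inp.get("name")] = inp.get("value")   # echoed back as-is
        else:
            fillable.append((inp.get("name"), kind))     # needs a prompt
    return {"id": root.get("id"), "message": root.findtext("message"),
            "fillable": fillable, "hidden": hidden}


def needs_prompt_but_has_no_field(xml_text):
    """True when the server shows a message but offers no field to answer it in;
    a client that only prompts for declared inputs will just re-POST the form."""
    info = analyse_auth_form(xml_text)
    return bool(info["message"]) and not info["fillable"]
```

Running `needs_prompt_but_has_no_field` over a captured response is a quick way to tell whether the server or the client side is at fault before digging into the client's logs.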