Re: OpenConnect stopped working with TOTP where AnyConnect still works…
Daniel Lenski
dlenski at gmail.com
Thu May 25 14:53:30 PDT 2023
On Thu, May 25, 2023 at 12:43 PM David Raison <david at tentwentyfour.lu> wrote:
> 1. In the http communication with the endpoint, when it comes to the
> point where the web UI or the anyconnect client prompt for the token,
> there is simply no field included in the XML response sent by the
> server, only the <message> element:
>
> < <?xml version="1.0" encoding="UTF-8"?>
> < <!--
> < Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
> < All rights reserved.
> < -->
> < <auth id="challenge">
> < <title>SSL VPN Service</title>
> <
> < <message>Enter your TOKEN password</message>
> <
> < <form method="post" action="/+webvpn+/login/challenge.html">
> <
> <
> < <input type="submit" name="Continue" value="Continue" />
> < <input type="submit" name="Cancel" value="Cancel" />
> <
> < <input type="hidden" name="auth_handle" value="2032" />
> < <input type="hidden" name="status" value="2" />
> < <input type="hidden" name="username" value="******" />
> < <input type="hidden" name="serverType" value="0" />
> < <input type="hidden" name="challenge_code" value="0" />
> < </form>
> < </auth>
Your log shows that you're getting non-XMLPOST responses from the
server. This is an olllllllllllllllld authentication mode of Cisco
servers, which is vestigial and broken on most VPNs, because the
admins don't know about it, and don't test against it.
Quite likely, you've run into issue #544 (~= "newer Cisco servers
require `--useragent=AnyConnect`, otherwise they get stuck in the
usually non-functional non-XMLPOST auth path").
See more details in
https://gitlab.com/openconnect/openconnect/-/issues/544#note_1222936179,
and let us know if adding `--useragent=AnyConnect` addresses the
problem.
This is a pretty maddening issue. It's almost as if Cisco
intentionally changed their servers’ responses to make authentication
fail in a particularly misleading way for users of *OpenConnect*…
based on the fact that we default to sending an accurate User-Agent
header correctly describing the client as a non-Cisco one.
More information about the openconnect-devel
mailing list