Re: OpenConnect stopped working with TOTP where AnyConnect still works…
David Raison
david at tentwentyfour.lu
Fri May 26 00:34:41 PDT 2023
Hi Daniel,
tl;dr: Thanks, setting the user agent to AnyConnect made it work.
On 25/05/2023 23:53, Daniel Lenski wrote:
> Your log shows that you're getting non-XMLPOST responses from the
> server. This is an olllllllllllllllld authentication mode of Cisco
> servers, which is vestigial and broken on most VPNs, because the
> admins don't know about it, and don't test against it.
I checked, just to make sure, that that wasn't my fault. The snippet I
pasted was actually from a request where I had explicitly used the
--no-xmlpost flag because I had read about it in another thread and
wanted to consider every possibility.
But I just ran it again without that flag, and the result (response) is
exactly the same.
> Quite likely, you've run into issue #544 (~= "newer Cisco servers
> require `--useragent=AnyConnect`, otherwise they get stuck in the
> usually non-functional non-XMLPOST auth path").
>
> See more details in
> https://gitlab.com/openconnect/openconnect/-/issues/544#note_1222936179,
> and let us know if adding `--useragent=AnyConnect` addresses the
> problem.
Yes, that seems to have been exactly it. Setting the useragent to
AnyConnect makes it work again. The response I get now is a completely
different one and I can also see that openconnect is no longer making
requests using query parameters but posting XML bodies instead.
> This is a pretty maddening issue. It's almost as if Cisco
> intentionally changed their servers’ responses to make authentication
> fail in a particularly misleading way for users of *OpenConnect*…
> based on the fact that we default to sending an accurate User-Agent
> header correctly describing the client as a non-Cisco one.
I don't doubt that for a second ;)
Thanks,
David