Hi,
as outlined in the subject, we have been using openconnect as an
anyconnect replacement for a while and while it still works for the
certificate authgroup, it recently stopped working for us with the
password authgroup, which requires a TOTP as a second factor.
I have determined two things so far:
1. In the HTTP communication with the endpoint, when it comes to the
point where the web UI or the AnyConnect client prompts for the token,
there is simply no field included in the XML response sent by the
server, only the <message> element:
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
< Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
< All rights reserved.
< -->
< <auth id="challenge">
< <title>SSL VPN Service</title>
<
< <message>Enter your TOKEN password</message>
<
< <form method="post" action="/+webvpn+/login/challenge.html">
<
<
< <input type="submit" name="Continue" value="Continue" />
< <input type="submit" name="Cancel" value="Cancel" />
<
< <input type="hidden" name="auth_handle" value="2032" />
< <input type="hidden" name="status" value="2" />
< <input type="hidden" name="username" value="******" />
< <input type="hidden" name="serverType" value="0" />
< <input type="hidden" name="challenge_code" value="0" />
< </form>
< </auth>
<
<
And so the reaction of OpenConnect is to simply POST without first
prompting for any values:
Enter your TOKEN password
POST https://vpn.host.tld/+webvpn+/login/challenge.html
> POST /+webvpn+/login/challenge.html HTTP/1.1
2. The anyconnect client under Windows either isn't bothered by the lack
of the input field, or receives a different response (something which I
have as of yet been unable to verify).
Cf. the attached screenshot or this:
PS C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client>
.\vpncli.exe connect https://vpn.host.tld
Cisco AnyConnect Secure Mobility Client (version 4.10.05095) .
Copyright (c) 2004 - 2022 Cisco Systems, Inc. All Rights Reserved.
>> state: Disconnected
>> state: Disconnected
>> notice: Ready to connect.
>> registered with local VPN subsystem.
>> contacting host (https://vpn.host.tld) for login information...
>> notice: Contacting https://vpn.host.tld.
>> warning: No valid certificates available for authentication.
>> Please enter your username and password.
0) Certificate
1) Password
Group: [Password]
Username: [********]
Password:
>> Authentication Message
>> Enter your TOKEN password
>>
Answer:
So, I guess, my main question would be, how would I be able to dump the
response from the server on Windows? I've seen there is a DART tool that
is supposed to gather logs, but I don't have access to it.
I've looked through AppData and Temp directories, but nothing caught my
eye.
Any advice or help would be welcome.
Thanks,
David
--
*TenTwentyFour S.à r.l.*
www.tentwentyfour.lu <https://www.tentwentyfour.lu>
*T*: +352 20 211 1024
*F*: +352 20 211 1023
1 place de l'Hôtel de Ville
4138 Esch-sur-Alzette
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
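The behaviour described in the post (a `<message>` asking for a token, but a `<form>` whose only inputs are hidden or submit controls, so a client that fills fields mechanically has nothing to ask the user for) can be checked by parsing the `<auth>` document and listing which inputs a user could actually fill. The following is an added example, not code from the post or from OpenConnect itself; it embeds the XML quoted above with the `< ` quote prefixes stripped, plus a constructed variant that adds a `secondary_password` field (a hypothetical name, not one the post shows) to show what a prompting form looks like to the same check.

```python
"""Inspect a Cisco-style <auth> challenge and flag a form that carries a
message but no field the user could fill in (added example, not from the
post or from OpenConnect's own source)."""
import xml.etree.ElementTree as ET

# Challenge response quoted in the mailing-list post ("< " prefixes removed).
CHALLENGE_NO_FIELD = """<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
All rights reserved.
-->
<auth id="challenge">
<title>SSL VPN Service</title>
<message>Enter your TOKEN password</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="submit" name="Continue" value="Continue" />
<input type="submit" name="Cancel" value="Cancel" />
<input type="hidden" name="auth_handle" value="2032" />
<input type="hidden" name="status" value="2" />
<input type="hidden" name="username" value="******" />
<input type="hidden" name="serverType" value="0" />
<input type="hidden" name="challenge_code" value="0" />
</form>
</auth>
"""

# Constructed variant (not from the post): the same form with a password
# input added, which is the shape a client needs to know what to prompt for.
# "secondary_password" is a hypothetical field name.
CHALLENGE_WITH_FIELD = CHALLENGE_NO_FIELD.replace(
    '<input type="submit" name="Continue"',
    '<input type="password" name="secondary_password" label="Token:" />\n'
    '<input type="submit" name="Continue"',
)

# Input types that are sent back as-is and never shown to the user.
NON_FILLABLE = {"hidden", "submit"}


def parse_auth_form(xml_text):
    """Return the pieces of an <auth> document a client acts on."""
    root = ET.fromstring(xml_text)
    if root.tag != "auth":
        raise ValueError("expected <auth> root, got <%s>" % root.tag)
    form = root.find("form")
    inputs = [] if form is None else [
        (i.get("type", "text"), i.get("name"), i.get("value"))
        for i in form.findall("input")
    ]
    return {
        "id": root.get("id"),
        "message": (root.findtext("message") or "").strip(),
        "action": None if form is None else form.get("action"),
        "inputs": inputs,
    }


def fillable_fields(parsed):
    """Names of inputs the user would be asked to complete."""
    return [n for t, n, _ in parsed["inputs"] if t not in NON_FILLABLE]


def hidden_fields(parsed):
    """Hidden name/value pairs that get posted back unchanged."""
    return {n: v for t, n, v in parsed["inputs"] if t == "hidden"}


def is_promptless_challenge(parsed):
    """True when the server asks for something but offers no field for it:
    the situation in which a field-driven client posts without prompting."""
    return (parsed["id"] == "challenge"
            and bool(parsed["message"])
            and not fillable_fields(parsed))


if __name__ == "__main__":
    for label, doc in (("captured", CHALLENGE_NO_FIELD),
                       ("constructed", CHALLENGE_WITH_FIELD)):
        p = parse_auth_form(doc)
        print(label, "message=%r" % p["message"],
              "fillable=%s" % fillable_fields(p),
              "promptless=%s" % is_promptless_challenge(p))
```

Run as a script, the captured document reports no fillable fields and `promptless=True`, while the constructed variant reports `['secondary_password']` and `promptless=False`; the hidden `auth_handle`, `status` and `challenge_code` values are what a client would post back in either case. A check like `is_promptless_challenge` is the point at which a client could fall back to prompting from the `<message>` text, or at least log the anomaly, rather than submitting the form empty.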