Hi
It seems that the push/pull errors have gone.
In the Windows client:
Click AnyConnect
Warns about the certificate > connect anyway
Opens Browser and asks for account > connects but sometimes sends an SMS
with a number to type in.
Says connection is established.
I do not have a secondary password. I think that some session
certificate is needed from the browser.
I tried typing in my stuff backwards and it still does not work.
The VPN worked fine before the MFA upgrade.
Thanks
On 2021/03/22 19:36, Daniel Lenski wrote:
> On Mon, Mar 22, 2021 at 9:55 AM William Bell <william.b...@frog.za.net> wrote:
> > $ openconnect --version
> > OpenConnect version v8.10-1
> > Using GnuTLS 3.6.15. Features present: TPMv2, PKCS#11, RSA software token, HOTP
> > software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> > Supported protocols: anyconnect (default), nc, gp, pulse
> > $ uname --all
> > Linux williambell 5.8.0-45-generic #51-Ubuntu SMP Fri Feb 19 13:24:51 UTC 2021
> > x86_64 x86_64 x86_64 GNU/Linux
> > (added hidden stuff and invalid IP address, the certificate sha is valid but
> > expired.)
> > $ sudo openconnect -vvv --servercert pin-sha256:hiddensha=
> > --authgroup=HIDDEN_MFA --user=hiddenUserName 956.888.747.602
>
> Thanks. I'm not seeing any of the "Error in the push/pull function" in
> your log here… are those no longer occurring?
> It looks like your VPN is just repeatedly showing you the
> username/password/secondary-password form because you're not entering
> the expected values.
> I notice that both fields are labeled "Password: " in your case…
> 1. Do the labels *differ* in the official AnyConnect client? (run
> `openconnect --dump-http-traffic` to show the raw XML, which may help
> us figure out where the labels come from)
> 2. Is it possible that your VPN has the password and
> secondary-password fields *reversed*, thus causing you to enter the
> values backwards?
> 3. We've seen a case of password-field-reversal before
> (https://gitlab.com/openconnect/openconnect/-/issues/35#note_168906231),
> but we don't know how to autodetect it.
> Dan
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel