On 2021/03/23 00:00, Daniel Lenski wrote:
> On Mon, Mar 22, 2021 at 1:38 PM William Bell <william.b...@frog.za.net> wrote:
>> When I try --os=win
>>
>> It forces me to the HIDDEN_NONMFA group, which I used to use and works.
>> I no longer have permissions to use that group.
>>
>> I have also included the windows client's output below.
> Lemme get this straight…
>
> - If you use OpenConnect to spoof the AnyConnect-for-Windows client,
> the server forces you to use the HIDDEN_NONMFA group, which you don't
> have access to?
> - If you use the AnyConnect-for-Windows client, it allows you to
> connect correctly?
Yes, only if I make os=win

> What's the difference between the two? How are the requests from
> OpenConnect-spoofing-AnyConnect distinguished from AnyConnect? (This
> question *might* require a MITM log to answer.)
I will see if I can get this log, it may take some time, maybe the weekend only.

> It also seems to me that whoever set your server up just didn't test
> it with OpenConnect, or just didn't test it with Linux clients. It's
> hard to tell whether this was intentional (to prevent use of anything
> other than the official AnyConnect-for-Windows client) or just the
> result of misconfiguration/inadequate testing. In my experience, the
> latter is much more common. You probably have a good idea.

They either did not have the money to do it; I asked for the Linux client and they said they did not have one, Windows only.

The version we are using seems no longer available at Cisco.

> In any case, even if your administrators ARE TRYING to prevent you
> from connecting with a non-standard client, it's always possible to
> circumvent this… just have to figure out how to emulate the behavior
> of the official client in a more indistinguishable way.

Could it be that the client is reading the credentials from a cookie that the browser temporarily creates, or something from the browser by some other means? All browsers seem to work. So to get this working, at some point openconnect should open/start the default browser and "do the same thing".


Thanks for your help so far.


> Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
