On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite <i...@tagvision.dk> wrote:
>
> I'm not the original poster, but I'm experiencing the same problem.
> Here are the details of the challenge form as requested.
> As you guessed, OpenConnect isn't recognizing that a field needs to be
> filled in
> and is just continuing without it.
>
> I guess it's this one?
> <input type="hidden" name="challenge_code" value="0" />
>
That's a great catch. Also, a nearly identical situation was reported
~10 days ago on GitLab at
https://gitlab.com/openconnect/openconnect/-/issues/489

So now we have *THREE* reports of this on real Cisco servers.

> I don't know how OpenConnect is supposed to recognize it... weird it's
> "hidden".
>
>
>
> -+-+-+-
> Got HTTP response: HTTP/1.1 200 OK
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1
> Content-Security-Policy: default-src 'self' 'unsafe-inline'
> 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self';
> block-all-mixed-content
> X-Frame-Options: SAMEORIGIN
> Transfer-Encoding: chunked
> Content-Type: text/xml; charset=utf-8
> Cache-Control: no-store
> X-Transcend-Version: 1
> HTTP body chunked (-2)
> < <?xml version="1.0" encoding="UTF-8"?>
> < <!--
> <   Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
> <   All rights reserved.
> < -->
> < <auth id="challenge">
> < <title>SSL VPN Service</title>
> <
> < <message>Indtast tilsendte engangskode</message>
> <
> < <form method="post" action="/+webvpn+/login/challenge.html">
> <
> <
> < <input type="submit" name="Continue" value="Continue" />
> < <input type="submit" name="Cancel" value="Cancel" />
> <
> < <input type="hidden" name="auth_handle" value="1482" />
> < <input type="hidden" name="status" value="2" />
> < <input type="hidden" name="username" value="kons-ibr" />
> < <input type="hidden" name="serverType" value="0" />
> < <input type="hidden" name="challenge_code" value="0" />
> < </form>
> < </auth>

Questions that may help resolve this issue.

1. Ian, does your server also fall back to the non-XML-based
authentication, like Henry Luis's report and like
https://gitlab.com/openconnect/openconnect/-/issues/489?

2. Does spoofing an official Cisco Windows client change anything?
(openconnect --os=win --useragent 'Cisco AnyConnect VPN Agent for Windows 4.9.0195')
It may be easier to follow up on the GitLab issue:
https://gitlab.com/openconnect/openconnect/-/issues/489#note_1097313325

My best guess about the root cause here is that either it's a result of
a server being misconfigured/confused due to a lack of testing with
non-official clients, OR that it's an intentional obfuscation of the
authentication forms with the intention of confusing non-official
clients.

Dan

ps- Oddly, we also have a very similar issue with F5 VPNs (*completely
different protocol*) that has popped up recently, wherein the form
fields for 2FA codes get sent in a needlessly obfuscatory way:
https://gitlab.com/openconnect/openconnect/-/issues/493#note_1097084348

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
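Added example (editor's, not OpenConnect's code and not from anyone in the thread): the challenge form quoted above, parsed the way a generic form handler would see it, to show why a client that only prompts for visible `text`/`password` inputs sails straight past it. The form body is copied from the quoted server response (the Cisco copyright comment is dropped; the Danish `<message>` means "Enter the one-time code you were sent"). The `find_disguised_prompt` rule, which treats a hidden field named like a code with the placeholder value `"0"` inside an `<auth id="challenge">` form as the field the user must fill, is an assumption for illustration, not behaviour the thread confirms or that OpenConnect implements. The `PROMPT_NAME_HINTS` list and all function names are likewise hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Challenge form as quoted in the thread above (auth_handle and username
# values are exactly as posted there; the Cisco copyright comment is omitted).
CHALLENGE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
  <title>SSL VPN Service</title>
  <message>Indtast tilsendte engangskode</message>
  <form method="post" action="/+webvpn+/login/challenge.html">
    <input type="submit" name="Continue" value="Continue" />
    <input type="submit" name="Cancel" value="Cancel" />
    <input type="hidden" name="auth_handle" value="1482" />
    <input type="hidden" name="status" value="2" />
    <input type="hidden" name="username" value="kons-ibr" />
    <input type="hidden" name="serverType" value="0" />
    <input type="hidden" name="challenge_code" value="0" />
  </form>
</auth>"""

# Name fragments that mark a hidden placeholder as "really a prompt" (assumption).
PROMPT_NAME_HINTS = ("challenge", "code", "otp", "token")


def parse_auth_form(xml_text):
    """Parse a Cisco-style <auth> body into (auth_id, message, action, fields).

    fields is a list of {"type", "name", "value"} dicts in document order.
    """
    root = ET.fromstring(xml_text)
    form = root.find("form")
    if form is None:
        raise ValueError("no <form> in auth response")
    fields = [
        {"type": inp.get("type", ""), "name": inp.get("name", ""),
         "value": inp.get("value", "")}
        for inp in form.findall("input")
    ]
    return (root.get("id", ""), root.findtext("message", default=""),
            form.get("action", ""), fields)


def has_visible_input(fields):
    """The ordinary rule: prompt the user only if the form has a text/password box."""
    return any(f["type"] in ("text", "password") for f in fields)


def find_disguised_prompt(auth_id, fields):
    """Hypothetical heuristic: in an <auth id="challenge"> form with no visible
    input, a hidden field whose name hints at a code and whose value is the
    placeholder "0" is the one the server expects filled in. Returns its name
    or None (so an ordinary form is left alone)."""
    if auth_id != "challenge" or has_visible_input(fields):
        return None
    for f in fields:
        if (f["type"] == "hidden" and f["value"] == "0"
                and any(h in f["name"].lower() for h in PROMPT_NAME_HINTS)):
            return f["name"]
    return None


def build_post_body(fields, prompt_field, code, button="Continue"):
    """Build the form POST body: keep every hidden value, substitute the
    one-time code into the disguised field, and press only one submit button."""
    data = []
    for f in fields:
        if f["type"] == "submit":
            if f["name"] == button:
                data.append((f["name"], f["value"]))
        elif f["name"] == prompt_field:
            data.append((f["name"], code))
        else:
            data.append((f["name"], f["value"]))
    return urlencode(data)


def respond_to_challenge(xml_text, code):
    """Whole flow for one response body: returns (action, body), or None when
    the form has nothing a client would need to ask the user for."""
    auth_id, _message, action, fields = parse_auth_form(xml_text)
    target = find_disguised_prompt(auth_id, fields)
    if target is None:
        return None
    return action, build_post_body(fields, target, code)


if __name__ == "__main__":
    auth_id, message, action, fields = parse_auth_form(CHALLENGE_XML)
    print("visible input present:", has_visible_input(fields))
    print("prompt text:", message, "-> field:", find_disguised_prompt(auth_id, fields))
    print(respond_to_challenge(CHALLENGE_XML, "123456"))
```

Run as-is it reports no visible input (which is exactly why a client that keys prompting on `text`/`password` fields just submits the form with `challenge_code=0`), then names `challenge_code` as the disguised field and shows the POST body with the code substituted and `Cancel` omitted. Note that `serverType` also carries a hidden `"0"` and is correctly not picked, because the rule also requires a code-like name; whether that rule is safe against other Cisco form variants is not something this thread establishes.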