On Tue, Sep 13, 2022 at 3:43 AM Ian Braithwaite <i...@tagvision.dk> wrote:
>
> On 12/09/2022 19:18, Daniel Lenski wrote:
> > On Mon, Sep 12, 2022 at 6:42 AM Ian Braithwaite <i...@tagvision.dk> wrote:
> >> 1. Ian, does your server also fall back to the non-XML-based
> >> authentication, like Henry Luis's report and like
> >> https://gitlab.com/openconnect/openconnect/-/issues/489?
> > Yes it does (redirect, GET /+webvpn+/index.html).
>
> >> 2. Does spoofing an official Cisco Windows client change anything?
> >> (openconnect --os=win --useragent 'Cisco AnyConnect VPN Agent for
> >> Windows 4.9.0195')?)
> > Very much - OpenConnect successfully connects, without the redirect.

Excellent. Quick follow-up: does it require *both* of those arguments
to connect successfully? Or is simply `--os=win` sufficient?

> The server response is completely different - the hidden fields are gone
> and it has a normal password field that OpenConnect handles just fine:

Yay, Cisco. 🤦🏻♂️🤦🏻♂️🤦🏻♂️

> >> My best guess about the root cause here is that either it's a result
> >> of a server being misconfigured/confused due to a lack of testing with
> >> non-official clients, OR that it's an intentional obfuscation of the
> >> authentication forms with the intention of confusing non-official
> >> clients.
> > Or even both :-).

Agreed. "Never attribute to malice that which is adequately explained
by incompetence"… but in this case there may indeed be a bit of both.

Thank you, this was a great job digging into the mailing list for
related past issues, and clears up some mysteries.

Perhaps we should update our Cisco-specific docs at
https://www.infradead.org/openconnect/anyconnect.html (source is at
https://gitlab.com/openconnect/openconnect/blob/master/www/anyconnect.xml)
to emphasize the need to spoof official Cisco clients to work around
authentication issues in some cases. Merge requests would be welcome :-)

Dan

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel