On Thu, May 25, 2023 at 12:43 PM David Raison <da...@tentwentyfour.lu> wrote:
> 1. In the http communication with the endpoint, when it comes to the
> point where the web UI or the anyconnect client prompt for the token,
> there is simply no field included in the XML response sent by the
> server, only the <message> element:
>
> < <?xml version="1.0" encoding="UTF-8"?>
> < <!--
> < Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
> < All rights reserved.
> < -->
> < <auth id="challenge">
> < <title>SSL VPN Service</title>
> <
> < <message>Enter your TOKEN password</message>
> <
> < <form method="post" action="/+webvpn+/login/challenge.html">
> <
> <
> < <input type="submit" name="Continue" value="Continue" />
> < <input type="submit" name="Cancel" value="Cancel" />
> <
> < <input type="hidden" name="auth_handle" value="2032" />
> < <input type="hidden" name="status" value="2" />
> < <input type="hidden" name="username" value="******" />
> < <input type="hidden" name="serverType" value="0" />
> < <input type="hidden" name="challenge_code" value="0" />
> < </form>
> < </auth>
Your log shows that you're getting non-XMLPOST responses from the server. This is an olllllllllllllllld authentication mode of Cisco servers, which is vestigial and broken on most VPNs, because the admins don't know about it, and don't test against it.

Quite likely, you've run into issue #544 (~= "newer Cisco servers require `--useragent=AnyConnect`, otherwise they get stuck in the usually non-functional non-XMLPOST auth path"). See more details in https://gitlab.com/openconnect/openconnect/-/issues/544#note_1222936179, and let us know if adding `--useragent=AnyConnect` addresses the problem.

This is a pretty maddening issue. It's almost as if Cisco intentionally changed their servers’ responses to make authentication fail in a particularly misleading way for users of *OpenConnect*… based on the fact that we default to sending an accurate User-Agent header correctly describing the client as a non-Cisco one.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
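The symptom described in the thread, a challenge `<auth>` response whose `<form>` carries only submit and hidden inputs and no field for the token, can be checked mechanically from a captured response before anyone retries with a different User-Agent. The following is an added example, not code from openconnect or from the thread's authors: it parses the challenge XML quoted above (copied here with the `>`/`<` quoting markers removed, the masked username kept as in the mail) and reports whether the form has any text or password input a client could fill in. The `classify_challenge` and `describe` helpers and the second, fillable sample response are assumptions constructed for the example; the second sample is not a captured Cisco response.

```python
"""Classify a Cisco SSL VPN <auth> challenge response by its usable inputs.

Added example for the openconnect-devel thread; not openconnect code.
"""
import xml.etree.ElementTree as ET

# Constructed from the response quoted in the thread, quoting markers stripped.
LEGACY_CHALLENGE = """<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
All rights reserved.
-->
<auth id="challenge">
<title>SSL VPN Service</title>
<message>Enter your TOKEN password</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="submit" name="Continue" value="Continue" />
<input type="submit" name="Cancel" value="Cancel" />
<input type="hidden" name="auth_handle" value="2032" />
<input type="hidden" name="status" value="2" />
<input type="hidden" name="username" value="******" />
<input type="hidden" name="serverType" value="0" />
<input type="hidden" name="challenge_code" value="0" />
</form>
</auth>
"""

# Constructed contrast case (an assumption, not a captured server response):
# the same challenge, but with a password-type input the client can fill.
FILLABLE_CHALLENGE = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
<title>SSL VPN Service</title>
<message>Enter your TOKEN password</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="password" name="password" label="Token:" />
<input type="hidden" name="auth_handle" value="2032" />
<input type="submit" name="Continue" value="Continue" />
</form>
</auth>
"""

FILLABLE_TYPES = {"text", "password"}


def classify_challenge(xml_text: str) -> dict:
    """Parse an <auth> response and summarise which form inputs it offers.

    Returns a dict with the auth id, the prompt <message>, the names of
    fillable (text/password) inputs, the hidden name->value pairs, and a
    'usable' flag that is False when nothing can be typed into the form.
    """
    root = ET.fromstring(xml_text)  # stdlib parser ignores the leading comment
    if root.tag != "auth":
        raise ValueError(f"expected <auth> root element, got <{root.tag}>")

    inputs = root.findall("./form/input")
    fillable = [i.get("name") for i in inputs if i.get("type") in FILLABLE_TYPES]
    hidden = {i.get("name"): i.get("value") for i in inputs if i.get("type") == "hidden"}

    return {
        "auth_id": root.get("id"),
        "message": root.findtext("message", default="").strip(),
        "fillable_fields": fillable,
        "hidden_fields": hidden,
        "usable": bool(fillable),
    }


def describe(result: dict) -> str:
    """One-line verdict; the hint repeats the thread's suggested workaround."""
    if result["usable"]:
        return f"challenge prompts '{result['message']}' via {result['fillable_fields']}"
    return (
        f"challenge prompts '{result['message']}' but offers no fillable input "
        f"(hidden: {sorted(result['hidden_fields'])}); this is the legacy "
        "non-XMLPOST path, try --useragent=AnyConnect (see issue #544)"
    )


if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY_CHALLENGE), ("fillable", FILLABLE_CHALLENGE)):
        print(f"{name}: {describe(classify_challenge(sample))}")
```

Feeding the saved body of the server's challenge response to `classify_challenge` tells you immediately whether the client was ever given a place to put the token; a `usable: False` result on a response that still says "Enter your TOKEN password" is the signature of the broken path the reply describes.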