Hi Daniel,
tl;dr: Thanks, setting the user agent to AnyConnect made it work.

On 25/05/2023 23:53, Daniel Lenski wrote:
> Your log shows that you're getting non-XMLPOST responses from the server. This is an olllllllllllllllld authentication mode of Cisco servers, which is vestigial and broken on most VPNs, because the admins don't know about it, and don't test against it.

I checked, just to make sure, that that wasn't my fault. The snippet I pasted was actually from a request where I had explicitly used the --no-xmlpost flag because I had read about it in another thread and wanted to consider every possibility.
But I just ran it again without that flag, and the result (response) is exactly the same.

> Quite likely, you've run into issue #544 (~= "newer Cisco servers require `--useragent=AnyConnect`, otherwise they get stuck in the usually non-functional non-XMLPOST auth path"). See more details in https://gitlab.com/openconnect/openconnect/-/issues/544#note_1222936179, and let us know if adding `--useragent=AnyConnect` addresses the problem.

Yes, that seems to have been exactly it. Setting the useragent to AnyConnect makes it work again. The response I get now is a completely different one and I can also see that openconnect is no longer making requests using query parameters but posting XML bodies instead.

> This is a pretty maddening issue. It's almost as if Cisco intentionally changed their servers’ responses to make authentication fail in a particularly misleading way for users of *OpenConnect*… based on the fact that we default to sending an accurate User-Agent header correctly describing the client as a non-Cisco one.

I don't doubt that for a second ;)

Thanks,
David

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
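The distinction the thread turns on is visible in the client's own HTTP traffic: on the legacy non-XMLPOST path the parameters travel in the query string, on the working path they travel as an XML POST body. The following script is an added example (not code from the thread's participants or from the openconnect project) that classifies captured requests that way and flags the exact combination David hit: only non-XMLPOST requests while the User-Agent is not `AnyConnect`. The request texts are constructed samples, not openconnect's `--dump-http-traffic` output format, and the URL path, parameter names, and XML element are placeholders, not Cisco's real protocol.

```python
# Added diagnostic example; not from openconnect or the mailing-list thread.
# Classifies raw HTTP requests as the XML-POST auth path (XML body) or the
# legacy non-XMLPOST path (parameters in the query string), and suggests
# --useragent=AnyConnect when a capture shows only the legacy path together
# with a non-AnyConnect User-Agent, which is the situation the thread describes.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Parse one raw HTTP/1.1 request (CRLF line endings) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, headers, body)


def auth_path(req: HttpRequest) -> str:
    """'xmlpost' for a POST carrying an XML body, 'non-xmlpost' when the
    request passes parameters in the query string, otherwise 'other'."""
    if req.method == "POST" and req.body.lstrip().startswith("<"):
        return "xmlpost"
    if urlsplit(req.target).query:
        return "non-xmlpost"
    return "other"


def diagnose(raw_requests) -> dict:
    """Summarise a capture; recommend --useragent=AnyConnect when the client
    is stuck on the non-XMLPOST path while advertising a non-AnyConnect UA."""
    reqs = [parse_request(r) for r in raw_requests]
    paths = [auth_path(r) for r in reqs]
    agents = {r.headers.get("user-agent", "") for r in reqs}
    non_cisco_ua = any(not ua.startswith("AnyConnect") for ua in agents)
    stuck = "non-xmlpost" in paths and "xmlpost" not in paths
    return {
        "paths": paths,
        "user_agents": sorted(agents),
        "suggest_anyconnect_ua": stuck and non_cisco_ua,
    }


# Constructed samples (hypothetical path, parameters and XML element).
# The first mimics the failing exchange: query parameters, the client's own
# non-Cisco User-Agent. The second mimics the working one after the fix:
# XML body, User-Agent set to AnyConnect.
LEGACY_CAPTURE = [
    "GET /auth?group=employees&username=david HTTP/1.1\r\n"
    "Host: vpn.example.com\r\n"
    "User-Agent: Open AnyConnect VPN Agent v9.12\r\n"
    "\r\n",
]
XMLPOST_CAPTURE = [
    "POST / HTTP/1.1\r\n"
    "Host: vpn.example.com\r\n"
    "User-Agent: AnyConnect\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?><auth-request type="init"/>',
]

if __name__ == "__main__":
    for label, capture in (("legacy", LEGACY_CAPTURE), ("xmlpost", XMLPOST_CAPTURE)):
        print(label, diagnose(capture))
```

Run against a real capture, the useful signal is `suggest_anyconnect_ua`: a capture with only `non-xmlpost` entries and a User-Agent other than `AnyConnect` matches the issue #544 pattern, while a capture that already shows `xmlpost` entries means the server is on the normal path and the problem lies elsewhere.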