Cisco VPN login failed with MFA
Reproduce: Ubuntu 20 LTS with openconnect and network-manager-openconnect-gnome. I open a terminal and enter:
sudo openconnect xxx:xxx
Here are the console logs:
Please enter your username and password.
GROUP: [xxx]:xxx
Please enter your username and password.
Username:xxx
Password:
After I enter the password, something is printed:
请输入二次密码: # I guess it wants me to input my MFA code, but it does not wait for input here
Login failed.
Please enter your username and password.
Username:
And now I'm in a loop and can't log in!
Using the option --dump-http-traffic, I got a message in the middle:
Failed to write to SSL socket: The TLS connection was non-properly terminated.
The complete logs:
leo@home:~/softwares$ openconnect -vvv --dump ***:8443
POST https://***:8443/
Attempting to connect to server ***:8443
Connected to ***:8443
SSL negotiation with ***
Connected to HTTPS on ***
> POST / HTTP/1.1
> Host: ***:8443
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 212
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="init"><version who="vpn">v8.05-1</version><device-id>linux-64</device-id><group-access>https://***:8443</group-access></config-auth>
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 06 Sep 2022 21:39:00 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://***:8443/
Attempting to connect to server ***:8443
Connected to ***:8443
SSL negotiation with ***
Connected to HTTPS on ***
> GET / HTTP/1.1
> Host: ***:8443
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-store
Pragma: no-cache
Connection: Close
Date: Tue, 06 Sep 2022 21:39:00 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://***:8443/+webvpn+/index.html
SSL negotiation with ***
Connected to HTTPS on ***
> GET /+webvpn+/index.html HTTP/1.1
> Host: ***:8443
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
>
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
< Copyright (c) 2013, 2018-2019 by Cisco Systems, Inc.
< All rights reserved.
< -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="msfinrta_ssl" noaaa="0" >MSFin-RTA</option><option value="***_ssl" noaaa="0" >***</option><option value="***_ssl2" noaaa="0" >***OB</option>
< </select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
<
< </form>
< </auth>
<
Please enter your username and password.
GROUP: [MSFin-RTA|***|***OB]:***
Please enter your username and password.
Username:***
Password:
POST https://***:8443/+webvpn+/index.html
> POST /+webvpn+/index.html HTTP/1.1
> Host: ***:8443
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: webvpnlogin=1
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-Pad: 0
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 63
>
> group_list=***_ssl&username=***&password=***
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: tg=1bW9idGVjaF9zc2w=; expires=Wed, 07 Sep 2022 09:39:25 GMT; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
< Copyright (c) 2007-2008, 2012 by Cisco Systems, Inc.
< All rights reserved.
< -->
< <auth id="challenge">
< <title>SSL VPN Service</title>
<
< <message>请输入二次密码:</message>
<
< <form method="post" action="/+webvpn+/login/challenge.html">
<
<
< <input type="submit" name="Continue" value="Continue" />
< <input type="submit" name="Cancel" value="Cancel" />
<
< <input type="hidden" name="auth_handle" value="360" />
< <input type="hidden" name="status" value="2" />
< <input type="hidden" name="username" value="***" />
< <input type="hidden" name="serverType" value="0" />
< <input type="hidden" name="challenge_code" value="0" />
< </form>
< </auth>
<
<
请输入二次密码:
POST https://***:8443/+webvpn+/login/challenge.html
> POST /+webvpn+/login/challenge.html HTTP/1.1
> Host: ***:8443
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: webvpnlogin=1; tg=1bW9idGVjaF9zc2w=
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 72
>
> auth_handle=360&status=2&username=***&serverType=0&challenge_code=0
Got HTTP response: HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; frame-ancestors 'self'; base-uri 'self'; block-all-mixed-content
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
Cache-Control: no-store
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
< <?xml version="1.0" encoding="UTF-8"?>
< <!--
< Copyright (c) 2013, 2018-2019 by Cisco Systems, Inc.
< All rights reserved.
< -->
< <auth id="main">
< <title>SSL VPN Service</title>
< <ca status="disabled" href="/+CSCOCA+/login.html" />
<
<
<
< <banner></banner>
< <message>Please enter your username and password.</message>
<
<
< <error id="15" param1="" param2="">Login failed.</error>
< <form method="post" action="/+webvpn+/index.html">
<
< <input type="text" name="username" label="Username:" />
< <input type="password" name="password" label="Password:" />
<
<
< <select name="group_list" label="GROUP:">
< <option value="msfinrta_ssl" noaaa="0" >MSFin-RTA</option><option value="***_ssl" noaaa="0" >***</option><option value="***_ssl2" noaaa="0" >***OB</option>
< </select>
<
< <input type="submit" name="Login" value="Login" />
< <input type="reset" name="Clear" value="Clear" />
<
<
< </form>
< </auth>
<
Login failed.
Please enter your username and password.
Username:
Edited by Akilis Zhang
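The trace above shows the failure mode clearly: the server answers the password POST with an `<auth id="challenge">` document whose `<message>` asks for a second factor, but the form only contains two submit buttons and hidden fields, so the client has nowhere to put the code and posts the hidden values back unchanged, which the server rejects with `<error id="15">Login failed.</error>`. The following Python is an added example, not code from the original post or from openconnect: it parses the `<auth>` documents in the shape seen in the trace and decides whether a client should ask the user, refuse to auto-submit, or post. The sample documents are constructed from the trace with the masked values replaced by placeholders (`USERNAME`, `example_ssl`); the helper names are my own.

```python
"""Parse Cisco SSL VPN <auth> forms of the kind seen in the openconnect
trace and decide what a careful client should do with each one."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: the "challenge" form from the trace (username masked).
CHALLENGE_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="challenge">
<title>SSL VPN Service</title>
<message>请输入二次密码:</message>
<form method="post" action="/+webvpn+/login/challenge.html">
<input type="submit" name="Continue" value="Continue" />
<input type="submit" name="Cancel" value="Cancel" />
<input type="hidden" name="auth_handle" value="360" />
<input type="hidden" name="status" value="2" />
<input type="hidden" name="username" value="USERNAME" />
<input type="hidden" name="serverType" value="0" />
<input type="hidden" name="challenge_code" value="0" />
</form>
</auth>"""

# Constructed sample: the initial "main" form from the trace, trimmed.
MAIN_FORM = """<?xml version="1.0" encoding="UTF-8"?>
<auth id="main">
<title>SSL VPN Service</title>
<message>Please enter your username and password.</message>
<form method="post" action="/+webvpn+/index.html">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<select name="group_list" label="GROUP:">
<option value="msfinrta_ssl" noaaa="0">MSFin-RTA</option>
<option value="example_ssl" noaaa="0">Example</option>
</select>
<input type="submit" name="Login" value="Login" />
<input type="reset" name="Clear" value="Clear" />
</form>
</auth>"""

# Constructed sample: the final form, i.e. the main form plus the error element.
ERROR_FORM = MAIN_FORM.replace(
    "<form ", '<error id="15" param1="" param2="">Login failed.</error>\n<form ', 1)

USER_KINDS = ("text", "password", "select")  # fields only the user can fill


def parse_auth(xml_text):
    """Return id, message, error, form action and the fields in document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "auth":
        raise ValueError("not an <auth> document: <%s>" % root.tag)
    form = root.find("form")
    fields = []
    for el in (form if form is not None else []):
        if el.tag == "input":
            fields.append({"kind": el.get("type", "text"), "name": el.get("name"),
                           "value": el.get("value", ""), "label": el.get("label", "")})
        elif el.tag == "select":
            options = [(o.get("value"), (o.text or "").strip()) for o in el.findall("option")]
            fields.append({"kind": "select", "name": el.get("name"), "value": "",
                           "label": el.get("label", ""), "options": options})
    err = root.find("error")
    return {"id": root.get("id"),
            "message": (root.findtext("message") or "").strip(),
            "error": (err.text or "").strip() if err is not None else None,
            "action": form.get("action") if form is not None else None,
            "fields": fields}


def user_prompts(auth):
    """Fields the user must answer, as (name, label) pairs."""
    return [(f["name"], f["label"]) for f in auth["fields"] if f["kind"] in USER_KINDS]


def lacks_factor_field(auth):
    """True when the server shows a prompt but offers no field to answer it,
    which is exactly the challenge form in the trace."""
    return bool(auth["message"]) and not user_prompts(auth)


def build_post_body(auth, answers):
    """x-www-form-urlencoded body: hidden values as served, user fields from
    `answers`, submit and reset buttons left out (as in the trace)."""
    pairs = []
    for f in auth["fields"]:
        if f["kind"] == "hidden":
            pairs.append((f["name"], f["value"]))
        elif f["kind"] in USER_KINDS:
            if f["name"] not in answers:
                raise ValueError("no answer for field %r" % f["name"])
            pairs.append((f["name"], answers[f["name"]]))
    return urlencode(pairs)


def next_step(auth, answers=None):
    """What a careful client should do: report, refuse, ask, or post."""
    if auth["error"]:
        return "error: " + auth["error"]
    if lacks_factor_field(auth):
        return ("stop: prompt %r has no input field; refusing to auto-submit to %s"
                % (auth["message"], auth["action"]))
    missing = [n for n, _ in user_prompts(auth) if n not in (answers or {})]
    if missing:
        return "ask: " + ", ".join(missing)
    return "post %s %s" % (auth["action"], build_post_body(auth, answers))


if __name__ == "__main__":
    for doc in (MAIN_FORM, CHALLENGE_FORM, ERROR_FORM):
        print(next_step(parse_auth(doc)))
```

Run stand-alone, the script walks the three documents in the order the server sent them: the main form yields `ask: username, password, group_list`, the challenge form is refused because its only fields are hidden, and the last form surfaces `Login failed.` rather than silently re-prompting. A client that applied the `stop:` rule would have shown the user the `请输入二次密码:` prompt together with an explanation instead of posting `challenge_code=0` and looping.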