On Thu, Jun 13, 2013 at 12:14 PM, Joel Johnson <mrjoel at lixil.net> wrote:
> For the XML POST processing, it looks like it's not properly (fully?)
> processing the --authgroup parameter to use the selected group (as long as
> it's returned in the list as being available). Instead of blindly using the
> tunnel-group and group-alias offered initially, it should use what is
> specified. I'm not familiar with the details and differences between the
> <group-select> and <tunnel-group>, but this looks quite suspicious.

<tunnel-group> and <group-alias> are in the <opaque> section. I'm not sure it's such a good idea for the client to change anything in there. The Cisco client seems to leave it alone.

What I see when I feed your server responses to the official AnyConnect client is that when the user selects e.g. GROUPC_VPN from the dropdown, the Cisco client sends a "change group" message to the server:

    <?xml version="1.0" encoding="UTF-8"?>
    <config-auth client="vpn" type="init">
    <version who="vpn">3.1.00495</version>
    <device-id>linux</device-id>
    <group-select>GROUPC_VPN</group-select>
    </config-auth>

Then it redraws the login dialog when it gets the response back. The new server response tells the client which group to show as selected.

I couldn't deduce your server's hostname so I can't tell for sure, but my guess is that your server rewrites the <opaque> contents based on the newly selected group. It might also be configurable to send a completely different set of form fields for different group selections.

So maybe the <group-select> option only tells the server "send me a new form with GROUPC_VPN selected," and if you submit your credentials immediately, it takes the group ID from the <opaque> section instead of the <group-select> value.

Does this jibe with the behavior you saw (i.e. would you see "Login failed" if you tried to log on to GROUPA_VPN)?

One thing that (lib)openconnect could do to work around this is to prompt the user for just the group first, then after he hits submit, prompt for the remaining form fields (skipping the group dropdown). Are you willing to be the guinea pig?
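
Added example, not part of the original message and not openconnect's own code: a sketch of the two-step flow suggested above, where the client sends only <group-select> until the server's form shows the wanted group, and only then submits credentials with <opaque> echoed back unchanged. The sample server response, the `selected` attribute, the form field names, the TG_A value and the auth-reply layout are constructed assumptions; the init message follows the one quoted in the message.

```python
import xml.etree.ElementTree as ET

# Constructed server response. Only <opaque>, <tunnel-group> and <group-alias>
# are named in the message; every other element/attribute is an assumption.
SAMPLE_FORM = """<config-auth client="vpn" type="auth-request">
  <opaque><tunnel-group>TG_A</tunnel-group><group-alias>GROUPA_VPN</group-alias></opaque>
  <auth><form>
    <select name="group_list">
      <option selected="true">GROUPA_VPN</option>
      <option>GROUPC_VPN</option>
    </select>
    <input type="text" name="username"/>
    <input type="password" name="password"/>
  </form></auth>
</config-auth>"""

def _base(msg_type, version="3.1.00495", device_id="linux"):
    root = ET.Element("config-auth", {"client": "vpn", "type": msg_type})
    ET.SubElement(root, "version", {"who": "vpn"}).text = version
    ET.SubElement(root, "device-id").text = device_id
    return root

def group_select_request(group):
    """The "change group" message: asks the server for a fresh form."""
    root = _base("init")
    ET.SubElement(root, "group-select").text = group
    return ET.tostring(root, encoding="unicode")

def selected_group(form_xml):
    """Group the server marked as selected in its form, or None."""
    for opt in ET.fromstring(form_xml).iter("option"):
        if opt.get("selected") == "true":
            return opt.text
    return None

def next_request(form_xml, wanted_group, username, password):
    """Step 1: form is for another group -> change group, send no credentials.
    Step 2: form matches -> submit credentials, copying <opaque> untouched."""
    if selected_group(form_xml) != wanted_group:
        return group_select_request(wanted_group)
    root = _base("auth-reply")  # assumed reply type
    opaque = ET.fromstring(form_xml).find("opaque")
    if opaque is not None:
        root.append(opaque)  # server-owned state, never edited by the client
    auth = ET.SubElement(root, "auth")
    ET.SubElement(auth, "username").text = username
    ET.SubElement(auth, "password").text = password
    return ET.tostring(root, encoding="unicode")
```

With this ordering the password is never posted against an <opaque> block that belongs to a different group than the one the user asked for.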