I've been using Openconnect for a year or two now, and it has worked well. There have been a few hiccoughs, now and then, when something changed in the interface (--no-xmlpost and the like), and it seems I've hit another one of those ....

Something changed on the server end last night, and this morning I cannot authenticate because it does not prompt which authgroup I want to use. When I try to log in anyway I get a message that I don't have permission to do that and I should use the authgroup. Basically it wants me to log in using an option that it hasn't presented to me.

I've tried with and without the --authgroup setting, but neither works. I presume this is because no authgroups are prompted for. Is it possible to insist on logging in that way? The Windows Anyconnect client works fine, so I presume something is possible.

In case it helps, the output, with --verbose, looks like this:

GET https://<redacted>.com/
Attempting to connect to server 12.202.168.11:443
Using certificate file /home/ams/.cisco/SecureAuth-cert.pfx
Enter PKCS#12 pass phrase:
Using client certificate 'astubbs@<redacted>.com'
Adding supporting CA 'MFCIssuer3Sierra.banner.multifactortrust3.com'
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.0 302 Object Moved
Content-Type: text/html; charset=utf-8
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 11 Apr 2014 08:32:29 GMT
Location: /+webvpn+/index.html
Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
HTTP body length: (0)
GET https://<redacted>.com/+webvpn+/index.html
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
GET https://<redacted>.com/CACHE/sdesktop/install/binaries/sfinst
Got HTTP response: HTTP/1.1 200 OK
Content-Length: 916
Cache-Control: max-age=0
X-Transcend-Version: 1
HTTP body length: (916)
GET https://<redacted>.com/+CSCOE+/sdesktop/wait.html
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 11 Apr 2014 08:32:30 GMT
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://<redacted>.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 11 Apr 2014 08:32:32 GMT
Location: /+webvpn+/index.html
Set-Cookie: sdesktop=19327DBF37D897DE7BC25B19; path=/; secure
HTTP body chunked (-2)
GET https://<redacted>.com/+webvpn+/index.html
SSL negotiation with <redacted>.com
Connected to HTTPS on <redacted>.com
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Username:astubbs
Password:
POST https://<redacted>.com/+webvpn+/index.html
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Transcend-Version: 1
HTTP body chunked (-2)
Login denied. You have insufficient privileges.
Please try again using '<my-usual-authgroup>' instead of 'login'. A=??
Please enter your username and password.
Username:^C

I've substituted the identifying details that might get me in trouble, but hopefully you get the idea.

I very much doubt that IT will have any interest in fixing it as long as the official client works, so any adjustments will have to be on the client side.

Any suggestions?

Thanks in advance

Andrew