On Fri, Apr 11, 2014 at 3:16 AM, Andrew Stubbs <andrew.stubbs at gmail.com> wrote:
> Something changed on the server end last night, and this morning I cannot
> authenticate because it does not prompt which authgroup I want to use. When
> I try to login anyway I get a message that I don't have permission to do
> that and I should use the authgroup.
>
> Basically it wants me to log in using an option that it hasn't presented to
> me.
>
> I've tried with and without the --authgroup setting, but neither works. I
> presume this is because no authgroups are prompted for. Is it possible to
> insist on logging in that way?

Your authgroup can be set a couple of ways:

- Through the dropdown (which doesn't seem to be enabled here)
- From a group-url, e.g. https://vpn.foobar.com/mygroup
- From your client cert

For the latter item, we did see some cases where the client cert would not be requested. You can try --no-http-keepalive as a quick workaround. If that doesn't help, try building the latest head of tree from git.infradead.org. If at all possible, leave XML POST enabled and use a CSD wrapper script.

> The Windows Anyconnect client works fine, so I presume something is
> possible.

Does the official Linux Anyconnect client work? Which version?

Do you see an authgroup dropdown in that client? If so, does it disappear when you don't present the client cert?