On Sat, Jan 11, 2014 at 10:52 PM, Thomas Glanzmann <thomas at glanzmann.de> wrote:
>> > User-Agent: AnyConnect Windows 3.0.07059
>
>> If ocserv requires XML POST submissions, I would suggest tweaking the
>> ocserv XML output so that it more closely resembles the structure of
>> the document shown above. However, requiring XML POST does break
>> compatibility with AnyConnect <=v2.5.
>
> we can use the User-Agent header to distinguish, sending the legacy
> challenge for the old clients and the XML for the newer anyconnect
> clients.

It should be possible to tell from the very first client transmission, as the new data format is distinctive. Also, I believe AnyConnect <=2.5 is guaranteed not to send the X-Aggregate-Auth: or X-AnyConnect-Platform: headers.

FWIW, the ASA uses the latter header to match up its installed AnyConnect *.img files to the client. If the server's copy of the web-deploy image for that platform (linux, linux-64, win, ...) is <=2.5, it will force legacy mode, even if the client software is >=3.0. Likewise, if the server does not recognize the X-AnyConnect-Platform: value because it has no installed web-deploy package for that client, it will also force legacy mode. But there is no reason to put all of that convoluted logic in ocserv...

> However my assumption is that the problem is not the
> format being used, but the fact that newer AnyConnect versions use
> multiple TCP connections instead of one. One for the username and one
> for the password which is killing the state machine in
> src/worker-auth.c.

I agree that this looks like a likely culprit for the problem you reported. I played around with "openconnect --no-http-keepalive" and also saw problems using ocserv with plain authentication.
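The rule the thread converges on (decide from the first request whether the client wants the legacy challenge or the XML exchange, using the X-Aggregate-Auth / X-AnyConnect-Platform headers, and fall back to the User-Agent version) written out as a small standalone classifier. This is an added example, not ocserv or openconnect code, and nothing on the list proposed this exact implementation. The header names come from the message above; the sample requests, the `vpn.example.test` host, the version strings and the `<config-auth>` body check are constructed or assumed for the example.

```python
"""Hypothetical auth-mode selection for an AnyConnect-compatible server.

Added example (not ocserv code).  A client that sends X-Aggregate-Auth or
X-AnyConnect-Platform is treated as a >=3.0 client that expects the XML
auth exchange; otherwise the User-Agent version is used as a tie-breaker,
and anything that cannot be identified gets the legacy form challenge.
"""
import re

# Constructed sample requests; header values and host are made up.
NEW_CLIENT_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vpn.example.test\r\n"
    b"User-Agent: AnyConnect Windows 3.0.07059\r\n"
    b"X-Aggregate-Auth: 1\r\n"
    b"X-AnyConnect-Platform: win\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<config-auth client="vpn" type="init"></config-auth>'
)
OLD_CLIENT_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vpn.example.test\r\n"
    b"User-Agent: AnyConnect Windows 2.5.3054\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=secret"
)

# "AnyConnect <platform> <major>.<minor>..." as seen in the quoted User-Agent.
_UA_RE = re.compile(r"AnyConnect\s+\S+\s+(\d+)\.(\d+)")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (lower-cased header dict, body).

    Only the header block is interpreted; the request line is skipped and
    duplicate headers keep the last value, which is enough for this check.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers, body


def anyconnect_version(user_agent: str):
    """Return (major, minor) parsed from an AnyConnect User-Agent, else None."""
    m = _UA_RE.search(user_agent)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def select_auth_mode(raw_request: bytes) -> str:
    """Return "xml" for the aggregate-auth (>=3.0) dialogue, "legacy" otherwise.

    Order of checks: the distinctive headers first, then an XML body
    (assumed here to start with an XML declaration or <config-auth>), then
    the User-Agent version; an unidentifiable client gets legacy mode.
    """
    headers, body = parse_request(raw_request)
    if "x-aggregate-auth" in headers or "x-anyconnect-platform" in headers:
        return "xml"
    stripped = body.lstrip()
    if stripped.startswith(b"<?xml") or stripped.startswith(b"<config-auth"):
        return "xml"
    version = anyconnect_version(headers.get("user-agent", ""))
    if version is not None and version >= (3, 0):
        return "xml"
    return "legacy"


if __name__ == "__main__":
    for label, req in (("new", NEW_CLIENT_REQUEST), ("old", OLD_CLIENT_REQUEST)):
        print(label, "->", select_auth_mode(req))
```

The selection only chooses which authentication dialogue to serve, so trusting client-supplied headers for it is harmless; nothing downstream should treat those headers as evidence of anything about the client, and the legacy fallback keeps a client that sends none of them on the path the thread says AnyConnect <=2.5 expects.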