On 01/12/2014 08:22 AM, Kevin Cernekee wrote:
>> However my assumption is that, that the problem is not the
>> format being used, but the fact that newer AnyConnect versions use
>> multiple TCP connections instead of one. One for the username and one
>> for the password which is killing the state machine in
>> src/worker-auth.c.
>
> I agree that this looks like a likely culprit for the problem you
> reported. I played around with "openconnect --no-http-keepalive" and
> also saw problems using ocserv with plain authentication.

Indeed that was the issue and it seems it is now fixed by having ocserv
use a compact authentication method (ask both username and password in
one go) if the client does auth using the "Connection: Close" HTTP
headers. That would work only if a single password is required from PAM,
but I guess that's a reasonable trade-off.

Now the client manages to establish a TCP connection but terminates
immediately because "VPN establishment capability from a remote Desktop
is disabled"... So I guess there is again something it doesn't like. I
give up for now.

regards,
Nikos
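
A minimal model of the failure and the fix discussed in this thread, added here as an illustration and not taken from ocserv or from either poster. The names (`choose_form`, `handle_post`, `simulate_login`), the states and the sample credentials are assumptions; the model only tracks which fields arrived on a connection and does not verify a password.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical names; a constructed model, not ocserv's source. */
enum form { FORM_STEPWISE, FORM_COMPACT };
enum state { S_INIT, S_HAVE_USER, S_HAVE_BOTH, S_FAILED };
struct conn { enum state st; };  /* state tied to one TCP connection */

/* Case-insensitive match of a Connection header value against "close". */
static int is_close(const char *h)
{
    const char *w = "close";
    if (!h) return 0;
    for (; *h && *w; h++, w++)
        if (tolower((unsigned char)*h) != *w) return 0;
    return *h == '\0' && *w == '\0';
}

/* Ask for both fields at once when the client will not keep the socket. */
enum form choose_form(const char *connection_hdr)
{
    return is_close(connection_hdr) ? FORM_COMPACT : FORM_STEPWISE;
}

/* One POST; user/pass are NULL when that field is absent from the form. */
enum state handle_post(struct conn *c, const char *user, const char *pass)
{
    if (user) c->st = S_HAVE_USER;
    if (pass)  /* a password with no username seen on this connection fails */
        c->st = (c->st == S_HAVE_USER) ? S_HAVE_BOTH : S_FAILED;
    return c->st;
}

/* Returns 1 if the server ends up holding both fields (constructed values). */
int simulate_login(const char *connection_hdr, enum form f)
{
    struct conn c = { S_INIT };
    if (f == FORM_COMPACT)
        return handle_post(&c, "alice", "secret") == S_HAVE_BOTH;
    handle_post(&c, "alice", NULL);
    if (is_close(connection_hdr))
        c.st = S_INIT;  /* client reconnected: fresh per-connection state */
    return handle_post(&c, NULL, "secret") == S_HAVE_BOTH;
}

int main(void)
{
    printf("stepwise + close: %d\n", simulate_login("close", FORM_STEPWISE));
    printf("chosen + close: %d\n", simulate_login("close", choose_form("close")));
    return 0;
}
```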