On Sun, Aug 20, 2017 at 10:29 AM, Andy Wang <dopey at moonteeth.com> wrote:
> I've been trying to figure out why openconnect's --token-mode support
> isn't working with my work's VPN and I finally dug through the source
> and html forms enough to understand, I think. (My C is extremely rusty
> as it's been well over 10 years since I've actively coded in it.) It
> looks like from the function:
>
> static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
>                                   struct oc_auth_form *form,
>                                   struct oc_form_opt *opt)
> {
>         if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
>             vpninfo->token_bypassed)
>                 return -EINVAL;
>
>         if (strcmp(form->auth_id, "frmDefender") &&
>             strcmp(form->auth_id, "frmNextToken") &&
>             strcmp(form->auth_id, "frmTotpToken"))
>                 return -EINVAL;
>
>         return can_gen_tokencode(vpninfo, form, opt);
> }
>
> that a token is only used if the form name is frmDefender,
> frmNextToken or frmTotpToken. Our first login form that expects
> username/RSA token is frmLogin.

I worked on the original stoken integration, but have only ever used it
with Cisco VPNs. It looks like the Juniper logic was updated in this
commit:

commit 1ff34cb9689fbaf57decac537df1e32e799bb9c7
Author: Janne Juntunen <janne.juntunen at hermanit.fi>
Date:   Tue Nov 29 22:37:22 2016 +0000

    Add support for Google Authenticator 2fa on Juniper VPN

    We recently changed our Juniper VPN from SMS 2fa to use Google
    Authenticator instead. Before it worked perfectly with "openconnect
    --juniper" switch, but after the change all we got was:

    Unknown form ID 'frmTotpToken'

    and a dump of the form. I spent some time debugging the issue, and
    managed to write a very simple fix for it.

    Signed-off-by: Janne Juntunen <janne.juntunen at hermanit.fi>
    Signed-off-by: David Woodhouse <dwmw2 at infradead.org>

Maybe the Google Authenticator form (OC_TOKEN_MODE_TOTP) needs to be
handled differently from the RSA SecurID form (OC_TOKEN_MODE_STOKEN).
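As an added diagnostic for the problem discussed in this thread (this is not code from openconnect or from either poster): it pulls the form names out of a saved Juniper login page and applies the same form-ID gate as oncp_can_gen_tokencode(), so you can see in advance whether --token-mode will even attempt to fill a token for your server's form. The HTML samples and the input field names in them are constructed for illustration.

```python
from html.parser import HTMLParser

# The three form IDs openconnect's Juniper code will generate a token for.
TOKEN_FORMS = ("frmDefender", "frmNextToken", "frmTotpToken")
TOKEN_MODE_NONE, TOKEN_MODE_STOKEN, TOKEN_MODE_TOTP = "none", "stoken", "totp"


class FormCollector(HTMLParser):
    """Collect each <form name=...> (the auth_id) with its <input name=...> fields."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("name") or a.get("id") or "(unnamed)"
            self.forms.setdefault(self._current, [])
        elif tag == "input" and self._current and a.get("name"):
            self.forms[self._current].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_login_forms(html):
    """Return {form_name: [input names]} for a saved login page."""
    p = FormCollector()
    p.feed(html)
    return p.forms


def can_gen_tokencode(token_mode, token_bypassed, auth_id):
    """Mirror of the gate in oncp_can_gen_tokencode(): True means openconnect
    would go on to try to fill in a token code for this form."""
    if token_mode == TOKEN_MODE_NONE or token_bypassed:
        return False
    return auth_id in TOKEN_FORMS


def explain(html, token_mode, token_bypassed=False):
    """Map every form on the page to whether a token would be auto-generated."""
    return {fid: can_gen_tokencode(token_mode, token_bypassed, fid)
            for fid in parse_login_forms(html)}


# Constructed samples: a first-stage page named frmLogin (as in the thread) and
# a second-stage frmTotpToken page; field names are illustrative only.
SAMPLE_LOGIN = '<form name="frmLogin" method="post"><input name="username"><input name="password"></form>'
SAMPLE_TOTP = '<form name="frmTotpToken" method="post"><input name="password"></form>'

if __name__ == "__main__":
    for label, page in (("login", SAMPLE_LOGIN), ("totp", SAMPLE_TOTP)):
        for fid, ok in explain(page, TOKEN_MODE_STOKEN).items():
            print(f"{label}: form {fid!r} -> token auto-fill {'yes' if ok else 'no'}")
```

Run it against the HTML openconnect dumps for an unknown form to confirm the form name before assuming --token-mode is broken.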