On Sun, Aug 20, 2017 at 10:29 AM, Andy Wang <dopey at moonteeth.com> wrote:
> I've been trying to figure out why openconnect's --token-mode support
> isn't working with my works VPN and I finalliy dug through the source
> and html forms enough to understand I think. (my C is extremely rusty
> as it's been well over 10 years since i've actively coded in it) It
> looks like from the function:
> static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
> struct oc_auth_form *form,
> struct oc_form_opt *opt)
> {
> if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
> vpninfo->token_bypassed)
> return -EINVAL;
>
> if (strcmp(form->auth_id, "frmDefender") &&
> strcmp(form->auth_id, "frmNextToken") &&
> strcmp(form->auth_id, "ftmTotpToken"))
> return -EINVAL;
>
> return can_gen_tokencode(vpninfo, form, opt);
> }
>
> That a token is only used if the form name is frmDefender.
> frmNextToken or frmTotpToken. Our first login form that expects
> username/rsa token is frmLogin.
I worked on the original stoken integration, but have only ever used
it with Cisco VPNs. It looks like the Juniper logic was updated in
this commit:
commit 1ff34cb9689fbaf57decac537df1e32e799bb9c7
Author: Janne Juntunen <janne.juntunen at hermanit.fi>
Date: Tue Nov 29 22:37:22 2016 +0000
Add support for Google Authenticator 2fa on Juniper VPN
We resently changed our Juniper VPN from SMS 2fa to use Google
Authenticator instead. Before it worked perfectly with "openconnect
--juniper" switch, but after the change all we got was:
Unknown form ID 'frmTotpToken'
and a dump of the form.
I spent some time debugging the issue, and managed to write a very
simple fix for it.
Signed-off-by: Janne Juntunen <janne.juntunen at hermanit.fi>
Signed-off-by: David Woodhouse <dwmw2 at infradead.org>
Maybe the Google Authenticator form (OC_TOKEN_MODE_TOTP) needs to be
handled differently from the RSA SecurID form (OC_TOKEN_MODE_STOKEN).
