On Fri, Aug 17, 2018 at 8:22 AM, <alessandro.narzisi at gmail.com> wrote:
> Hi Dan and all,
>
> today I tried to connect simulating OS and client Windows. As you can
> see, if I use --no-xmlpost the server says "AnyConnect is not enabled
> on the VPN server"; if I remove --no-xmlpost, the error remains the
> same.

Okay, that's not surprising? --no-xmlpost invokes a very old authentication
method, and it only fixes things on a small fraction of Cisco servers.

> Attached are the logs with and without --no-xmlpost.
>
> For the group, I am sure that VPNAnyconnect is the right group.
>
> I see with my network team that in the VPN server log, the attempt to
> access with openconnect uses an authentication method that is not MSCHAPv2.
>
> If I use VPN AnyConnect from Android or Windows the authentication
> method is MSCHAPv2 and it is good.
>
> Can I force MSCHAPv2?

No. MSCHAPv2 is an ancient and insecure authentication protocol
(https://en.wikipedia.org/wiki/MS-CHAP), which is basically unnecessary and
useless over modern TLS. OpenConnect doesn't actually support it.

I am somewhat doubtful that it is actually the problem here; I am guessing
your network admins are just picking out some message from the logs like
"WARNING: not authenticating using MSCHAPv2", and claiming that is the
problem here.

I have an idea? I had a problem like this before, and it was from the Cisco
client silently updating its own XML profile from the server, and changing
the "usergroup", without any notification.

Look around for an XML file containing "AnyConnectPreferences" on your
Windows computer where the connection is working. It might be in
"%USERPROFILE%\AppData\Local\Cisco" as Preferences.xml.

It should look something like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectPreferences>
    <DefaultUser>myusername</DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint>DEADBEEFDEADBEEFDEADBEEF1234567890ABCDEF</ClientCertificateThumbprint>
    <MultipleClientCertificateThumbprints></MultipleClientCertificateThumbprints>
    <ServerCertificateThumbprint></ServerCertificateThumbprint>
    <DefaultHostName>MyVPN</DefaultHostName>
    <DefaultHostAddress>x.x.x.150</DefaultHostAddress>
    <DefaultGroup>MyGroup</DefaultGroup>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences>
    <LocalLanAccess>true</LocalLanAccess>
    <BlockUntrustedServers>false</BlockUntrustedServers>
    </ControllablePreferences>
    </AnyConnectPreferences>

Is the "DefaultGroup" set? If so, try adding `--usergroup MyGroup` to the
openconnect command line.

If this works? I can sort of explain why. It's a weird crusty corner of how
the Cisco client and server interact.

-Dan
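As an added example, not part of the thread or of the OpenConnect project: a small script that parses an AnyConnect Preferences.xml like the one Dan describes, pulls out DefaultUser, DefaultGroup and the host, and builds the matching openconnect command line, adding `--usergroup` only when the profile actually carries a DefaultGroup. The XML below is constructed for the demo and the hostname is a placeholder.

```python
# Added example (not from the mailing-list thread or the OpenConnect project):
# read an AnyConnect Preferences.xml, extract the fields Dan points at, and
# build the matching openconnect command line. The sample XML is constructed
# for the demo; vpn.example.invalid is a placeholder hostname.
import shlex
import xml.etree.ElementTree as ET

SAMPLE_PREFERENCES = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>myusername</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<DefaultHostName>MyVPN</DefaultHostName>
<DefaultHostAddress>vpn.example.invalid</DefaultHostAddress>
<DefaultGroup>MyGroup</DefaultGroup>
<ControllablePreferences>
<LocalLanAccess>true</LocalLanAccess>
</ControllablePreferences>
</AnyConnectPreferences>
"""

def read_preferences(xml_text):
    """Return a dict of the top-level <AnyConnectPreferences> children,
    mapping tag -> stripped text (empty string for empty elements)."""
    root = ET.fromstring(xml_text)
    if root.tag != "AnyConnectPreferences":
        raise ValueError("not an AnyConnectPreferences document: <%s>" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}

def openconnect_args(prefs):
    """Build the openconnect argument list from the parsed preferences.
    --usergroup is only added when DefaultGroup is non-empty, i.e. when the
    Cisco client has a group the server may have pushed to it silently."""
    host = prefs.get("DefaultHostAddress") or prefs.get("DefaultHostName")
    if not host:
        raise ValueError("no DefaultHostAddress/DefaultHostName in preferences")
    args = ["openconnect"]
    if prefs.get("DefaultUser"):
        args += ["--user", prefs["DefaultUser"]]
    if prefs.get("DefaultGroup"):
        args += ["--usergroup", prefs["DefaultGroup"]]
    args.append(host)
    return args

if __name__ == "__main__":
    # Real use: read_preferences(open(path_to_Preferences_xml).read())
    prefs = read_preferences(SAMPLE_PREFERENCES)
    print(shlex.join(openconnect_args(prefs)))
```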