Hello Openconnect folks, Before addressing the actual intent of this message, first I'd like you all to know how much I appreciate the effort put forth to maintain Openconnect. An open-source tool for a not so open Cisco protocol, that also manages to surpass the quality of their native client, is nothing short of impressive! So many thanks! My employer uses on-prem AD with O365, but has also implemented Okta SSO as the sync point between the two. Additionally, Okta offers multi-factor authentication which is required for VPN logins primarily. Because of this, I decided to look into automating that process since I already use Openconnect over Anyconnect anyway. But in addition to TOTP, one can also configure the service to provide one time passwords via text message or actual phone call. If multiple options are enabled and configured, there is an additional prompt between the LDAP credentials and the OTP that asks for a selection of the preferred OTP option to use.* Searching for an answer, I found myself on the Openconnect One Time Password Support page. Here is explains that and OAUTH token type code will be fed to the second prompt, followed by this sentence: "This behaviour is empirically determined by the requirements of the servers that we have tested with; if you find a configuration in which it is not appropriate, please let us know." So in an effort to provide you all with an additional data point, and the possibility of helping others in asking about my own problem, I'm reporting this scenario as you've requested. Thanks again for making such a great alternative to AnyConnect. If there is anything else I can provide to anyone interested in addressing this, I am more than happy to do so. * I'm not sure if the prompt will be removed if only one option is enabled. I haven't gotten that far just yet. -- Curtis Shimamoto
