On 03/06/18 23:00, Daniel Lenski wrote:
> Pretty sure I see the problem?
>
> On Sun, Jun 3, 2018 at 1:30 PM, Stephen Davies <sdavies at sdc.com.au> wrote:
>> Here is the debug output:
>> [root@se5 ~]# openconnect -vvvv --config=/etc/openconnect.conf --useragent="Cisco AnyConnect VPN Agent for Windows 4.2.01035" remotehost
>> POST https://remotehost/vendor
> The "/vendor" value here must be the *same value* as the placeholder
> you called 'ggggg' in the config file.
>
>> Attempting to connect to server 1.2.3.4:443
>> SSL negotiation with remotehost
>> Connected to HTTPS on remotehost
>> Got HTTP response: HTTP/1.1 404 Not Found
>> Cache-Control: no-cache
>> Pragma: no-cache
>> Connection: Close
>> Date: Sun, 03 Jun 2018 10:22:24 GMT
>> X-Frame-Options: SAMEORIGIN
>> HTTP body http 1.0 (-1)
>> SSL socket closed uncleanly
>> Unexpected 404 result from server
>> GET https://remotehost/vendor
>> Attempting to connect to server 1.2.3.4:443
>> SSL negotiation with remotehost
>> Connected to HTTPS on remotehost
>> Got HTTP response: HTTP/1.0 302 Temporary moved
>> Set-Cookie: tg=string; path=/; secure
>> Content-Length: 0
>> Cache-Control: no-cache
>> Pragma: no-cache
>> Connection: Close
>> Date: Sun, 03 Jun 2018 10:22:24 GMT
>> X-Frame-Options: SAMEORIGIN
>> Location: /+webvpn+/index.html
>> HTTP body length: (0)
>> GET https://remotehost/+webvpn+/index.html
>> SSL negotiation with remotehost
>> Connected to HTTPS on remotehost
>> Got HTTP response: HTTP/1.1 301 Moved Permanently
>> X-Transcend-Version: 1
>> Location: https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
>> Content-Type: text/html
>> Content-Length: 0
>> HTTP body length: (0)
>> GET https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
>> Got HTTP response: HTTP/1.1 200 OK
>> Content-Type: text/xml
>> Transfer-Encoding: chunked
>> Cache-Control: no-cache
>> Pragma: no-cache
>> Connection: Keep-Alive
>> Date: Sun, 03 Jun 2018 10:22:24 GMT
>> X-Frame-Options: SAMEORIGIN
>> HTTP body chunked (-2)
>> Please upgrade your AnyConnect Client
>> Failed to obtain WebVPN cookie
>>
>> Here is the config file:
>>
>> [root@se5 ~]# cat /etc/openconnect.conf
>> usergroup=gggg
>> user=xxxx
>> interface=tun0
> You are using the "usergroup" setting. Remove it.
>
> Usergroup doesn't do what you expect: it changes the URL that the
> client submits a POST to... which leads to a 404 error... which leads to
> the client retrying with GET... which is effectively the behavior of
> very old clients... which leads to a redirect to a page for old clients.
> I think that probably you used to have an old Cisco server which
> actually used the URL-as-usergroup mechanism, and it got replaced with
> a newer one.
>
> Assuming it works without --usergroup, and you get a prompt asking you
> which realm/group to join... the option that you want to use to set this
> automatically is --authgroup, NOT --usergroup.
>
> GROUP: [Employees|Contractors|Pandas|Leprechauns]: Leprechauns
> Please enter your username and password.
> Username: johnsmith
> Password: ********
>
> => openconnect --authgroup=Leprechauns --user=johnsmith
>
> If I'm right about this... the manual for the --usergroup option should
> be clarified to tell people that they probably want the --authgroup
> option. :-D
>
> Dan
>

Sorry, still no joy.

The actual value in the config file was vendor.

Here is the AnyConnect client XML file they provide for windows users with just the host names changed.

Is there anything in here that I should be using?

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ClientInitialization>
        <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>All</CertificateStore>
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <ProxySettings>Native</ProxySettings>
        <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
        <AuthenticationTimeout>12</AuthenticationTimeout>
        <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
        <MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
        <LocalLanAccess UserControllable="false">false</LocalLanAccess>
        <ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
        <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
        <AutoReconnect UserControllable="false">true
            <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
        </AutoReconnect>
        <AutoUpdate UserControllable="false">true</AutoUpdate>
        <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
        <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
        <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
        <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
        <PPPExclusion UserControllable="false">Automatic
            <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
        </PPPExclusion>
        <EnableScripting UserControllable="false">false</EnableScripting>
        <EnableAutomaticServerSelection UserControllable="false">false
            <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
            <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
        </EnableAutomaticServerSelection>
        <RetainVpnOnLogoff>false
        </RetainVpnOnLogoff>
    </ClientInitialization>
    <ServerList>
        <HostEntry>
            <HostName>Vendor VPN</HostName>
            <HostAddress>remotehost</HostAddress>
            <UserGroup>vendor</UserGroup>
            <BackupServerList>
                <HostAddress>backuphost</HostAddress>
            </BackupServerList>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
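
Added example, not part of the original message and not openconnect code: a small Python check for the failure chain described in the quoted reply (the initial POST to the usergroup path returns 404, the client retries with GET, and the redirects end on the page for old clients). The sample log is abbreviated from the debug output above; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Sample input: abbreviated from the debug output quoted in the message above.
SAMPLE_LOG = """\
POST https://remotehost/vendor
Got HTTP response: HTTP/1.1 404 Not Found
Unexpected 404 result from server
GET https://remotehost/vendor
Got HTTP response: HTTP/1.0 302 Temporary moved
Location: /+webvpn+/index.html
GET https://remotehost/+webvpn+/index.html
Got HTTP response: HTTP/1.1 301 Moved Permanently
Location: https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
GET https://remotehost/+CSCOU+/anyconnect_unsupported_version.html
Got HTTP response: HTTP/1.1 200 OK
Please upgrade your AnyConnect Client
Failed to obtain WebVPN cookie
"""

REQUEST = re.compile(r"^(GET|POST) (https://\S+)$")
RESPONSE = re.compile(r"^Got HTTP response: HTTP/\d\.\d (\d{3})")

def parse_exchanges(log):
    """Pair each request line with the status of the response that follows it."""
    exchanges, pending = [], None
    for line in map(str.strip, log.splitlines()):
        if (m := REQUEST.match(line)):
            pending = (m.group(1), m.group(2))
        elif (m := RESPONSE.match(line)) and pending:
            exchanges.append((*pending, int(m.group(1))))
            pending = None
    return exchanges

def diagnose(log):
    """Return findings for the POST 404 -> GET retry -> old-client page chain."""
    ex = parse_exchanges(log)
    findings = []
    if ex:
        method, url, status = ex[0]
        path = urlsplit(url).path
        if method == "POST" and status == 404 and path not in ("", "/"):
            findings.append(f"initial POST to {path} returned 404")
            if any(m == "GET" and u == url for m, u, _ in ex[1:]):
                findings.append("client retried the same URL with GET")
    if any("anyconnect_unsupported_version" in u for _, u, _ in ex):
        findings.append("redirects ended on the unsupported-version page")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```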