#1 2025-06-24 03:47:00

z9s8efkjnsf
Member
Registered: 2024-02-06
Posts: 13

OpenConnect fails to connect after successful WebAuth SSO [solved]

I'm trying to connect to my organization's Cisco AnyConnect VPN server from Arch Linux with NetworkManager 1.52.0-1 and OpenConnect 1:9.12-4, but it doesn't work and my organization won't provide Linux support.

When I run

```
$ nmcli connection up [VPN connection profile]
```

a "Connect to VPN" window pops up with a message to "Please complete the authentication process in the AnyConnect Login window." When I click "Login", I'm shown my organization's WebAuth SSO interface, where I can authenticate with apparent success, eventually showing a Cisco Secure Client screen that says "You have successfully authenticated. You may now close this browser." However, I see that for only a moment before the entire window suddenly disappears, then back in the terminal I see:

```
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=[long hex string] + NM_DEVICE=wlan0' to get more details.
```

When I follow the hint, I see three lines from that login attempt (date, time, hostname, profile ID removed):

```
... <info> ...: starting openconnect
... <warn> ...: dbus: failure: login-failed (0)
... <warn> ...: dbus: failure: connect-failed (1)
```

These messages don't give much information and I don't know where to look for more. What's the next step to troubleshoot this?

Last edited by z9s8efkjnsf (Today 07:25:03)

Offline

#2 2025-06-24 05:38:09

-thc
Member
Registered: 2017-03-15
Posts: 919

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

I remember a similar construct (powershell and login/2nd factor via browser window) being picky about my default web browser. You may try a clean profile of another browser temporarily set as the default.

In the end you may need the Cisco AnyConnect 5.1 client for Linux which is not free.

Offline

#3 2025-06-24 05:48:03

z9s8efkjnsf
Member
Registered: 2024-02-06
Posts: 13

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

Thanks for your reply. Is there a way to control which browser is used for WebAuth? I don't know what it is currently, just whatever pops up inside the "Connect to VPN" window. The wiki doesn't explain much about the browser either.

Offline

#4 2025-06-24 05:53:15

-thc
Member
Registered: 2017-03-15
Posts: 919

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

The browser you have set as "default".

Offline

#5 2025-06-24 06:26:47

z9s8efkjnsf
Member
Registered: 2024-02-06
Posts: 13

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

OK, I'm in GNOME so I went into the "Default Apps" settings and changed the default web browser from Firefox to Chromium, which is clean with no cookies or extensions. There was no difference in the appearance of the authentication window and it failed in the same way. Any other ideas?

Is there somewhere I can look for more detailed VPN logs to see what's failing?

Offline

#6 2025-06-24 12:35:36

-thc
Member
Registered: 2017-03-15
Posts: 919

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

You can try to connect via plain openconnect.

If you do this you have "-v" for more output and even "--dump-http-traffic" at hand.

If you want to know how NetworkManager assembles the command line you can check the output of "ps" when you are connecting via NM.

Offline
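
Output from `-v` and `--dump-http-traffic` contains the HTTP headers and XML bodies of the login exchange, including any `webvpn` cookie or session token, so it should be filtered before it is pasted into a thread like this one. The filter below is an added example, not part of the original posts or of OpenConnect; the `>`/`<` line prefixes, the XML element names it matches, the function names and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: mask secrets and identifying addresses in openconnect
# debug output before sharing it. Usage: redact_vpn_log HOST... < log
# Assumed line shapes: "> Header: value" (sent), "< Header: value" (received).

redact_vpn_log() {
    # 1) Cookie / Set-Cookie / Authorization header values
    # 2) token-bearing XML elements (assumed names)
    # 3) IPv4 addresses
    _script='s/^([<>] )?((Set-|set-)?[Cc]ookie|[Aa]uthorization):.*/\1\2: [REDACTED]/
s#<(session-token|sso-token|password)>[^<]*</#<\1>[REDACTED]</#g
s/([0-9]{1,3}\.){3}[0-9]{1,3}/[IP address]/g'
    # 4) each hostname given as an argument, with dots escaped for the regex
    for _host in "$@"; do
        _esc=$(printf '%s' "$_host" | sed 's/\./\\./g')
        _script="$_script
s/$_esc/[server address]/g"
    done
    sed -E "$_script"
}

# Constructed sample, not captured from a real session.
sample_log() {
    cat <<'EOF'
POST https://vpn.example.org/
Connected to 192.0.2.10:443
> POST / HTTP/1.1
> Host: vpn.example.org
> Cookie: webvpnlogin=1; webvpnLang=en
< HTTP/1.1 200 OK
< Set-Cookie: webvpn=CONSTRUCTED-SECRET; path=/; secure
< <config-auth type="complete"><session-token>CONSTRUCTED-TOKEN</session-token></config-auth>
EOF
}

sample_log | redact_vpn_log vpn.example.org
```

Hostnames are passed explicitly because the filter cannot know which names identify the organization; list the load-balancing server as well if the log shows a redirect.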

#7 2025-06-25 02:01:36

z9s8efkjnsf
Member
Registered: 2024-02-06
Posts: 13

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

Thanks but I can't figure out how to do this with WebAuth. The wiki only gives instructions for how to do it with `networkmanager-openconnect` as I already tried. So I'm trying `openconnect --cookie-on-stdin` but I can't find a cookie that works. My organization's main web login doesn't provide any `webvpn` cookie and the ones whose names involve `sso` aren't accepted ("Cookie was rejected by server; exiting"). If I try going directly to the VPN server address in a web browser, I can get through the authentication, but then I land on a blank page with cookies for `webvpnLang` and `webvpnlogin` (only 2 and 1 characters respectively) but no `webvpn` cookie.

Is there a way to launch the WebAuth browser interface from plain `openconnect`? Or another way to manually extract the cookie from a separate browser session?

Offline

#8 2025-06-25 05:17:53

-thc
Member
Registered: 2017-03-15
Posts: 919

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

I hope the option "--external-browser browser" would work like that.

Offline

#9 2025-06-25 10:49:47

z9s8efkjnsf
Member
Registered: 2024-02-06
Posts: 13

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

Yes, that would be nice, but unfortunately the output of `openconnect --external-browser firefox` is the same as plain `openconnect`:

```
$ openconnect --external-browser firefox [server address]
POST https://[server address]
Connected to [IP address]:443
SSL negotiation with [server address]
Connected to HTTPS on [server address] with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
Got HTTP response: HTTP/1.0 302 Temporary moved
POST https://[load-balancing server address]
Connected to [IP address]:443
SSL negotiation with [load-balancing server address]
Connected to HTTPS on [load-balancing server address] with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
XML POST enabled
Please complete the authentication process in the AnyConnect Login window.
No SSO handler
Failed to complete authentication
```

Offline

#10 2025-06-25 11:07:21

-thc
Member
Registered: 2017-03-15
Posts: 919

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

This seems to be an issue in openconnect - it currently doesn't support SAMLv2 (Azure AD) authentication.

You can try a wrapper script from AUR: https://aur.archlinux.org/packages/openconnect-sso

Offline

#11 Today 02:32:14

z9s8efkjnsf
Member
Registered: 2024-02-06
Posts: 13

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

openconnect-sso worked on the first try, even though NetworkManager doesn't. That's sufficient for me so this problem is solved. Thank you for all your help!

Offline

#12 Today 07:23:10

-thc
Member
Registered: 2017-03-15
Posts: 919

Re: OpenConnect fails to connect after successful WebAuth SSO [solved]

Nice. Please edit your thread title to mark it "[solved]".

Offline
