Bug 2376504

Summary: HTTP CONNECT response: HTTP/1.1 401 Unauthorized - Cisco AnyConnect external authentication (SAML)
Product: [Fedora] Fedora
Reporter: romsu <r.sukhokobyla>
Component: openconnect
Assignee: Nikos Mavrogiannopoulos <n.mavrogiannopoulos>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 42
CC: dwmw2, mo, mordae, negativo17, n.mavrogiannopoulos, tdawson
Hardware: x86_64   
OS: Linux   
Type: Bug
Attachments:
Description Flags
manually patched git commit 94e0b16c011b7b88708b8a8505fac6bfbe2e3cca none

Description romsu 2025-07-05 07:43:18 UTC
Description of problem: Got an inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized - Cisco AnyConnect external authentication (SAML) when connecting to /CSCOSSLC/tunnel


Version-Release number of selected component (if applicable): 9.12-7


How reproducible: Add and activate a new VPN connection (Cisco AnyConnect) in NetworkManager


Steps to Reproduce:
1. Add a connection name
2. Add the gateway address
3. Add the agent name (AnyConnect)
4. Leave everything else unchanged
5. Complete SAML authentication

Actual results: HTTP/1.1 401 Unauthorized 


Expected results: successful authorization


Additional info: This issue has already been fixed in newer OpenConnect versions, which is why an update is needed.

Comment 1 Moritz Baumann 2025-11-17 12:01:54 UTC
Created attachment 2114777
manually patched git commit 94e0b16c011b7b88708b8a8505fac6bfbe2e3cca

pulled source rpm and applied this commit to it

https://gitlab.com/openconnect/openconnect/-/commit/94e0b16c011b7b88708b8a8505fac6bfbe2e3cca

We need this (--no-external-auth) to connect against my university's Cisco AnyConnect, and --no-external-auth is not exposed via NetworkManager-openconnect-gui

Comment 2 Moritz Baumann 2025-11-17 12:06:04 UTC
OK, the description is unclear.

The attached file is the openconnect source rpm of F43 with the git commit patch applied.

I just realized that this was filed against F42. My srpm is for F43.

Comment 3 Jan Hamal Dvořák 2026-03-20 13:57:03 UTC
Hi. I am confirming the existence of the issue and this being fixed upstream.

Except in my case (SMS 2FA) back-porting just the above patch did not suffice. I had to bump to the latest master.

Comment 4 romsu 2026-03-20 14:46:03 UTC
Well, this issue still affects openconnect-9.12-9 provided in the Fedora 43 repositories.

Comment 5 Fedora Release Engineering 2026-05-06 13:27:44 UTC
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 42 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 6 Jan Hamal Dvořák 2026-05-28 08:19:38 UTC
Confirmed in Fedora 44.