Our VPN now uses 2FA and calls a web page for SSO; this has broken support for openconnect and networkmanager without some fucking about, so I'm having to use the Cisco proprietary client which doesn't support Aarch64 linux and is also tied to some very specific debian supplied libs. Sigh.