On Wed, 2014-07-09 at 11:22 -0400, DeadManMoving wrote:
> Hi list,
>
> Is it possible to use openconnect to connect to a cisco VPN which uses
> a safenet token for authentication?
>
> I am trying openconnect version v5.99-175-g7a2b2e8 (with oath version
> 2.4.1) with the --token-mode=hotp option but it doesn't look like I have much
> success.
>
> I can successfully connect to the VPN using the cisco anyconnect client on
> windows, using the safenet token.
>
> I was unable to find any example on the internet of how to use
> openconnect with a software token, besides the RSA software token with stoken.

Let's start with TOTP, as it's easier.

We don't yet support file storage for [HT]OTP tokens; you have to provide the required information on the OpenConnect command line. If your token is stored in a standard PSKC file (as defined by RFC6030) then it's fairly simple to find the information you need; just use pskctool. For the SafeNet token, you have to interpret their non-standard file format, but at least LinOTP is capable of that so it shouldn't be impossible to work it out.

For testing it's best to start by generating the PINs manually with oathtool, and entering them manually until you're sure you have the OTP part working.

    oathtool --totp 5a5a5a5a5a5a5a5a5a5a5a5a

However, HOTP is more interesting because you have a *counter* rather than just a timestamp. And that counter needs to be updated in the file. So you can make openconnect work by passing

    --token-mode HOTP --token-secret $SECRET,$COUNTER

But the question of how you remember that the counter should be increased is not yet solved. We really *do* want to have file storage support, but oath-toolkit doesn't give us anything we can sanely use. We'd need to define locking semantics for it too, and I *really* didn't want to do that in isolation just for OpenConnect.

> Also, passing the --token-mode option without passing the --token-secret
> option makes openconnect segfault, which seems odd.

Oops. I've just fixed that in the git tree; thanks for pointing it out.

-- 
dwmw2
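To make the TOTP-versus-HOTP distinction in the reply concrete, here is an added example (not OpenConnect or oath-toolkit code, and not from the thread) that generates RFC 4226 HOTP and RFC 6238 TOTP values from a hex secret, and shows the piece the reply says is unsolved: advancing a file-stored HOTP counter under an exclusive lock so two concurrent callers can never hand out the same counter value. It assumes a POSIX system (fcntl.flock) and a hypothetical counter file path chosen by the caller.

```python
import fcntl
import hashlib
import hmac
import os
import struct
import time


def hotp(secret_hex: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = bytes.fromhex(secret_hex)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_hex: str, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step); no state to persist."""
    t = int((time.time() if now is None else now) // step)
    return hotp(secret_hex, t, digits)


def next_hotp_from_file(secret_hex: str, counter_path: str, digits: int = 6) -> str:
    """Return the next HOTP and advance the counter stored in counter_path.

    The exclusive flock is held from reading the old counter until the new
    one is durably written, so a second process blocks rather than reusing
    the same counter (the locking semantics the reply says are missing).
    counter_path is an assumed, caller-chosen file; it is created if absent.
    """
    fd = os.open(counter_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)
        raw = os.read(fd, 32).strip()
        counter = int(raw) if raw else 0  # empty/new file starts at counter 0
        code = hotp(secret_hex, counter, digits)
        # Persist counter+1 before releasing the lock; a consumed counter must never be reused.
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, str(counter + 1).encode())
        os.fsync(fd)
        return code
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)
```

With the RFC 4226 test key (ASCII "12345678901234567890" as hex), the first two calls against a fresh counter file return 755224 and 287082, matching `oathtool --hotp -c 0` and `-c 1`.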