Hi David,

Thank you so much for your reply, greatly appreciated.

I am not using some sort of USB device as a token, I am using a software-based token (http://www2.safenet-inc.com/sas/software-tokens.html).

Under Windows, when using Cisco AnyConnect and the above software from SafeNet, when I connect to the VPN, AnyConnect prompts me for my username and the passcode (PIN+token), so I generate a token with the SafeNet software, then I enter my PIN+token as given to me by the software.

Is this something that is possible with openconnect?

Thanks again,
Tony

On Wed, 2014-07-09 at 17:46 +0100, David Woodhouse wrote:
> On Wed, 2014-07-09 at 11:22 -0400, DeadManMoving wrote:
> > Hi list,
> >
> > Is it possible to use openconnect to connect to a Cisco VPN which uses
> > a SafeNet token for authentication?
> >
> > I am trying openconnect version v5.99-175-g7a2b2e8 (with oath version
> > 2.4.1) with the --token-mode=hotp option but, it doesn't look like I have much
> > success.
> >
> > I can successfully connect to the VPN using the Cisco AnyConnect client on
> > Windows, using the SafeNet token.
> >
> > I was unable to find any example on the internet of how to use
> > openconnect with a software token, besides RSA software tokens with stoken.
>
> Let's start with TOTP, as it's easier.
>
> We don't yet support file storage for [HT]OTP tokens; you have to
> provide the required information on the OpenConnect command line.
>
> If your token is stored in a standard PSKC file (as defined by RFC6030)
> then it's fairly simple to find the information you need; just use
> pskctool. For the SafeNet token, you have to interpret their
> non-standard file format, but at least LinOTP is capable of that, so it
> shouldn't be impossible to work it out.
>
> For testing it's best to start by generating the PINs manually with
> oathtool, and entering them manually until you're sure you have the OTP
> part working.
>
>   oathtool --totp 5a5a5a5a5a5a5a5a5a5a5a5a
>
> However, HOTP is more interesting because you have a *counter* rather
> than just a timestamp. And that counter needs to be updated in the file.
>
> So you can make openconnect work by passing
>   --token-mode HOTP --token-secret $SECRET,$COUNTER
>
> But the question of how you remember that the counter should be
> increased is not yet solved.
>
> We really *do* want to have file storage support, but oath-toolkit
> doesn't give us anything we can sanely use. We'd need to define locking
> semantics for it too, and I *really* didn't want to do that in isolation
> just for OpenConnect.
>
> > Also, passing the --token-mode option without passing the --token-secret
> > option makes openconnect segfault, which seems odd.
>
> Oops. I've just fixed that in the git tree; thanks for pointing it out.
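The thread above turns on two points: generating the HOTP/TOTP code yourself to confirm the OTP half works before involving the VPN client, and the unsolved problem of persisting and advancing the HOTP counter between runs (the `$SECRET,$COUNTER` value passed to `--token-secret`). The following is an added example, not code from the thread, from OpenConnect or from oath-toolkit. It implements RFC 4226 HOTP and RFC 6238 TOTP directly on top of the standard library and keeps the HOTP counter in a small file that is read, used and advanced under an exclusive advisory lock, which is the locking semantics David says oath-toolkit does not define. The counter-file layout (one decimal integer), the `hotp_counter.txt` path and the `token_secret_arg` helper that formats the `SECRET,COUNTER` string are assumptions of this example; the hex secret form mirrors the `oathtool` invocation in the thread.

```python
import fcntl
import hashlib
import hmac
import os
import struct
import tempfile
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def secret_from_hex(hex_secret: str) -> bytes:
    """Decode a hex-encoded seed such as the one passed to `oathtool --totp` above."""
    return bytes.fromhex(hex_secret)


class HotpCounterFile:
    """HOTP counter persisted in a text file (assumed layout: one decimal integer).

    next_code() holds an exclusive flock() for the whole read-use-advance cycle so two
    concurrent callers cannot both consume the same counter value, and the counter is
    advanced before the code is handed out so a crash mid-way errs on the side of skipping
    a counter value rather than reusing one (a reused value is the replay risk).
    """

    def __init__(self, path: str):
        self.path = path
        if not os.path.exists(path):
            with open(path, "w") as fh:
                fh.write("0\n")

    def current_counter(self) -> int:
        with open(self.path) as fh:
            return int(fh.read().strip() or "0")

    def next_code(self, secret: bytes, digits: int = 6) -> str:
        with open(self.path, "r+") as fh:
            fcntl.flock(fh, fcntl.LOCK_EX)
            try:
                counter = int(fh.read().strip() or "0")
                fh.seek(0)
                fh.truncate()
                fh.write(f"{counter + 1}\n")
                fh.flush()
                os.fsync(fh.fileno())  # counter is durable before the code is used
            finally:
                fcntl.flock(fh, fcntl.LOCK_UN)
        return hotp(secret, counter, digits)


def token_secret_arg(hex_secret: str, store: HotpCounterFile) -> str:
    """Assumed helper: build the `SECRET,COUNTER` string described in the thread from the stored counter."""
    return f"{hex_secret},{store.current_counter()}"


def demo():
    """Run the counter file through two codes using the RFC 4226 test seed; returns (codes, final counter)."""
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 reference seed, not a real token
    path = os.path.join(tempfile.mkdtemp(), "hotp_counter.txt")  # assumed file name
    store = HotpCounterFile(path)
    codes = [store.next_code(secret), store.next_code(secret)]
    return codes, store.current_counter()


if __name__ == "__main__":
    codes, final = demo()
    print("HOTP codes:", codes, "counter now:", final)
    print("TOTP at T=59 for the reference seed:", totp(b"12345678901234567890", at=59, digits=8))
```

Run it once to see the first two HOTP codes for the reference seed, then check the same seed with `oathtool --hotp` at counters 0 and 1 to convince yourself the two implementations agree before pointing openconnect at a real token file.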