I am trying to connect to a VPN that uses a two-part authentication, with username and two passwords. I am able to authenticate using Cisco AnyConnect VPN client on Windows 7. I have been using OpenConnect v5.02-1 package with Network Manager OpenConnect 0.9.8.0 package under Ubuntu 14.04 64-bit to connect to a different VPN that needs only username/password. However, the Ubuntu package does not have libstoken support.

Then I built OpenConnect 6.00 and NetworkManager-OpenConnect 0.9.10 from source, removed the packages, and ran "sudo make install" for both of these. I gave up on NetworkManager-OpenConnect 0.9.10 because the GUI under Network Connections -> VPN was unavailable. So I went back to 0.9.8 package which restored the GUI, and mainly tried to use openconnect from the command line instead for testing. With either version of OpenConnect or Network Manager, the GUI under Network Connections -> VPN does not show any option for RSA SecurID or tokens.

I am not terribly familiar with how the two-part authentication works or how this is implemented in OpenConnect. So I may simply be unclear on the concept, and not using the appropriate command line options and values.

The way the authentication works in AnyConnect is that I am prompted for a username and two passwords. The first password consists of a PIN (let's say 9999) plus a 6-digit token generated by stoken or RSA SecurID software on Windows. Let's say 123456. So the first password is like 9999123456. The 2nd password I think is just the Active Directory / LDAP password for the username. I used the token generated from stoken to connect successfully using AnyConnect in Windows. But I am not sure how to use these two passwords in OpenConnect, or whether this scenario is supported.

If I try to use --token-mode=totp or --token-mode=hotp, login fails whether I enter the AD/LDAP password or the PIN + stoken output. I am never prompted to enter a 2nd password. These modes don't seem to apply to my situation.

Using --token-mode=rsa, example below (output sanitized). For testing, I had the PIN stored in .stokenrc and removed it again. No real difference. Using --no-xmlpost or not doesn't make a difference either. If I try to enter the username/password as in the example below, it fails again with "Server is rejecting the soft token; switching to manual entry".

I should emphasize again that the first password needs to consist of the PIN + generated token. The PIN is not the same as the password that unlocks the software token. I am never prompted for the PIN by openconnect, and I do not see a way to pass it. It doesn't seem to make a difference whether I use "stoken" or "stoken --pin=9999". I am not sure whether the only password that openconnect prompts for is supposed to be the PIN+token or the AD/LDAP password. Neither one results in a prompt for a 2nd password.

Here is an example of what happens. Let me know if you require any more details.

    $ openconnect --no-cert-check --authenticate --token-mode=rsa --no-xmlpost --user=username https://vpn.company.com/
    Enter credentials to unlock software token.
    Password:
    GET https://vpn.company.com/
    Attempting to connect to server 99.99.99.9:443
    SSL negotiation with vpn.company.com
    Connected to HTTPS on vpn.company.com
    Got HTTP response: HTTP/1.0 302 Temporary moved
    GET https://vpn1-1.company.com/
    Attempting to connect to server 99.99.99.7:443
    SSL negotiation with vpn1-1.company.com
    Connected to HTTPS on vpn1-1.company.com
    Got HTTP response: HTTP/1.0 302 Object Moved
    GET https://vpn1-1.company.com/+webvpn+/index.html
    SSL negotiation with vpn1-1.company.com
    Connected to HTTPS on vpn1-1.company.com
    Please enter your username and password.
    Generating RSA token code
    POST https://vpn1-1.company.com/+webvpn+/index.html
    Server is rejecting the soft token; switching to manual entry
    Login failed.
    Please enter your username and password.
    Username:

--Mark Kolmar