Hi Daniel,

That makes sense. From what I recall looking at the profile .xml, I believe it's using a usergroup or groupname. Also there's some certificate match pattern that it's using. Then I will have to export the certificates and try giving it another shot. I've been so busy I haven't had a chance yet. However, I will bump up this message thread when I do, regarding success or failure.

Thanks for your help.

On Mon, Mar 26, 2018 at 9:16 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> On Mon, Mar 26, 2018 at 8:38 PM, Colin Williams
> <colin.williams.seattle at gmail.com> wrote:
>>
>> Hi,
>>
>> I have a mac provided with AnyConnect configured to a vpn, but wish to
>> try to connect using OpenConnect. Can anyone describe or point to a
>> document which might allow me to infer the connection settings and
>> resources such as keys so I can provide them for OpenConnect based on
>> the working AnyConnect settings? I looked around at some xml files but
>> couldn't figure out the connection settings and resources on my own.
>
> In my experience (5 or 10 different Cisco AnyConnect VPNs), the
> following should cover all of the required connection information:
>
> VPN server (there may be more than one possibility in your "AnyConnect
> Profile", but you only need one to get connected)
> Username
> Password and/or 2FA token source
> Client certificate (not used with all VPNs)
>
> These should all be straightforward and obvious, with the exception of
> the client certificate. In some cases, the client cert may be
> accessible to you since you obtained it simply as an ordinary file
> which you can copy to a system running openconnect.
>
> But in other cases, the client certificate will be stored in:
>
> (a) An operating system facility that restricts your ability to export
> the certificate. Under Windows, the mimikatz tool
> (https://github.com/gentilkiwi/mimikatz) can be used to export
> certificates which were marked "unexportable" when imported.
> (b) Vendor-specific software that stores the certificate, such as Symantec PKI.
> (c) A hardware credential storage container like a TPM
> (https://en.wikipedia.org/wiki/Trusted_Platform_Module).
>
> Does that clarify things?
>
> Dan
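
The thread mentions a server list, a usergroup and a certificate match pattern in the AnyConnect profile .xml. As an added example (not part of the original messages, and not OpenConnect or Cisco code), this sketch pulls those fields out of a profile. The sample profile is constructed, its hostnames and names are placeholders, and the element names (`HostEntry`, `HostAddress`, `UserGroup`, `DistinguishedNameDefinition`) are assumed to follow the usual AnyConnect profile layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile; hostnames, group and CA names are placeholders.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization><CertificateMatch><DistinguishedName>
    <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled">
      <Name>ISSUER-CN</Name>
      <Pattern>Example Corp Issuing CA</Pattern>
    </DistinguishedNameDefinition>
  </DistinguishedName></CertificateMatch></ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Example HQ</HostName>
      <HostAddress>vpn.example.com</HostAddress>
      <UserGroup>employees</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>Example backup</HostName>
      <HostAddress>vpn2.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def local(tag):
    # Drop the "{namespace}" prefix ElementTree puts on every tag.
    return tag.rsplit("}", 1)[-1]

def children(el):
    return {local(c.tag): (c.text or "").strip() for c in el}

def parse_profile(xml_text):
    """Return (servers, cert_patterns) found in an AnyConnect profile."""
    servers, cert_patterns = [], []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "HostEntry":
            f = children(el)
            url = "https://" + f.get("HostAddress", "")
            if f.get("UserGroup"):          # usergroup becomes the URL path
                url += "/" + f["UserGroup"]
            servers.append({"name": f.get("HostName", ""), "url": url})
        elif local(el.tag) == "DistinguishedNameDefinition":
            f = children(el)
            cert_patterns.append((f.get("Name", ""), f.get("Pattern", "")))
    return servers, cert_patterns

if __name__ == "__main__":
    servers, patterns = parse_profile(SAMPLE_PROFILE)
    for s in servers:
        print(s["name"], "->", s["url"])
    for field, pattern in patterns:
        print("client cert must match", field, "=", pattern)
```

Any one of the resulting URLs can be given to openconnect as the server; the certificate match entries only indicate which client certificate AnyConnect selects, not where it is stored.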