Certificate Validation Failure trying to connect to Cisco VPN with openconnect and PKCS11 certs on a CAC

Hello,

My office requires us to connect to a VPN (Cisco ASA) in order to
access internal systems and Web pages from home. I use a Chromebook,
and my office has, until recently, supplied me with an RSA SecurID
token that generates a set of random digits that I can use to
authenticate. Now, however, they want us to authenticate using PKCS#11
certificates on our SmartCard (CAC). This is not currently possible
with the ChromeOS version of Cisco AnyConnect, so I put my Chromebook
into dev mode and set up an Ubuntu chroot to try and connect to the
VPN with Linux openconnect. I got all of the middleware working so
that Ubuntu recognizes the CAC and p11tools lists the token and
certificate URLs, but when I attempt to connect to the VPN using
openconnect, I get a "Certificate Validation Failure" error, and it
fails to make the connection.

The output from sudo openconnect -V is:

OpenConnect version v7.06
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP
software token, TOTP software token, System keys, DTLS

The output from lsb_release -a is:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

The following is the verbose output from my connection attempt with
personal information in the certs removed (see below for further
comments):

~$ sudo openconnect -v -u adam.allgood -c
'pkcs11:model=CAC%20Token;manufacturer=U.S.%20Government;serial=;token=<LASTNAME>.<FIRSTNAME>.<MIDDLENAME>.<CAC-ID>%00%20%00;id=%00%02;object=Identity%20%231;type=cert'
cpvpn.ncep.noaa.gov/cac/
POST https://cpvpn.ncep.noaa.gov/cac/
Attempting to connect to server 140.90.73.186:443
Using PKCS#11 certificate
pkcs11:model=CAC%20Token;manufacturer=U.S.%20Government;serial=;token=<LASTNAME>.<FIRSTNAME>.<MIDDLENAME>.<CAC-ID>%00%20%00;id=%00%02;object=Identity%20%231;type=cert
PIN required for <LASTNAME>.<FIRSTNAME>.<MIDDLENAME>.<CAC-ID>
Enter PIN:
Using PKCS#11 key
pkcs11:model=CAC%20Token;manufacturer=U.S.%20Government;serial=;token=<LASTNAME>.<FIRSTNAME>.<MIDDLENAME>.<CAC-ID>%00%20%00;id=%00%02;object=Identity%20%231;type=private
Using client certificate '<LASTNAME>.<FIRSTNAME>.<MIDDLENAME>.<CAC-ID>'
Got no issuer from PKCS#11
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0Anyconnect-CAC; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 02 Nov 2018 16:14:24 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://cpvpn.ncep.noaa.gov/cac/
Attempting to connect to server 140.90.73.186:443
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
Got HTTP response: HTTP/1.0 302 Temporary moved
Set-Cookie: tg=0Anyconnect-CAC; path=/; secure
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 02 Nov 2018 16:14:24 GMT
X-Frame-Options: SAMEORIGIN
Location: /+webvpn+/index.html
HTTP body length:  (0)
GET https://cpvpn.ncep.noaa.gov/+webvpn+/index.html
SSL negotiation with cpvpn.ncep.noaa.gov
Connected to HTTPS on cpvpn.ncep.noaa.gov
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Certificate Validation Failure
Failed to obtain WebVPN cookie

First comment: there seem to be a few HTTP 302 redirects, which I've
read can cause some issues, but I have not found a workaround, and I
haven't seen this issue addressed for this version of openconnect. I
tried passing the --no-http-keepalive option, but it did not help.
Second comment: I saw the message "Got no issuer from PKCS#11" and I
have no idea if this is a problem or not. I have, however,
successfully connected to the VPN with my CAC on a Windows test
machine in the office using the Windows Cisco AnyConnect client, so I
do not believe the problem is with the certs themselves.
Third comment: There are multiple certs on my CAC (the PKCS#11 URLs
seem very similar, just with IDs of 01, 02, or 03), and colleagues
using Macbooks told me that they sometimes have to try different certs
to find the one that works. I have tried them all, with this same
result.

Any insight into what may be going on would be extremely helpful! Thanks
so much for providing this software free of charge.
