OpenConnect is the Open Source alternative for the proprietary Cisco AnyConnect client. Our company is using the Cisco AnyConnect client along with PIN protected RSA Software Tokens for the authentication.
It looks like a complicated setup if you don’t have your corporate Windows client around: there’s no Cisco AnyConnect client for Linux with RSA Software Token support, and the RSA application itself is only available for Windows.
Guess what? It is not complicated at all and does not require WINE or any other tool to run the Windows app. It does not require the broken Cisco AnyConnect client either.
Update 10th June 2014: New instructions for new RSA Token Converter 3.0.
Update 10th October 2014: RSA Token Converter no longer needed.
Install the required software to import the token and the OpenConnect client itself:
# yum -y install NetworkManager-openconnect stoken-cli stoken-gui
If you’re using RHEL or CentOS up to 6.3, please reboot your system, as the bundled NetworkManager is not able to reload plugins through D-Bus; if you’re running Fedora or RHEL/CentOS 6.4 or later you can proceed directly.
Use stoken to import your token, choosing between the various options:
$ stoken import --token 2000123456...
$ stoken import --token com.rsa.securid.iphone://ctf?ctfData=2000123456...
$ stoken import --file mytoken.sdtid
Leave the password prompt blank if you don’t want to password protect your token. Launch the command line program or the graphical program to get the passcode. The PIN must be identical to the one you set when first connecting to the VPN; otherwise the generated passcode will not match the one computed on the VPN server:
$ stoken
Enter PIN: 1234
32031342
Alternatively you can use the GTK based
Remove token PIN
To speed things up further, you can issue the following command to remove the PIN request when opening the token (both command line and graphical). Note that the PIN is then stored in ~/.stokenrc alongside the token seed, so keep that file readable by your user only:
$ stoken setpin
Enter new PIN: 1234
Confirm new PIN: 1234
$ stoken
32031342
Create a new OpenConnect VPN through the VPN wizard of NetworkManager; the only required parameter is the server name.
If you have at least Fedora 20 or (probably) RHEL 7 with NetworkManager-openconnect 0.9.8 you can also paste the RSA Soft Token in the text box or use the Stoken file for passcode generation.
Upon connection, you will be asked for your username and RSA passcode. If you have enabled Soft Token integration with the PIN saved in ~/.stokenrc, you will be asked only for the username.
The connection can also be initiated from the command line. This method also lets you avoid entering the PIN, offering the same functionality as NetworkManager-openconnect 9.8.0 on all Fedora releases and on CentOS/RHEL 6:
sudo cp ~/.stokenrc /root
sudo openconnect --token-mode=rsa vpn.example.com
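Because ~/.stokenrc holds the token seed and, after `stoken setpin`, the PIN itself, the copy under /root is worth guarding. The following wrapper is an added example (not part of the original post or of stoken/OpenConnect): it refuses to start the VPN unless the token file is readable by its owner only. The function names and the vpn.example.com host are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check the saved-PIN token
# file before launching OpenConnect. stoken keeps the token seed and,
# after "stoken setpin", the PIN in ~/.stokenrc, so group/other must
# have no access to it. Function names here are ours (hypothetical).

# stokenrc_ok FILE -> 0 if FILE is a regular file with no group/other bits
stokenrc_ok() {
    f=$1
    [ -f "$f" ] || return 1
    # POSIX "ls -ld" prints e.g. "-rw-------"; columns 5-10 are group/other
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# stokenrc_fix FILE -> tighten to owner read/write only, then re-check
stokenrc_fix() {
    chmod 600 "$1" && stokenrc_ok "$1"
}

# connect SERVER [RCFILE] -> start the VPN only if the token file is private
connect() {
    server=$1
    rc=${2:-$HOME/.stokenrc}
    if ! stokenrc_ok "$rc"; then
        echo "refusing: $rc missing or readable by others (want mode 600)" >&2
        return 1
    fi
    # --token-mode=rsa tells openconnect to generate the passcode via stoken
    sudo openconnect --token-mode=rsa "$server"
}
```

Run it as `connect vpn.example.com` (or with a second argument pointing at /root/.stokenrc when invoked as root); `stokenrc_fix ~/.stokenrc` repairs an over-permissive copy.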
Pretty easy, huh?