OpenConnect with second factor auth is not possible (SFOS 3.2.1)

asked 2019-12-11 18:44:21 +0200 by Karry

updated 2019-12-11 19:43:07 +0200 by jovirkku

Good progress with the VPN in 3.2.1. But it is still not usable with the VPN server in my work office. We are using Cisco AnyConnect with second factor authentication. Moreover, we have multiple authentication groups; the group also has to be specified during authentication...

When I configure a VPN profile and try to activate it from the UI, it starts the openconnect process:

/usr/sbin/openconnect \
  --user myName \
  --passwd-on-stdin \
  --cafile someCert.pem \
  --protocol anyconnect \
  --syslog \
  --non-inter \
  --script /usr/lib/connman/scripts/vpn-script \
  --interface vpn0 \
  company.com

but it gets stuck waiting for the group name and second password. Meanwhile the UI signals that it is still connecting... This state probably doesn't have a timeout!

When I add --authgroup=required-group and remove --script (for some reason vpn-script exits with an error code in my experiment, but I didn't dig into this issue deeper), run openconnect as root and enter my two passwords, the VPN is established properly...

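The working invocation the question describes (--authgroup given on the command line, the password and the second factor fed through --passwd-on-stdin), wrapped in a POSIX sh script as an added example; this is not code from the original post, from connman or from mer-core-connman. OPENCONNECT_BIN, VPN_TIMEOUT_SECS and the function names are assumptions of this example. It drops --script as the poster did, and adds --background so that openconnect's foreground process exits once the tunnel is up, which lets a timeout bound exactly the "still connecting" phase the UI never times out.

```sh
#!/bin/sh
# Added example, not code from the original post or from connman.
# Runs openconnect the way the poster found to work: --authgroup on the
# command line, password and second factor one per line on stdin
# (--passwd-on-stdin lets --non-inter read each password prompt from stdin),
# and --background so the foreground process returns once the tunnel is up.
# OPENCONNECT_BIN, VPN_TIMEOUT_SECS and the function names are assumptions.

OPENCONNECT_BIN="${OPENCONNECT_BIN:-/usr/sbin/openconnect}"
VPN_TIMEOUT_SECS="${VPN_TIMEOUT_SECS:-60}"

# Emit the two secrets, one per line, in the order the server prompts for them.
# They travel over a pipe, not argv, so they never show up in `ps`.
oc_stdin() {
    printf '%s\n%s\n' "$1" "$2"
}

# Time-box the connect phase with coreutils/busybox timeout when available.
# Exit status 124 then means "still waiting at a prompt or for the server".
run_timeboxed() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$VPN_TIMEOUT_SECS" "$@"
    else
        "$@"
    fi
}

# connect_vpn USER AUTHGROUP CAFILE HOST PASSWORD OTP
# Returns openconnect's exit status (0 once the tunnel is up and backgrounded).
connect_vpn() {
    oc_stdin "$5" "$6" | run_timeboxed "$OPENCONNECT_BIN" \
        --user "$1" \
        --authgroup "$2" \
        --passwd-on-stdin \
        --cafile "$3" \
        --protocol anyconnect \
        --syslog \
        --non-inter \
        --background \
        --interface vpn0 \
        "$4" && return 0
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "openconnect did not finish in ${VPN_TIMEOUT_SECS}s;" \
             "check the authgroup name and the prompts logged to syslog" >&2
    fi
    return "$rc"
}

# Usage (secrets read from the terminal, never typed on the command line):
#   printf 'Password: '; stty -echo; read -r pw; stty echo; echo
#   printf 'OTP: '; read -r otp
#   connect_vpn myName required-group someCert.pem company.com "$pw" "$otp"
```

Run it as root, as the poster did, since openconnect has to create vpn0. If the authgroup name is wrong the server re-prompts for a group; in non-interactive mode that shows up as a failed exit (or, without --background, as the 124 timeout above) rather than as a UI that sits in "connecting" forever, and the prompt text is in syslog because --syslog is kept.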

Comments


I made a PoC implementation in the connman/openconnect plugin: https://github.com/Karry/mer-core-connman/commit/dee75e9c810a338499423c4a46ea0a52fe0f3c15

I just had to manually update the connection properties in /home/.system/var/lib/connman-vpn/provider_vpn_XXX/settings and now I am able to connect with the top-menu switch or connmanctl...

Karry ( 2019-12-12 01:22:55 +0200 )

I've tested the same on our VPN where an authgroup needs to be specified: openconnect works from the command line, the GUI VPN start gets stuck (I assume with openconnect waiting at the authgroup prompt, as explained above). How would Karry's mer-core-connman patch get included into the normal distribution?

ExTechOp ( 2020-04-30 09:21:21 +0200 )