Skip to content

Instantly share code, notes, and snippets.

@p120ph37

p120ph37/dualfactor_anyconnect.md

Last active September 29, 2022 03:39
Show Gist options
  • Save p120ph37/10999344 to your computer and use it in GitHub Desktop.
Save p120ph37/10999344 to your computer and use it in GitHub Desktop.
Download ZIP
How to connect to a Cisco AnyConnect VPN server from the OSX (or Linux) command-line without using the AnyConnect client. Specifically, one which uses VeriSign/Symantec VIP Access dual-factor tokens.
Raw
dualfactor_anyconnect.md

(For Linux users, make sure you have oathtool and openconnect, then start from Step 6. If you don't have a token secret key, have a friend generate one for you on OSX via steps 3-5)

Step 1

Get homebrew and install oath-toolkit, openconnect, and tuntap.
And follow the additional tuntap installation instructions!

Step 2

After the tuntap module is installed, reboot or use kextload to activate it.

Step 3

Use the VIP Access application to provision a token.
(This happens the first time you run it. The token is saved into the keyring at /Users/$USER/Library/Keychains/VIPAccess.keychain, and is obfuscated.)

Step 4

Extract the token's secret key.
(Be sure to use the "v" argument so it prints the key, not just the OTP)

Step 5 (optional)

Get rid of the VIP Access app and its keychain.
(Deleting the VIP Access keychain is also useful if you need to provision a new token - for example on behalf of a friend who wants to use oathtool & openconnect from Linux.)

Step 6

Grab the vpnc-script file.

Step 7 (optional)

Patch vpnc-script to enable manual split-horizon DNS.

Step 8

Grab a CA bundle.

Step 9

Try it out!
Run oathtool --totp YOUR_SECRET_KEY_HERE (or the above script that reads the VIP Access keychain) to get your second-factor code.
Then quickly run sudo openconnect --script ./vpnc-script https://YOUR_SERVER_HERE --cafile=cacert.pem and follow the login prompts.
(sudo is needed else the tun/tap interface stuff wonn't work for permission reasons)

Step 10 (optional)

Script your login using Expect or your favorite automation tool so you don't have to enter all that stuff by hand.
(extra credit: store your secret key and passwords in the OSX system keychain rather than hard-coded into your automation script...)

@p120ph37
Copy link
Author

Alternative to steps 3-5: https://github.com/cyrozap/python-vipaccess

@canerdianeh
Copy link

In Catalina, it asks for a keychain password - and the CLI script times out very quickly (if you don't enter the password almost immediately, it will fail)..

Secondly, where does one obtain this password? It's not the standard system keychain password.

@p120ph37
Copy link
Author

@nerdherdinc, I assume you are referring to the issue discussed here? https://gist.github.com/p120ph37/8213727#gistcomment-3665925
If so, the password you need is the one for the VIPAccess keychain, which is ${serial}SymantecVIPAccess${USER} where ${serial} is the serial number of your machine as shown in the log output from the VIPAccess.exp script, and ${USER} is your user-name.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment