Re: [OATH-Toolkit-help] openconnect with safenet token

From: DeadManMoving
Subject: Re: [OATH-Toolkit-help] openconnect with safenet token
Date: Wed, 09 Jul 2014 14:24:56 -0400

Hi David,

Thank you so much for your reply, greatly appreciated.

I am not using some sort of USB device as a token; I am using a software-based token (http://www2.safenet-inc.com/sas/software-tokens.html).

Under Windows, when using Cisco AnyConnect and the above software from SafeNet, when I connect to the VPN, AnyConnect prompts me for my username and the passcode (PIN+token), so I generate a token with the SafeNet software and then enter my PIN+token given to me by the software.

Is this possible with openconnect?

Thanks again,


On Wed, 2014-07-09 at 17:46 +0100, David Woodhouse wrote:
On Wed, 2014-07-09 at 11:22 -0400, DeadManMoving wrote:
> Hi list,
> Is it possible to use openconnect to connect to a Cisco VPN which uses
> a SafeNet token for authentication?
> I am trying openconnect version v5.99-175-g7a2b2e8 (with oath version
> 2.4.1) with the --token-mode=hotp option but it doesn't look like I have
> much success.
> I can successfully connect to the VPN using the Cisco AnyConnect client
> on Windows, using the SafeNet token.
> I was unable to find any examples on the internet of how to use
> openconnect with a software token, besides RSA software tokens with stoken.

Let's start with TOTP, as it's easier.

We don't yet support file storage for [HT]OTP tokens — you have to
provide the required information on the OpenConnect command line.

If your token is stored in a standard PSKC file (as defined by RFC 6030)
then it's fairly simple to find the information you need; just use
pskctool. For the SafeNet token, you have to interpret their
non-standard file format but at least LinOTP is capable of that so it
shouldn't be impossible to work it out.

For testing it's best to start by generating the PINs manually with
oathtool, and entering them manually until you're sure you have the OTP
part working.

 oathtool --totp 5a5a5a5a5a5a5a5a5a5a5a5a

However, HOTP is more interesting because you have a *counter* rather
than just a timestamp. And that counter needs to be updated in the file.

So you can make openconnect work by passing 
 --token-mode HOTP --token-secret $SECRET,$COUNTER

But the question of how you remember that the counter should be
increased is not yet solved.

We really *do* want to have file storage support, but oath-toolkit
doesn't give us anything we can sanely use. We'd need to define locking
semantics for it too, and I *really* didn't want to do that in isolation
just for OpenConnect.

> Also, passing the --token-mode option without passing the --token-secret
> option makes openconnect segfault, which seems odd.

Oops. I've just fixed that in the git tree; thanks for pointing it out.
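
Added example (not part of the original thread, and not OpenConnect or oath-toolkit code): a sketch of the counter-persistence problem raised above for HOTP, computing the RFC 4226 value and advancing a counter file under an exclusive lock. The function names, the one-integer counter file layout, and the use of `flock()` as the locking scheme are assumptions made for this illustration.

```python
import fcntl, hashlib, hmac, os, struct, tempfile

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def next_hotp(secret_hex: str, counter_path: str):
    """Return (otp, counter_used); store counter_used + 1 before returning.

    The exclusive flock() serialises concurrent callers so two processes
    can never be handed the same counter value.
    """
    fd = os.open(counter_path, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as f:
        fcntl.flock(f, fcntl.LOCK_EX)            # released when f is closed
        text = f.read().strip()
        counter = int(text) if text else 0       # assumed layout: one integer
        otp = hotp(bytes.fromhex(secret_hex), counter)
        f.seek(0)
        f.truncate()
        f.write(f"{counter + 1}\n")
        f.flush()
        os.fsync(f.fileno())                     # counter is on disk before use
    return otp, counter

if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret "12345678901234567890".
    secret_hex = b"12345678901234567890".hex()
    path = os.path.join(tempfile.mkdtemp(), "hotp.counter")
    for _ in range(3):
        otp, used = next_hotp(secret_hex, path)
        print(f"counter={used} otp={otp}")
```

The counter is written before the code is handed out, so a failed or abandoned login skips a value rather than reusing one; RFC 4226 servers tolerate this through their look-ahead window.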
