unable to use RSA SecurID on Ubuntu 14.04 LTS 64 bit

Mark Kolmar mark at burningrome.com
Thu Jul 17 16:26:02 PDT 2014


I am trying to connect to a VPN that uses a two-part authentication, 
with username and two passwords. I am able to authenticate using Cisco 
AnyConnect VPN client on Windows 7.

I have been using OpenConnect v5.02-1 package with Network Manager 
OpenConnect 0.9.8.0 package under Ubuntu 14.04 64-bit to connect to a 
different VPN that needs only username/password. However, the Ubuntu 
package does not have libstoken support. Then I built OpenConnect 6.00 
and NetworkManager-OpenConnect 0.9.10 from source, removed the packages, 
and ran "sudo make install" for both of these. I gave up on 
NetworkManager-OpenConnect 0.9.10 because the GUI under Network 
Connections -> VPN was unavailable. So I went back to 0.9.8 package 
which restored the GUI, and mainly tried to use openconnect from the 
command line instead for testing.

With either version of OpenConnect or Network Manager, the GUI under 
Network Connections -> VPN does not show any option for RSA SecurID or 
tokens.

I am not terribly familiar with how the two-part authentication works or 
how this is implemented in OpenConnect. So I may simply be unclear on 
the concept, and not using the appropriate command line options and values.

The way the authentication works in AnyConnect is that I am prompted for 
a username and two passwords. The first password consists of a PIN 
(let's say 9999) plus a 6-digit token generated by stoken or RSA 
SecurID software on Windows. Let's say 123456. So the first password is 
like 9999123456. The 2nd password I think is just the Active Directory / 
LDAP password for the username. I used the token generated from stoken 
to connect successfully using AnyConnect in Windows. But I am not sure 
how to use these two passwords in OpenConnect, or whether this scenario 
is supported.

If I try to use --token-mode=totp or --token-mode=hotp, login fails 
whether I enter the AD/LDAP password or the PIN + stoken output. I am 
never prompted to enter a 2nd password. These modes don't seem to apply 
to my situation.

Using --token-mode=rsa, example below (output sanitized). For testing, I 
had the PIN stored in .stokenrc and removed it again. No real 
difference. Using --no-xmlpost or not doesn't make a difference either. 
If I try to enter the username/password as in the example below, it 
fails again with "Server is rejecting the soft token; switching to 
manual entry".

I should emphasize again that the first password needs to consist of the 
PIN + generated token. The PIN is not the same as the password that 
unlocks the software token. I am never prompted for the PIN by 
openconnect, and I do not see a way to pass it. It doesn't seem to make 
a difference whether I use "stoken" or "stoken --pin=9999". I am not 
sure whether the only password that openconnect prompts for is supposed 
to be the PIN+token or the AD/LDAP password. Neither one results in a 
prompt for a 2nd password.

Here is an example of what happens. Let me know if you require any more 
details.

$ openconnect --no-cert-check --authenticate --token-mode=rsa --no-xmlpost --user=username https://vpn.company.com/

Enter credentials to unlock software token.
Password:
GET https://vpn.company.com/
Attempting to connect to server 99.99.99.9:443
SSL negotiation with vpn.company.com
Connected to HTTPS on vpn.company.com
Got HTTP response: HTTP/1.0 302 Temporary moved
GET https://vpn1-1.company.com/
Attempting to connect to server 99.99.99.7:443
SSL negotiation with vpn1-1.company.com
Connected to HTTPS on vpn1-1.company.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://vpn1-1.company.com/+webvpn+/index.html
SSL negotiation with vpn1-1.company.com
Connected to HTTPS on vpn1-1.company.com
Please enter your username and password.
Generating RSA token code
POST https://vpn1-1.company.com/+webvpn+/index.html
Server is rejecting the soft token; switching to manual entry
Login failed.
Please enter your username and password.
Username:


--Mark Kolmar