Multi step Cisco Anyconnect auth in a single command

Daniel Lenski dlenski at gmail.com
Mon Nov 7 11:01:54 PST 2022


On Fri, Nov 4, 2022 at 3:14 PM Ahmet Karalar <akaralar at gmail.com> wrote:
>
> Hello,
>
> I can connect to my company VPN (Cisco Anyconnect) using openconnect,
> entering credentials as the CLI asks me, however I'd like to reduce
> that to 1 step if possible. When authenticating, openconnect asks me:
> - username
> - password
> - group
> - second authentication method
> - second authentication password (a TOTP)
>
> I know that I can pass the first 3 using CLI flags or a config file,
> however I couldn't figure out how to select the second auth method and
> then pass the second auth pass to the CLI. The second authentication
> method form is a form with 4 values, of which I'd like to select
> option 4 (TOTP auth), and then I'll enter the TOTP. I'm using a
> password manager and I'll get the TOTP from there. Is there a way to
> pass option 4 for the second auth method and then the second auth
> password to openconnect, so that I can connect to the VPN using only a
> single command?

Likely yes. So, you've already got the following, right?

    echo "$PASSWORD" | openconnect -u "$USERNAME" --passwd-on-stdin \
        --authgroup "$GROUP"

Now, you'll need to use the `--form-entry` option to specify the
second auth method (see
https://www.infradead.org/openconnect/manual.html#opt-form-entry).
First, start out by using `--dump` to extract the details of the
second form, including the name of the form and the fields+values
therein. That'll get you something like:

    echo "$PASSWORD" | openconnect -u "$USERNAME" --passwd-on-stdin \
        --authgroup "$GROUP" \
        --form-entry "${MFA_FORM_NAME}:${MFA_METHOD_FIELD_NAME}=${MFA_METHOD_FIELD_VALUE}"

And then you'll need to specify `--token-mode=totp` and
`--token-secret`
(https://www.infradead.org/openconnect/manual.html#opt-token-mode) to
tell OpenConnect how to fill in the TOTP field using your token.

OpenConnect should in most cases automatically detect the field that
is supposed to be filled with the token field value. If that *doesn't*
work, then send us the complete output of `openconnect --dump` for
that second form, and we'll figure out how it differs from the current
expectations for a token field… or better yet submit a merge request
to improve https://gitlab.com/openconnect/openconnect/blob/master/auth.c#L1004-1026.

Daniel
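Putting the steps above together, here is an added example (my own script, not code from this thread or from the OpenConnect project) that does the whole login in one command. It assumes: the form and field identifiers are read by hand from the output of `openconnect --dump-http-traffic` (`--dump` in the mail is getopt's abbreviation of that long option); the placeholder names VPN_SERVER, VPN_USER, VPN_GROUP, VPN_FORM, VPN_METHOD_FIELD, VPN_METHOD_VALUE, VPN_TOKEN_CONFIG and PASSWORD_CMD are hypothetical and must be set by you (PASSWORD_CMD is any command that prints the VPN password, e.g. a password-manager CLI); the TOTP secret is a base32 string, which the manual documents as the `base32:` form of `--token-secret`; and the `--config` file takes one option per line without the leading `--`, as the manual describes. The point of the layout is to keep both secrets out of argv: the password goes in on stdin and the token secret comes from a 0600 config file, so neither shows up in `ps` output or shell history.

```shell
#!/bin/sh
# Added example, not code from the original mail or from OpenConnect itself.
# One command for the login sequence in the thread: user + password +
# authgroup, then a second-auth-method form, then a TOTP.
#
# Placeholders (all hypothetical; take the real ids from the form printed by
# `openconnect --dump-http-traffic`):
#   VPN_SERVER, VPN_USER, VPN_GROUP              gateway, username, authgroup
#   VPN_FORM, VPN_METHOD_FIELD, VPN_METHOD_VALUE second-auth form id, field id,
#                                                and the value of the TOTP option
#   VPN_TOKEN_CONFIG                             0600 file with token-mode/-secret
#   PASSWORD_CMD                                 command that prints the password
#
# The password is fed on stdin (--passwd-on-stdin) and the TOTP secret is read
# from a --config file, so neither ends up in argv where `ps` and shell history
# would expose it.

# 0 if FILE exists and no group/other permission bit is set.
# `ls -l` columns 5-10 are the group and other rwx fields ("-rw-------").
secret_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Lines of an openconnect --config file carrying only the token settings.
# $1 is the base32 TOTP secret (what the enrolment QR code / your password
# manager stores). Config-file options are written without the leading "--".
render_token_config() {
    printf 'token-mode=totp\n'
    printf 'token-secret=base32:%s\n' "$1"
}

# The openconnect argument list, one per line, for review or for a test.
# $1 server  $2 user  $3 authgroup  $4 form  $5 field  $6 value  $7 config
openconnect_args() {
    printf '%s\n' \
        "--config=$7" \
        "--user=$2" \
        "--passwd-on-stdin" \
        "--authgroup=$3" \
        "--form-entry=$4:$5=$6" \
        "$1"
}

# Step 1 (run once): print the HTTP exchange so you can read the ids of the
# second form for VPN_FORM / VPN_METHOD_FIELD / VPN_METHOD_VALUE. Review the
# output before sharing it: it contains the request bodies, password included.
vpn_dump_forms() {
    sh -c "$PASSWORD_CMD" | openconnect --dump-http-traffic \
        --user="$VPN_USER" --passwd-on-stdin --authgroup="$VPN_GROUP" "$VPN_SERVER"
}

# Step 2: the single command. Refuses to run if the token file is group- or
# world-readable, then feeds the password on stdin.
vpn_connect() {
    cfg=${VPN_TOKEN_CONFIG:-$HOME/.config/openconnect/token.conf}
    if ! secret_file_is_private "$cfg"; then
        echo "refusing to start: $cfg is missing or readable by others (chmod 600 it)" >&2
        return 1
    fi
    # POSIX sh has no arrays: split the one-per-line list on newlines only,
    # with globbing off, into this function's positional parameters.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(openconnect_args "$VPN_SERVER" "$VPN_USER" "$VPN_GROUP" \
                              "$VPN_FORM" "$VPN_METHOD_FIELD" "$VPN_METHOD_VALUE" "$cfg")
    set +f
    IFS=$old_ifs
    sh -c "$PASSWORD_CMD" | openconnect "$@"
}

# Dispatch: `./vpn.sh dump` for step 1, `./vpn.sh connect` for step 2.
# With no argument the file only defines the functions (so it can be sourced).
case "${1-}" in
    dump)    vpn_dump_forms ;;
    connect) vpn_connect ;;
esac
```

Create the token file once with `umask 077; render_token_config YOURBASE32SECRET > ~/.config/openconnect/token.conf`, export the VPN_* variables and PASSWORD_CMD, and run the script as root (openconnect needs to create the tun device) with `connect`. If OpenConnect does not pick the right field for the token, the `dump` mode gives you the form to send to the list, as Daniel asks above.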


