Connect to VPN network with CAC (smart card) authentication

Adam Allgood - NOAA Federal adam.allgood at noaa.gov
Thu Nov 16 18:37:41 PST 2017


Thanks for the response! Chrome OS provides crosh, which is a very
stripped down command line utility, so I cannot run openconnect
--version, however on the about tab, it says OpenConnect for Android
Version 1.11.

Chrome OS offers two "middleware" apps designed to allow 3rd party
apps to access the CAC: CACKey and CSSI Smart Card Middleware. I would
assume it is these apps that provide the p11-kit module file for apps
needing to authenticate with the CAC. However, I do not know how to
get these Chrome OS Web Store apps to talk to the Play Store
OpenConnect, nor do I know how to diagnose the location of the p11-kit
module from these apps.

I am pursuing other leads to get answers to these questions as well,
but so far no luck. Worst case scenario I would have to install
Crouton and Linux on my Chromebook, but I would like to avoid this and
keep the OS verification security.

All the best,
Adam

On Tue, Nov 14, 2017 at 2:33 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Tue, 2017-11-14 at 14:25 -0500, Adam Allgood - NOAA Federal wrote:
>> To whom it may concern,
>>
>> My office is now requiring us to authenticate into their VPN with our
>> CAC smart cards. I currently use Cisco AnyConnect on Chrome OS to
>> access VPN with an RSA SecurID pin. AnyConnect does not support smart
>> card authentication. Is there a way to connect to a VPN network using
>> a smart card with OpenConnect? If so, is there a set of instructions
>> for how to do it on Chrome OS? I have installed OpenConnect on my
>> Chromebook (Acer 14) through the Google Play Store.
>
> Yes, OpenConnect (in general) supports PKCS#11:
> http://www.infradead.org/openconnect/pkcs11.html
>
> I don't know offhand if the build in the Google Play Store includes
> PKCS#11 support. Can you show 'openconnect --version' output?
>
> If it does, you just need to make sure that the PKCS#11 module for your
> card (probably OpenSC) is installed correctly, and has an appropriate
> p11-kit module file so that it's visible to applications. The above web
> page should be sufficient.



-- 
Adam Allgood - Meteorologist
Climate Prediction Center
5830 University Research Court, Rm 3148
College Park, Maryland 20740
Ph. (301) 683-3418
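
[Added example, not part of the original thread or of OpenConnect.] On a regular Linux system with a shell (not the stock Chrome OS environment described above), the p11-kit module files mentioned in the reply can be checked with a script like the one below. It reads each *.module file, resolves its "module:" value, and reports whether the PKCS#11 library exists. The function name and the two directory arguments are assumptions for illustration; the actual directories vary by distribution.

```shell
#!/bin/sh
# Audit p11-kit module files: show which PKCS#11 library each one points at
# and whether that library is present and readable.
#
# check_p11_modules CONFIG_DIR LIB_DIR   (hypothetical helper, not a p11-kit tool)
#   CONFIG_DIR  directory holding *.module files (often /etc/pkcs11/modules
#               or /usr/share/p11-kit/modules; assumption, check your distro)
#   LIB_DIR     directory against which relative "module:" values are resolved
# Output: one line per file, "OK|MISSING <name> <path>" or "NOPATH <name>".
# Returns 0 only if at least one module file resolves to a readable library.
check_p11_modules() {
    conf_dir=$1
    lib_dir=$2
    usable=0
    for f in "$conf_dir"/*.module; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=$(basename "$f" .module)
        # First "module:" line, with the key and surrounding blanks removed
        path=$(sed -n 's/^[[:space:]]*module:[[:space:]]*//p' "$f" \
               | head -n 1 | sed 's/[[:space:]]*$//')
        if [ -z "$path" ]; then
            # No library named: nothing here for an application to load
            echo "NOPATH  $name"
            continue
        fi
        case $path in
            /*) ;;                          # absolute path, use as written
            *)  path="$lib_dir/$path" ;;    # relative to the module directory
        esac
        if [ -r "$path" ]; then
            echo "OK      $name $path"
            usable=1
        else
            echo "MISSING $name $path"
        fi
    done
    [ "$usable" -eq 1 ]
}

# Run only when both directories are given on the command line.
if [ "$#" -ge 2 ]; then
    check_p11_modules "$1" "$2"
fi
```

A MISSING or NOPATH line for the card's module means applications that rely on p11-kit, OpenConnect included, will not see the token through that entry.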


