Getting connection settings and resources from AnyConnect
Colin Williams
colin.williams.seattle at gmail.com
Wed Mar 28 15:20:42 PDT 2018
Hi Daniel,
That makes sense. From what I recall looking at the profile .xml I
believe it's using a usergroup or groupname. Also there's some
certificate match pattern that it's using. Then I will have to export
the certificates and try giving it another shot. I've been so busy I
haven't had a chance yet. However, I will bump up this message thread
when I do regarding success or failure.
Thanks for your help.
On Mon, Mar 26, 2018 at 9:16 PM, Daniel Lenski <dlenski at gmail.com> wrote:
> On Mon, Mar 26, 2018 at 8:38 PM, Colin Williams
> <colin.williams.seattle at gmail.com> wrote:
>>
>> Hi,
>>
>> I have a mac provided with AnyConnect configured to a vpn, but wish to
>> try to connect using OpenConnect. Can anyone describe or point to a
>> document which might allow me to infer the connection settings and
>> resources such as keys so I can provide them for OpenConnect based on
>> the working AnyConnect settings? I looked around at some xml files but
>> couldn't figure out the connection settings and resources on my own.
>
> In my experience (5 or 10 different Cisco AnyConnect VPNs), the
> following should cover all of the required connection information:
>
> VPN server (there may be more than one possibility in your "AnyConnect
> Profile", but you only need one to get connected)
> Username
> Password and/or 2FA token source
> Client certificate (not used with all VPNs)
>
> These should all be straightforward and obvious, with the exception of
> the client certificate. In some cases, the client cert may be
> accessible to you since you obtained it simply as an ordinary file
> which you can copy to a system running openconnect.
>
> But in other cases, the client certificate will be stored in:
>
> (a) An operating system facility that restricts your ability to export
> the certificate. Under Windows, the mimikatz tool
> (https://github.com/gentilkiwi/mimikatz) can be used to export
> certificates which were marked "unexportable" when imported.
> (b) Vendor-specific software that stores the certificate, such as Symantec PKI.
> (c) A hardware credential storage container like a TPM
> (https://en.wikipedia.org/wiki/Trusted_Platform_Module).
>
> Does that clarify things?
>
> Dan
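The settings the thread is after (the server list, the usergroup, and the certificate match pattern) can be pulled out of the AnyConnect profile XML mechanically. This is an added example, not code from the thread or from the OpenConnect project; it assumes the usual AnyConnect profile element names (ServerList/HostEntry with HostName, HostAddress and UserGroup; ClientInitialization/CertificateMatch with DistinguishedNameDefinition) and builds an `openconnect` command line using its real `--usergroup`, `-c` and `-k` options.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample profile (not a real deployment's file); the element
# names follow the usual AnyConnect profile layout, which is an assumption.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch><DistinguishedName>
      <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
        <Name>OU</Name><Pattern>VPN Users</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName></CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry><HostName>Corp VPN (primary)</HostName>
      <HostAddress>vpn1.example.com</HostAddress><UserGroup>employees</UserGroup>
    </HostEntry>
    <HostEntry><HostName>Corp VPN (backup)</HostName>
      <HostAddress>vpn2.example.com</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

def _text(elem, tag):
    """Text of child <tag>, ignoring the profile's default XML namespace."""
    child = elem.find(f"{{*}}{tag}")
    return child.text.strip() if child is not None and child.text else None

def parse_profile(xml_text):
    """Return the server list and the certificate match rules of a profile."""
    root = ET.fromstring(xml_text)
    hosts = [{"name": _text(e, "HostName"), "address": _text(e, "HostAddress"),
              "usergroup": _text(e, "UserGroup")}
             for e in root.findall(".//{*}HostEntry")]
    # Each DistinguishedNameDefinition names the subject attribute the client
    # cert must match: this is the "certificate match pattern" from the thread.
    cert_match = [(_text(d, "Name"), _text(d, "Pattern"))
                  for d in root.findall(".//{*}DistinguishedNameDefinition")]
    return {"hosts": hosts, "cert_match": cert_match}

def openconnect_command(host, cert_path=None, key_path=None):
    """Build an openconnect command line for one HostEntry."""
    cmd = ["openconnect"]
    if host["usergroup"]:
        cmd += ["--usergroup", host["usergroup"]]
    if cert_path:
        cmd += ["-c", cert_path]   # client certificate file
    if key_path:
        cmd += ["-k", key_path]    # private key, if stored separately
    cmd.append(host["address"])
    return shlex.join(cmd)
```

Pick the matching client certificate by checking its subject against `cert_match` before handing it to `openconnect`; any host in the list works, as the thread notes.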