Hi,
My institution uses Anyconnect VPN with Duo 2FA. I'm able to use
openconnect with NM Gnome plugin just fine when I put "push" as the
second password to initiate a push request to my phone. Recently, I've
registered my Yubikey with Duo so I'm able to tap and generate an OTP
for the secondary password field. The issue is, I either need to
delete the previously saved OTP from the second password field
every time (when save passwords is checked) or I have to type in my
password in addition to the OTP (when save passwords is unchecked). Is
it possible to configure the network manager to only save the primary
password but not the secondary? I've seen the "yubioath" support in
the command line but it seems the "Yubikey OTP" utilizes an encrypted
AES-based token different than the oath mode.
For reference, I'm on Ubuntu 16.04 with openconnect 8.03,
network-manager-openconnect and network-manager-openconnect-gnome
1.2.0 installed. I'm also including the form output below.
Thank you very much,
<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
<opaque is-for="sg">
<tunnel-group>DefaultConnection</tunnel-group>
<group-alias>01 Default</group-alias>
<config-hash>XXXXXXXXXXX</config-hash>
</opaque>
<auth id="main">
<title>Login</title>
<message>XXXXXXX</message>
<banner>For "Second Password:" enter a Duo passcode
or Type:
push - receive push notification
sms - receive
passcode via text message
phone - receive phone call to mobile or
landline</banner>
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
<input type="password" name="secondary_password"
label="Password:"></input>
<select name="group_list" label="GROUP:">
<option selected="true">01 Default</option>
<option>02 Restricted</option>
</select>
</form>
</auth>
</config-auth>
--
Mustafa Veysi Nural, PhD