Cisco AnyConnect connection issues

I am struggling to connect to the vpn for the college I work for since they switched to requiring DUO SSO for authentication. Previously, I was using openconnect just fine, but that no longer works (see here for details). So now I’m trying to get the proprietary Cisco AnyConnect app to work.

The problem is in the 2 factor authentication - it seems to launch some process that will ping my phone to accept the login attempt, but I can’t get it to pop up.

The first thing I did was to download and run an installer script provided when I log into the vpn via web browser, and then

$ sudo bash Downloads/anyconnect-linux64-4.10.06090-core-vpn-webdeploy-k9.sh

(I can provide the contents of this script if helpful). Note: on Rocky linux, this succeeds, and I’m able to connect to the vpn using this app.

At this stage, when I tried to open the app, it crashed without showing a window. I found the binary at /opt/cisco/anyconnect/bin/vpn and ran it, which gave an error message "The VPN service is not available. Exiting." I found /opt/cisco/anyconnect/bin/vpnagentd, and after running this, the window opened correctly. Problem 1 down!

Now, when I try to connect to the vpn (vpn.wellesley.edu), I’m getting the error

You are missing the required libraries for the authentication method you requested

I found this post, which has some instructions for dealing with this on redhat by downloading a .pem certificate and installing it, which I was able to do (I think) with a few modifications, in particular, copying the file to /usr/share/pki/trust/anchors instead of /usr/share/pki/ca-trust-source/anchors/, and running update-ca-certificates instead of update-ca-trust.

That post also mentions installing webkit2gtk, and indeed in the terminal when I try to connect, I see

❯ /opt/cisco/anyconnect/bin/vpnui
/opt/cisco/anyconnect/bin/acwebhelper: error while loading shared libraries: libwebkit2gtk-4.0.so.37: cannot open shared object file: No such file or directory

So I installed libwebkit2gtk4_0 via yast. And now connecting brings up a username / password dialogue - problem 2 solved!

But when I enter a password, it pauses for a moment, and then prompts for a password again. Which, incidentally, is the same thing that happens with openconnect when it can’t open the 2FA window. But there’s no error reported in the console, and I can’t determine how to get any additional info.

Other things I’ve tried

  • adding ,push or ,sms to my password as suggested by a few websites. No dice
  • using NetworkManager, with or without including the CA certificate that I downloaded earlier. Fail.
  • Running Rocky linux (as I mentioned above, this is the only thing so far that works)

I would very much like to stick with openSUSE, but I need to be able to connect to my work VPN. Any ideas for where to go next would be appreciated.
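Added example, not part of the original post: the `libwebkit2gtk-4.0.so.37` error above only surfaced when `acwebhelper` was launched, so a way to list every shared library the loader cannot resolve for the installed AnyConnect binaries in one pass is sketched below. The function names and the sample `ldd` output are constructed for illustration; the directory is the one named in the post.

```shell
#!/bin/sh
# Added example: report unresolved shared libraries for each binary in a
# directory, so helpers that would fail at launch show up before connecting.
# ldd can invoke the dynamic loader on the file it inspects, so point this
# only at binaries that are already installed and trusted on the machine.

# Constructed sample of ldd output (addresses are made up) for offline checks.
sample_ldd_output() {
    printf '\tlinux-vdso.so.1 (0x00007ffc00000000)\n'
    printf '\tlibwebkit2gtk-4.0.so.37 => not found\n'
    printf '\tlibc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)\n'
}

# Read ldd output on stdin and print the soname of every "=> not found" entry.
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# scan_bin_dir DIR: print "path: soname" for each unresolved dependency of
# every executable regular file in DIR. Shell scripts and other non-ELF files
# make ldd fail with "not a dynamic executable"; that is silenced and skipped.
scan_bin_dir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        ldd "$f" 2>/dev/null | missing_from_ldd | while IFS= read -r lib; do
            printf '%s: %s\n' "$f" "$lib"
        done
    done
}

# Run a scan only when a directory is passed on the command line, e.g.
#   sh check_libs.sh /opt/cisco/anyconnect/bin
if [ "$#" -gt 0 ]; then
    scan_bin_dir "$1"
fi
```

An empty result means the loader can resolve every dependency of the scanned binaries, which rules out a missing library as the cause of a failure.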

Can you say more?

Without more explanation, I can’t get this to work. For one, there’s no ~/.cisco directory (I looked in /opt/cisco/anyconnect/bin for cstub, but it’s not there, and there’s also not /opt/cisco/hostscan), and for another, no environmental variable $CSD_HOSTNAME.

I do not have the knowledge to say anything about the problem here. But when you want to prove such a thing, you should not talk, but show:

la -l ~/.cisco

When you copy/paste that (including the full line with the command and the new prompt line) in your post everybody can see what you did and got.

E.g. on my user (but I do not use the software):

henk@boven:~> ls -l ~/.cisco
ls: cannot access '/home/henk/.cisco': No such file or directory
henk@boven:~>

Sure

> ls -l ~/.cisco
ls: cannot access '/home/kevin/.cisco': No such file or directory
Proof
> ls -l /opt/cisco/anyconnect/bin/
.rwxr-xr-x 1.7M root  3 Nov 09:36 acextwebhelper
.rwxr-xr-x  26k root  3 Nov 09:36 acinstallhelper
.rwxr-xr-x 985k root  3 Nov 09:36 acwebhelper
.rwxr-xr-x 1.2k root  3 Nov 09:36 anyconnect_uninstall.sh
.rwxr-xr-x  315 root  3 Nov 09:36 load_tun.sh
lrwxrwxrwx    - root  3 Nov 09:36 manifesttool -> /opt/cisco/anyconnect/bin/manifesttool_vpn
.rwxr-xr-x 242k root  3 Nov 09:36 manifesttool_vpn
drwxr-xr-x    - root  3 Nov 09:36 plugins
.rwxr-xr-x 174k root  3 Nov 09:36 vpn
.rwxr-xr-x 9.1k root  3 Nov 09:36 vpn_uninstall.sh
.rwxr-xr-x 1.1M root  3 Nov 09:36 vpnagentd
.rwxr-xr-x 674k root  3 Nov 09:36 vpndownloader
.rwxr-xr-x 637k root  3 Nov 09:36 vpndownloader-cli
.rwxr-xr-x 475k root  3 Nov 09:36 vpnui
Proof
> eza -l /opt/cisco/
drwxr-xr-x - root  3 Nov 09:36 anyconnect
Proof
> echo $CSD_HOSTNAME

>

I understand this impulse, but I hope you’ll believe me when I say I’m a somewhat sophisticated user. I can understand all the parts of @Svyatko's script, at least enough to know it’s not gonna run based on the points listed.