Update: I've created scripts to automate much of this process. You can find them on GitHub.
On Windows, this is often accomplished using Cisco's AnyConnect VPN client software. On Linux however, that option would never work for me. I tried to download it from the VPN https site, but it wouldn't load.
On Linux, we have an open-source alternative, called
The difficult part is getting it to use our smart card, and present the correct
certificate to the VPN.
Several packages needed to be installed on my Fedora machine to get started. Unfortunately, I don't remember all of them, but you should probably start with this:
# yum install coolkey # service pcscd start
p11-kit to interact with PKCS #11 modules.
(PKCS #11 is the standard for interfacing with cryptographic tokens,
like smart cards.) The first thing we need to do is tell
p11-kit to use the
libcoolkey pkcs11 module. Do this by creating a new file named
/etc/pkcs11/modules/libcoolkey.module, and adding the following line to it:
Identify token and cert
Next, we'll use
p11tool --list-tokens to list all of the tokens on our
system. You should see your smart card in this list. Mine showed up like this
(along with others):
$ p11tool --list-tokens ... Token 6: URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxxxx Label: REINHART.JONATHON.RICHARD.xxxxxxxx Manufacturer: Model: Serial:
Now, we want to look at all of the certificates available on our smart card.
p11tool --list-all-certs <url>, where
<url> is the URL of our
smart card token from the previous step:
$ p11tool --list-all-certs pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxx Object 0: URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%01;object=CAC%20ID%20Certificate;object-type=cert Type: X.509 Certificate Label: CAC ID Certificate ID: 00:01 Object 1: URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert Type: X.509 Certificate Label: CAC Email Signature Certificate ID: 00:02 Object 2: URL: pkcs11:model=;manufacturer=;serial=;token=REINHART.JONATHON.RICHARD.xxxxxx;id=%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert Type: X.509 Certificate Label: CAC Email Encryption Certificate ID: 00:03
So we can see the three certificates available on our smart card.
Connect with certificate
The Windows AnyConnect software will pop-up a dialog asking you to select the
certificate for authentication when the server asks for a client certificate.
openconnect currently has no such functionality, so we need to explicitly
tell it which certificate to use. In my case, I already knew it was the
ID: 00:02, the "CAC Email Signature Certificate". So I pass
-c option, with the minimal URL to unambiguously refer to that
$ sudo openconnect -c 'pkcs11:token=REINHART.JONATHON.RICHARD.xxxxxx;id=%02' vpn.example.com
Note that I had to use sudo because openconnect will invoke some scripts to set
tun device and routing.
At this point,
openconnect should ask for your PIN, and then successfully
connect to the VPN! If not, you may need to try the other certificates, by
id= part of the certificate URL.
There are still a few outstanding warnings that occur during this process:
Certificate from VPN server "vpn.example.com" failed verification. Reason: signer not found- I need to determine which certificate this is exactly, and how to add it to my trusted certificate store.
Note: I've had to install various packages and make various changes in playing with my smart card, so if something isn't working for you, or I've skipped a step, please leave a comment so I can make this post more accurate. Thanks!
Update: Additional steps - I'll work these in above at some point:
- Howto: Connect to Cisco AnyConnect VPN using OpenConnect and PKI Token
- CAC modules -