This is an update of my post at the end of a 'Solved' thread viewtopic.php?p=778125&hilit=cisco+anyconnect#p778125, with permission of the moderator.
With Debian 11, I used the Cisco AnyConnect VPN with MFA available from my university without issues. This became impossible after the upgrade to Debian 12 (bookworm). When I type the command /opt/cisco/anyconnect/bin/vpnui, I get a dialogue box in which I enter the address of the VPN. I click on Connect, which starts the university's MFA. After I've entered my login credentials and the Duo Mobile code from my phone, I get a Cisco AnyConnect banner asking me to Accept. Clicking on that results in the messages: AnyConnect was not able to establish a connection to the specified secure gateway ... The certificate on the secure gateway is invalid. A VPN connection will not be established.
Another user had a similar problem with VPN under bookworm, and found that the problem is that, under bookworm, clients do not identify themselves to the Cisco VPN servers with a useragent starting with AnyConnect. He circumvented the problem by using the openconnect command with the option --useragent 'AnyConnect'. His solution hasn't worked in my MFA environment; I get to an infinite loop of requests for my username and password. This user https://forums.freebsd.org/threads/open ... 2fa.87788/ found a way to run Cisco AnyConnect VPN with MFA on FreeBSD using openconnect-sso, but I haven't been able to adapt his approach to supply the changed useragent identification necessitated by Debian 12.
I should add that the university's service desk has been of no help, which is what usually happens when they hear the L word!
I'm guessing this is a problem without a solution, but maybe someone will surprise me!
Statistics: Posted by drkayak99 — 2023-12-16 19:44 — Replies 1 — Views 97