
Connect to Cisco ASA VPN with Linux OpenConnect and SAML Authentication using Linux Mint


How to use OpenConnect instead of Cisco AnyConnect for VPN access with SAML-based authentication #

Instead of the closed-source Cisco Secure Client (AnyConnect), you can use the cross-platform, multi-protocol VPN client OpenConnect. OpenConnect is well integrated into most Linux distributions and speaks the protocol used by Cisco, among others.

Most Linux desktop environments provide a graphical interface for managing VPN connections through NetworkManager, which makes using the VPN straightforward. Here’s a step-by-step guide.

Step 0: Setup Prerequisites #

The following prerequisites apply to the setup described here:

  • VPN-Server
    • Cisco Adaptive Security Virtual Appliance (ASAv) or Firepower Hardware
  • Linux Client
    • Ubuntu LTS 24.04/Linux Mint 22 or older Linux with Backports
    • NetworkManager-Openconnect Version 1.2.10 or later (MUST!)
  • Authentication
    • Entra ID with SAML
    • MFA with Cisco DUO or Okta (optional)
I assume you already have a working setup using the Cisco Secure Client.

Step 1: Install Necessary Packages #

Ensure that OpenConnect and the NetworkManager plugin for OpenConnect are installed. For SAML authentication it’s absolutely necessary to install NetworkManager OpenConnect version 1.2.10 or later.

For Linux Mint 22/Ubuntu 24.04:

$ sudo apt update
$ sudo apt install openconnect \
network-manager-openconnect network-manager-openconnect-gnome

Openconnect Packages on Ubuntu

If your Linux distribution (for example Linux Mint 21.3 or Ubuntu 22.04) does not ship a recent enough NetworkManager OpenConnect, install the packages from the openSUSE Build Service instead: the openconnect packages from the home:bluca:openconnect:release project.

For Linux Mint 21.3/Ubuntu 22.04, install the third-party packages with:

$ echo 'deb http://download.opensuse.org/repositories/home:/bluca:/openconnect:/release/Ubuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/home:bluca:openconnect:release.list
$ curl -fsSL https://download.opensuse.org/repositories/home:bluca:openconnect:release/Ubuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_bluca_openconnect_release.gpg > /dev/null
$ sudo apt update
$ sudo apt install openconnect \
network-manager-openconnect network-manager-openconnect-gnome

Step 2: Connection Setup #

  1. Click on the network symbol in the status bar at the bottom right.

  2. Select “Network Connections”.

    Network Connections

  3. Click on the plus symbol “+” bottom left to create a new VPN connection profile.

    Network Connections View

  4. Choose the connection type “Cisco AnyConnect or OpenConnect (OpenConnect)” and hit the “Create…” button.

    Network Add VPN

  5. Edit the VPN connection: set the name, protocol, gateway and user agent as in the table below, then click “Save”.

Parameter           | Value                                                        | Comment
--------------------|--------------------------------------------------------------|---------
VPN Protocol        | Cisco AnyConnect or OpenConnect                              | MUST
Gateway             | Cisco ASA endpoint, e.g. https://vpn-test.bitingbytes.de/int | MUST
User-Agent          | AnyConnect                                                   | MUST!
Machine-Certificate | Your certificate                                             | optional
Machine-Private Key | Your key                                                     | optional

Openconnect Configuration

Step 3: Connect and login #

To connect, go to the status bar at the bottom right, click on the network symbol and then on the connection name (in this example: “Bitingbytes VPN Connection ASA”). Start the login process with a click on “Login”. Authentication takes place in an embedded browser that opens in a separate window.

Openconnect Login

Step 4: Entra ID Login #

  • Entra ID Sign In: Enter your UPN. Click Next.

Openconnect Entra ID: Sign-In

  • Enter your password. Click on Sign In.
  • Optional: approve the Duo Push (or whichever MFA method is configured).
  • If prompted: trust the account and click Continue.

Openconnect Entra ID: Enter Password

Once connected, the VPN status will show as Connected under the VPN section in the Network settings. Verify the connection by accessing internal resources or running a connectivity test (e.g., ping or traceroute to an internal server).

Error and Known Issues #

Error: 404 Not Found #

Without a matching User-Agent (“AnyConnect”), the ASA answers with 404 Not Found. The status code is misleading: the gateway is reachable, it simply does not serve the SAML login flow to a client that does not identify as AnyConnect.

Missing “User-Agent” field #

If NetworkManager OpenConnect is too old, the “User-Agent” field is not offered in the GUI, so the value cannot be set there. The only fix is to install a current version (1.2.10 or later) as described in Step 1.
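As an added example (not part of the original post), the following script does two things: it creates the Step 2 profile from the command line with nmcli instead of the GUI, and it checks a stored NetworkManager profile for the two settings the SAML login depends on, so that the misleading 404 Not Found described above can be spotted before connecting. The connection name and gateway are the post’s own examples; the vpn.data keys gateway, protocol and useragent are assumed to be the ones NetworkManager-openconnect 1.2.10 or later uses, and the sample keyfile is constructed for the offline check.

```shell
#!/bin/sh
# Added example, not part of the original post: create the Step 2 profile with
# nmcli instead of the GUI, and lint a stored profile for the two settings the
# SAML login depends on (protocol and User-Agent). Assumptions: the vpn.data
# keys gateway/protocol/useragent used by NetworkManager-openconnect 1.2.10+;
# the connection name and gateway are the post's own examples.
set -eu

CON_NAME="Bitingbytes VPN Connection ASA"
GATEWAY="https://vpn-test.bitingbytes.de/int"

# Compose the vpn.data value: the same three fields the GUI form asks for in Step 2.
vpn_data_string() {
    printf 'gateway=%s,protocol=anyconnect,useragent=AnyConnect' "$1"
}

# Create the NetworkManager profile (needs nmcli and the openconnect plugin installed).
create_vpn_profile() {
    nmcli connection add type vpn ifname '*' con-name "$CON_NAME" \
        vpn-type openconnect vpn.data "$(vpn_data_string "$GATEWAY")"
}

# Lint a NetworkManager keyfile (profiles normally live under
# /etc/NetworkManager/system-connections/). Returns 0 when both keys are set,
# 1 when one is missing: without useragent=AnyConnect the ASA answers 404.
check_profile() {
    file="$1"
    grep -q '^protocol=anyconnect$' "$file" \
        || { echo "$file: missing protocol=anyconnect"; return 1; }
    grep -q '^useragent=AnyConnect$' "$file" \
        || { echo "$file: missing useragent=AnyConnect (expect 404 Not Found)"; return 1; }
    echo "$file: profile ok"
}

# Constructed sample keyfile, shaped like what the GUI saves, for an offline check.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
[connection]
id=Bitingbytes VPN Connection ASA
type=vpn

[vpn]
gateway=https://vpn-test.bitingbytes.de/int
protocol=anyconnect
useragent=AnyConnect
service-type=org.freedesktop.NetworkManager.openconnect
EOF
check_profile "$SAMPLE"
rm -f "$SAMPLE"

# Run with "create" as the first argument to actually add the profile.
if [ "${1:-}" = "create" ]; then
    create_vpn_profile
fi
```

Run without arguments to see the lint pass on the constructed sample; run with `create` on a machine that has nmcli and the OpenConnect plugin to add the profile, after which it appears in the network applet exactly like the GUI-created one in Step 3. Pointing `check_profile` at a real file under /etc/NetworkManager/system-connections/ (as root) tells you whether an existing profile is missing the User-Agent that the ASA requires.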