Connect to Cisco ASA VPN with Linux OpenConnect and SAML Authentication using Linux Mint

How to use OpenConnect instead of Cisco Anyconnect for VPN access with SAML-based authentication #
Instead of the closed-source Cisco Secure Client (AnyConnect), the cross-platform, multi-protocol VPN client OpenConnect can be used. OpenConnect is well integrated in most Linux distributions and speaks the protocol used by Cisco, among others.
Most Linux desktop environments provide a graphical interface for managing VPN connections through NetworkManager, which makes setting up the VPN straightforward. Here is a step-by-step guide.
Step 0: Setup Prerequisites #
The following prerequisites apply to the setup described here:
- VPN server
  - Cisco Adaptive Security Virtual Appliance (ASAv) or Firepower hardware
- Linux client
  - Ubuntu 24.04 LTS / Linux Mint 22, or an older release with backports
  - NetworkManager-openconnect version 1.2.10 or later (MUST)
- Authentication
  - Entra ID with SAML
  - MFA with Cisco Duo or Okta (optional)
Step 1: Install Necessary Packages #
Ensure that OpenConnect and the NetworkManager plugin for OpenConnect are installed. For SAML authentication, NetworkManager-openconnect version 1.2.10 or later is required; older versions have no User-Agent field, and without it the ASA will not offer the SAML login (see "Error and Known Issues").
For Linux Mint 22/Ubuntu 24.04 the distribution packages are recent enough:
$ sudo apt update
$ sudo apt install openconnect \
network-manager-openconnect network-manager-openconnect-gnome
For Linux Mint 21.3/Ubuntu 22.04 the distribution packages are too old, so the third-party packages from the OBS repository home:bluca:openconnect are used. Note that a key placed in /etc/apt/trusted.gpg.d/ is trusted for every configured repository, not only this one; to scope it to this repository, store it under /etc/apt/keyrings/ and reference it with [signed-by=...] in the sources entry. To install the third-party packages run:
$ echo 'deb http://download.opensuse.org/repositories/home:/bluca:/openconnect:/release/Ubuntu_22.04/ /' | sudo tee /etc/apt/sources.list.d/home:bluca:openconnect:release.list
$ curl -fsSL https://download.opensuse.org/repositories/home:bluca:openconnect:release/Ubuntu_22.04/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/home_bluca_openconnect_release.gpg > /dev/null
$ sudo apt update
$ sudo apt install openconnect \
network-manager-openconnect network-manager-openconnect-gnome
The NetworkManager plugin must come from this repository as well, since the version shipped with 22.04 is older than 1.2.10.
Step 2: Connection Setup #
Click on the network symbol in the status bar at the bottom right.
Select "Network Connections".
Click on the plus symbol "+" at the bottom left to create a new VPN connection profile.
Choose the connection type "Cisco AnyConnect or OpenConnect (OpenConnect)" and click the "Create..." button.
Edit the VPN connection: set the name, protocol, gateway and User-Agent as listed below. Finally click "Save".
Parameter | Value | Comment
---|---|---
VPN Protocol | Cisco AnyConnect or OpenConnect | MUST
Gateway | Cisco ASA endpoint, e.g. https://vpn-test.bitingbytes.de/int | MUST
User-Agent | AnyConnect | MUST (without it the ASA answers 404, see "Error and Known Issues")
Machine certificate | your certificate | optional
Machine private key | your key | optional
Step 3: Connect and login #
To connect, go to the status bar at the bottom right, click on the network symbol and then on the connection name (in this example: "Bitingbytes VPN Connection ASA"). Start the login process by clicking "Login". Authentication takes place in an embedded browser that opens in a separate window.
Step 4: Entra ID Login #
- Entra ID sign-in: enter your UPN and click "Next".
- Enter your password and click "Sign in".
- Optional: approve the Duo Push (or whichever MFA method is configured).
- If prompted: trust the account and click "Continue".
Once connected, the VPN status shows as "Connected" under the VPN section of the network settings. Verify the tunnel by accessing an internal resource or running a connectivity test (e.g. ping or traceroute to an internal host).
Error and Known Issues #
Error: 404 Not Found #
Without the User-Agent "AnyConnect", the ASA answers the SAML login request with 404 Not Found even though the gateway URL is correct, which is misleading: the server only offers the SAML login to clients it recognises as AnyConnect.
Missing “User-Agent” field #
If NetworkManager-openconnect is too old, the GUI has no field for the User-Agent. The only fix is to install version 1.2.10 or later as described above.
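The profile from Step 2 and the checks behind Step 1 and the "404 Not Found" issue, as an added example that is not part of the original post: a shell script that creates the NetworkManager-openconnect profile non-interactively with nmcli, compares the installed plugin version against the 1.2.10 minimum, and probes the gateway with and without the "AnyConnect" User-Agent so the misleading 404 can be seen before opening the GUI. The vpn.data key names (gateway, protocol, useragent), the nmcli argument layout and the gateway/connection name are assumptions taken from the post and from the plugin's documented keys; verify them against `nmcli connection show <name>` on your system.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): nmcli profile creation,
# plugin version check and User-Agent preflight for a Cisco ASA with SAML.
# Assumptions (verify locally):
#   - vpn.data keys "gateway", "protocol", "useragent" match your
#     network-manager-openconnect build (check: nmcli connection show <name>)
#   - GATEWAY and CON_NAME are the example values from the post
set -euo pipefail

GATEWAY="https://vpn-test.bitingbytes.de/int"   # example gateway from the post
CON_NAME="Bitingbytes VPN Connection ASA"       # example name from the post
MIN_PLUGIN_VERSION="1.2.10"                     # minimum required by the post

# Build the vpn.data value for the profile. Protocol "anyconnect" and the
# User-Agent "AnyConnect" are the two settings the post marks as MUST.
build_vpn_data() {
    local gateway="$1" useragent="${2:-AnyConnect}"
    printf 'gateway=%s,protocol=anyconnect,useragent=%s' "$gateway" "$useragent"
}

# Return 0 if the given version string is >= MIN_PLUGIN_VERSION, 1 otherwise.
# The version is passed in so the check can run without dpkg.
version_ok() {
    local have="$1"
    [ "$(printf '%s\n%s\n' "$MIN_PLUGIN_VERSION" "$have" | sort -V | head -n1)" = "$MIN_PLUGIN_VERSION" ]
}

# Read the installed plugin version from dpkg and check it.
check_installed_plugin() {
    local have
    have="$(dpkg-query -W -f='${Version}' network-manager-openconnect 2>/dev/null || true)"
    if [ -z "$have" ]; then
        echo "network-manager-openconnect is not installed" >&2
        return 1
    fi
    if version_ok "${have%%-*}"; then   # strip the Debian revision before comparing
        echo "plugin $have is new enough (>= $MIN_PLUGIN_VERSION)"
    else
        echo "plugin $have is too old, need >= $MIN_PLUGIN_VERSION" >&2
        return 1
    fi
}

# Create the profile. No secrets are stored here; SAML login happens at
# connect time in the plugin's embedded browser.
create_profile() {
    nmcli connection add type vpn con-name "$CON_NAME" ifname '*' \
        vpn-type openconnect -- vpn.data "$(build_vpn_data "$GATEWAY")"
}

# Preflight for the 404 issue: request the gateway with a generic User-Agent
# and with "AnyConnect" and print the HTTP status of each. A 404 only for the
# generic agent is the misleading answer described under "Error: 404 Not Found".
probe_gateway() {
    local ua
    for ua in "curl" "AnyConnect"; do
        printf '%-10s -> HTTP %s\n' "$ua" \
            "$(curl -s -o /dev/null -w '%{http_code}' -A "$ua" "$GATEWAY")"
    done
}

case "${1:-}" in
    check) check_installed_plugin ;;
    add)   check_installed_plugin && create_profile ;;
    probe) probe_gateway ;;
    *)     echo "usage: $0 {check|add|probe}" >&2 ;;
esac
```

Run `./asa-saml-setup.sh check` first; `add` only creates the profile when the plugin is new enough, and `probe` needs network access to the gateway.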
Useful links #
- Openconnect: Cisco AnyConnect https://www.infradead.org/openconnect/anyconnect.html
- Support SAML auth with AnyConnect https://gitlab.com/openconnect/openconnect/-/issues/84
- How to use “openconnect” (via the openconnect-sso wrapper) with SAML and Duo two-factor authentication via Okta Single-Sign-on (SSO) https://superuser.com/questions/284709/how-to-allow-local-lan-access-while-connected-to-cisco-vpn/1753172#1753172
- Send user-agent string compatible with newer Cisco servers https://gitlab.com/openconnect/openconnect/-/issues/665