Fedora 43 and Cisco AnyConnect SSO Guide

Hi all, I just wanted to post a quick guide on getting Bluefin working with Cisco AnyConnect and SSO. Installing the official client is difficult, and personally I prefer the Gnome/KDE VPN integration using OpenConnect. This will cover Gnome, but the steps for KDE are similar. That being said, I would recommend you avoid KDE as the OpenConnect integration has some severe bugs (forgets suburl in VPN gateway, crashes services on canceled login flows, etc…).

Step 1: Gather Information

Cisco AnyConnect has a very convenient (for your systems administrators) feature that auto-updates the client on VPN connection/login. This works well in Microsoft Windows using the official client, but causes the VPN connection to fail in OpenConnect. To get around this you need to get the version string of the latest Windows client that your VPN server expects. You can get this from a Windows install or ask your Cisco AnyConnect administrator. We will use this as part of the “User Agent” value later.

Step 2: Create the VPN

Use gnome settings to create a new “Cisco Anyconnect or OpenConnect” VPN. Fill in the defaults it asks for. Then go back and edit the VPN entry. In the Identity tab, update the following fields replacing the version with the one you got from step 1:

  • User Agent = AnyConnect Windows 5.1.10.233
  • Reported OS = win

For the IPv4/IPv6 tabs there is the option to “Use this connection only for resources on its network”. If your VPN is set up as a split tunnel (ask your Cisco AnyConnect admin), then make sure to check this box in both tabs. If your VPN does something dumb like drop all IPv6 traffic, then you can set your IPv6 Method to “Disable” and avoid potential routing and DNS issues.

Step 3: Get a newer version of OpenConnect

If you try to connect after completing step 2, you should get your expected SSO login popup, but after successful sign-in you’ll get a connection failed error. Checking journalctl (sudo journalctl -u NetworkManager.service) you will likely see the following:

Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.

This is due to a bug in OpenConnect that was fixed a few years ago. I’m not sure if the fault is Fedora’s for not updating or OpenConnect’s for not tagging a new version. Regardless, the version of OpenConnect shipped with Fedora 43 does not contain the fix. To get around this we will update the openconnect package in the Bluefin base image.

OpenConnect has bleeding-edge builds in Fedora Copr that we can use to do this (https://copr.fedorainfracloud.org/coprs/dwmw2/openconnect/). We can’t just enable the repo and run an rpm-ostree upgrade, as that will just pull the latest Bluefin image and not actually do dnf/rpm updates. We also cannot do an rpm-ostree install, as openconnect is already in the Bluefin image. Instead we will use rpm-ostree override, but this only works with downloaded RPM files and not an enabled repo. So download the latest Fedora 43 (or whatever Fedora version you’re on) build from the previously linked Copr repo. Then run the following command, replacing the file name with your downloaded RPM file:

rpm-ostree override replace openconnect-9.12.git.255.0dcdff8-0.fc43.x86_64.rpm

Once that completes, reboot, and you should now have a working Cisco AnyConnect SSO-enabled VPN connection through the Gnome GUI.

Fedora Major Version Upgrades Note

If you follow this guide, please note that you will need to track when your Bluefin install updates to newer Fedora major versions (43 → 44 and whatever the LTS is). You will need to remove the override before updating, test the newer version, and if the fixed OpenConnect isn’t included, redo the override with the correct RPM for the new Fedora major version.


Let me know if this was helpful! Also, here’s to hoping rpm-ostree sticks around for a little while longer, as I’m not sure if this is possible using the newer bootc only.

2 Likes
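As an added example (not part of the original post), a small POSIX shell helper that checks for the two symptoms the guide describes: the “Cookie was rejected” signature in the NetworkManager journal, and whether an openconnect override is still active in rpm-ostree status (useful to re-check before a Fedora major version upgrade). The `ReplacedBasePackages` field and the sample status text are assumptions about rpm-ostree’s output format; the log lines are the ones quoted in Step 3.

```shell
#!/bin/sh
# Triage helper for the OpenConnect SSO failure described in Step 3.
# Constructed example; not the original post's code.

# Reads NetworkManager journal text on stdin and prints
# "cookie-rejected" if the Step 3 failure signature is present, else "ok".
classify_nm_log() {
    if grep -q -e 'Cookie was rejected by server' \
               -e 'inappropriate HTTP CONNECT response: HTTP/1.1 401'; then
        echo cookie-rejected
    else
        echo ok
    fi
}

# Reads `rpm-ostree status` text on stdin and prints "yes" if openconnect
# is listed as a replaced base package (i.e. the override is still active).
# Assumption: rpm-ostree reports overrides on a "ReplacedBasePackages:" line.
override_active() {
    if grep -q 'ReplacedBasePackages:.*openconnect'; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample inputs so the helper can be exercised offline.
SAMPLE_LOG='Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Unauthorized
Creating SSL connection failed
Cookie was rejected by server; exiting.'
SAMPLE_STATUS='Deployments:
  fedora:fedora/43/x86_64/bluefin
     ReplacedBasePackages: openconnect 9.12-3.fc43 -> 9.12.git.255.0dcdff8-0.fc43'

# With --live, inspect the running system instead of the samples.
if [ "${1:-}" = "--live" ]; then
    echo "journal:  $(journalctl -u NetworkManager.service -b --no-pager | classify_nm_log)"
    echo "override: $(rpm-ostree status | override_active)"
elif [ "${1:-}" = "--demo" ]; then
    echo "journal:  $(printf '%s\n' "$SAMPLE_LOG" | classify_nm_log)"
    echo "override: $(printf '%s\n' "$SAMPLE_STATUS" | override_active)"
fi
```

Run with `--demo` to see the constructed samples classified, or `--live` on the Bluefin host after the override and reboot.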

Hi @nvonwolff

Did you know there is a native solution? You don’t need the first-party Cisco AnyConnect solution. OpenConnect works fine, even with 2FA.

2FA-based login workflows with something like Cisco Duo work fine. But SSO-based web login solutions do not with the current version of OpenConnect shipped with Fedora 43. Hence the reason for this guide. The main error is covered as part of “Step 3”. The other part of this guide, which talks about agent strings, is only required if your Cisco AnyConnect server has automatic client updates turned on. This also breaks OpenConnect, hence this guide.

1 Like

Thank you both. I created the VPN connection as shown in L0gOff’s post but it didn’t work. Then, I added the “User Agent = AnyConnect Linux x.y.z” and “Reported OS = Linux” as you suggested and then it works!

1 Like