
Setup Procedures for HKUVPN with 2-Factor Authentication (2FA) for Linux Using Cisco AnyConnect

1. Prerequisite
2. Configuration Procedures
3. Connection Procedures

3.1 By command line
3.2 By GUI client


1. Prerequisite

  1. With effect from 4 January 2016, 2-factor authentication (2FA) by making use of HKU Portal UID/PIN and a one-time password is required for accessing the HKUVPN service. You can register to use 2FA through the online form-
  2. Staff (except visiting, honorary and hourly-paid staff who can use alternate email address only) can choose to receive the token code either through a registered alternate email address or a Mobile App.

  3. Students and departmental account holders will receive the token code via their registered alternate email address.

  4. Staff who choose to use the Mobile App should follow the procedure at http://www.its.hku.hk/documentation/guide/infosec/2fa/app-token to install it.

  5. Please uninstall any earlier version of Cisco AnyConnect VPN client before you start the following installation.

2. Configuration Procedures (to be done once only)

Note: The following steps are prepared based on Ubuntu 14.04.3 LTS.

  1. Download Cisco AnyConnect (VPN client) from HKU Portal-

    • Log in to HKU Portal (https://hkuportal.hku.hk).
    • Type "vpn" in the search field and click the Download HKUVPN client link in the search results.
    • Download the suitable VPN client from the page.
  2. Obtain superuser rights to run the installation script. For example-

    sudo bash

  3. Unzip the VPN client with the following command-

    tar zxvf anyconnect-<VERSION>-k9.tar.gz

    The files extracted will be saved to a directory named anyconnect-<VERSION> under the current directory.

  4. Go to VPN client directory and type the following command-

    ./vpn_install.sh

  5. You will be prompted to accept the license agreement as shown below-

    Do you accept the terms in the license agreement? [y/n]

    Press "y" and "Enter" key to accept the license agreement.

  6. After installation is completed, you will see-

    Starting Cisco AnyConnect Secure Mobility Client Agent...

    Done!

  7. Install the root CA certificates to complete the setup.

    cp /etc/ssl/certs/* /opt/.cisco/certificates/ca/
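
An added example, not part of the original guide: step 7 is a one-time copy, so later changes to the system CA store (for example a CA removed by a distribution update) do not reach the VPN client's directory. This sketch compares the two directories by content hash; the function names are hypothetical and the default paths are the ones used in step 7.

```shell
#!/bin/sh
# Added example: audit the one-time CA copy made in step 7.
# Function names are hypothetical; default paths are those from step 7.

# Print one "sha256  path" line per regular file in a directory.
# Symlinks are followed, matching what "cp" copied in step 7.
hash_dir() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then
            sha256sum "$f"
        fi
    done
}

# List files in the VPN client's CA directory whose content no longer
# matches any file in the system store (removed or replaced since the copy).
stale_vpn_cas() {
    sys_dir=${1:-/etc/ssl/certs}
    vpn_dir=${2:-/opt/.cisco/certificates/ca}
    sys_hashes=$(hash_dir "$sys_dir" | awk '{print $1}' | sort -u)
    hash_dir "$vpn_dir" | while read -r sum path; do
        printf '%s\n' "$sys_hashes" | grep -Fqx "$sum" || basename "$path"
    done
}

# List system CA files whose content is absent from the VPN client's
# directory (added or replaced since the copy). Same check, directions swapped.
missing_vpn_cas() {
    stale_vpn_cas "${2:-/opt/.cisco/certificates/ca}" "${1:-/etc/ssl/certs}"
}

# Usage after sourcing this file (as root if the VPN directory requires it):
#   stale_vpn_cas      # review these before trusting the VPN client's store
#   missing_vpn_cas    # candidates for re-running the copy in step 7
```

Files reported by stale_vpn_cas are still trusted by the VPN client even though the system store no longer carries them, so they are the ones to review first.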

3. Connection Procedures

3.1 By command line

  1. Start the VPN client with the following command-

    /opt/cisco/anyconnect/bin/vpn connect vpn2fa.hku.hk

  2. Enter your HKU Portal UID and PIN at the Username and Password prompts.

    Username: <your-hku-portal-uid>

    Password: <your-password>

  3. (i) Applicable to staff/students who choose EMAIL TOKEN

    You will receive an email containing the 6-digit email token at your registered alternate email address. The token is valid for 5 minutes after it is sent.


    (ii) Applicable to staff who choose APP TOKEN

    Please retrieve the app token from your mobile device. The token is valid for 1 minute after it is obtained.

    Note: For installation of the mobile app, please refer to http://www.its.hku.hk/documentation/guide/infosec/2fa/app-token.

    On Android devices-
    • Open FortiToken Mobile.
    • Enter your PIN of 4 digits to unlock the app.
    • App token will be retrieved.

    On iOS devices-
    • Open FortiToken.
    • Enter your PIN of 4 digits to unlock the app.
    • App token will be retrieved.

  4. Enter the 6-digit One Time Password at the Answer prompt and press Enter.

    >> Authentication Message

    >> Please enter your token code:

    Answer: <6-digit One Time Password>

  5. When connected, you will see-

    >> notice: Establishing VPN...

    >> state: Connected

    >> notice: Connected to vpn2fa.hku.hk

  6. To disconnect from VPN connection, type the following command-

    /opt/cisco/anyconnect/bin/vpn disconnect

3.2 By GUI client

  1. Start the VPN client by the following command-

    /opt/cisco/anyconnect/bin/vpnui

  2. Type "vpn2fa.hku.hk" in the Connect to field and click Connect.


  3. Enter your HKU Portal UID and PIN in the Username and Password fields respectively and click Connect.


  4. (i) For students and staff who choose to use email token: you will receive an email containing the 6-digit email token at your registered alternate email address. The token is valid for 5 minutes after it is sent.


    (ii) For staff who choose to use app token, please retrieve the app token from your mobile device. The token is valid for 1 minute after it is obtained.

    Note: For installation of the mobile app, please refer to http://www.its.hku.hk/documentation/guide/infosec/2fa/app-token.

    On Android devices-
    • Open FortiToken Mobile.
    • Enter your PIN of 4 digits to unlock the app.
    • App token will be retrieved.

    On iOS devices-
    • Open FortiToken.
    • Enter your PIN of 4 digits to unlock the app.
    • App token will be retrieved.

  5. Enter the 6-digit One Time Password in the Answer box and click Continue.


  6. To disconnect from HKUVPN server, click Disconnect.
