1. Prerequisite
- MFA authentication (MFA) is required for accessing the HKUVPN service.
- Only the Microsoft Authenticator App or SMS (Phone Text) are supported as sign-in methods for logging into the HKUVPN service. The phone call method is NOT compatible with HKU VPN. Please refer to the appendix for instructions on changing your default sign-in method to a supported option.
- Remove any existing VPN client before installation:
- If you have an earlier version of Cisco AnyConnect or Cisco Secure Client installed, uninstall it first.
- If a script-based installation was previously used, remove it with the following command:
sudo sh /opt/cisco/secureclient/bin/vpn_uninstall.sh
2. Configuration Procedures (to be done once only)
The following steps are illustrated using Ubuntu 24.04.
- Download the VPN client for Linux, ensuring that you select the correct package type for your system.
- Open a terminal window and navigate to the download folder
- Install the VPN client
- For DEB-based systems (Ubuntu/Debian):
sudo dpkg -i ./cisco-secure-client-vpn_<version>.deb
- For DEB-based systems (Ubuntu/Debian):
- For RPM-based systems (RHEL/CentOS/AlmaLinux/Rocky):
sudo rpm -i ./cisco-secure-client-vpn_<version>.rpm
- For RPM-based systems (RHEL/CentOS/AlmaLinux/Rocky):
- After installation, the client will be installed at /opt/cisco/secureclient/
3. Connection Procedures
3.1 By command line
- Start the VPN client by following command-
/opt/cisco/secureclient/bin/vpn connect vpn2fa.hku.hk - Enter your HKU email address (UID@hku.hk or UID@connect.hku.hk) and PIN when you see the username and password command line.
- (i) For users who choose Microsoft Authenticator App as the default sign-in method (The most common method):
- Open the Microsoft Authenticator app on your mobile device.
- Retrieve the One-time password (OTP).
(ii) For users who choose SMS (Phone Text) as the default sign-in method: - You will receive an SMS containing the One-time password (OTP) on your registered phone number.
- The OTP is valid for 3 minutes from the time it is sent. Retrieve the OTP from the SMS.
- Enter the 6-digit One Time Password (OTP) in the Answer command line and press Enter.
- When connected, you will see-
- To disconnect from VPN connection, type the following command-
| Username: Password: |
| >> Authentication Message >> Please enter your token code: Answer: <6-digit One Time Password> |
| >> notice: Establishing VPN… >> state: Connected |
| /opt/cisco/secureclient/bin/vpn disconnect |
3.2 By GUI client
- Start the VPN client by the following command-
- Type “vpn2fa.hku.hk” in the Connect to field and click Connect.
- Enter your HKU email address (UID@hku.hk or UID@connect.hku.hk) and PIN in the Username and Password fields respectively and click Connect.
- (i) For users who choose Microsoft Authenticator App as the default sign-in method (The most common method):
- Open the Microsoft Authenticator app on your mobile device.
- Retrieve the One-time password (OTP).
- You will receive an SMS containing the One-time password (OTP) on your registered phone number.
- The OTP is valid for 3 minutes from the time it is sent. Retrieve the OTP from the SMS.
- Enter the 6-digit One Time Password (OTP) in the Answer box and click Continue.
- To disconnect from HKUVPN server, click Disconnect.
| /opt/cisco/secureclient/bin/vpnui |
Appendix: (Optional Step) Updating the Default Sign-in Method in MFA
- Visit your Microsoft 365 account settings at https://myaccount.microsoft.com/
- Sign in using your HKU credentials.
- Go to the “Security info” section.
- Set “App-based authentication – Notification” as your default sign-in method under the section titled “You’re using the most advisable sign-in method where it applies.”
