Setup Procedures for HKUVPN with Multi-Factor Authentication (MFA) for Linux

1. Prerequisite

  1. Multi-Factor Authentication (MFA) is required for accessing the HKUVPN service.
  2. Only the Microsoft Authenticator App or SMS (Phone Text) are supported as sign-in methods for logging into the HKUVPN service. The phone call method is NOT compatible with HKU VPN. Please refer to the appendix for instructions on changing your default sign-in method to a supported option.
  3. Please uninstall any earlier version of Cisco AnyConnect VPN or Cisco Secure Client from your PC before you start the following installation.

2. Configuration Procedures (to be done once only)

The following steps are illustrated using Ubuntu 23.04.
  1. Download the VPN client for Linux from here.
  2. Obtain superuser rights to run the installation script. For example:
       sudo bash
  3. Unzip the VPN client with the following command:
       tar zxvf cisco-secure-client-linux64-*.tar.gz
     The files extracted will be saved in a directory with a name that begins with “cisco-secure-client-linux64-” under the current directory.
  4. Go to the VPN client directory named “cisco-secure-client-linux64-*/vpn/” and enter the following command:
       ./vpn_install.sh
  5. You will be prompted to accept the license agreement as shown below:
       Do you accept the terms in the license agreement? [y/n]
  6. Press “y” and the “Enter” key to accept the license agreement.
  7. After installation is completed, you will see:
       Starting Cisco Secure Client Agent…
       Done!
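
Because the archive is unpacked and its installer run with superuser rights, it is worth listing the archive's contents before extracting it. The script below is an added example, not part of the original HKU instructions: it checks that every member stays inside a single “cisco-secure-client-linux64-*” directory and that vpn/vpn_install.sh is present. The function names and the script name check_client.sh are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original instructions): inspect the client
# archive before it is unpacked and installed with superuser rights.

# check_member_list: reads archive member names on stdin, one per line.
# Passes only if every name is relative, has no ".." component, sits under a
# single top-level directory named cisco-secure-client-linux64-*, and the
# list contains <top>/vpn/vpn_install.sh. Prints <top> on success.
check_member_list() {
    cml_top=""
    cml_installer=no
    while IFS= read -r cml_member; do
        case $cml_member in
            /*|..|../*|*/..|*/../*)
                echo "unsafe member path: $cml_member" >&2; return 1 ;;
        esac
        cml_first=${cml_member%%/*}
        case $cml_first in
            cisco-secure-client-linux64-*) ;;
            *) echo "unexpected top-level entry: $cml_member" >&2; return 1 ;;
        esac
        if [ -z "$cml_top" ]; then cml_top=$cml_first; fi
        if [ "$cml_first" != "$cml_top" ]; then
            echo "more than one top-level directory" >&2; return 1
        fi
        if [ "$cml_member" = "$cml_top/vpn/vpn_install.sh" ]; then
            cml_installer=yes
        fi
    done
    if [ "$cml_installer" != yes ]; then
        echo "vpn/vpn_install.sh not found in archive" >&2; return 1
    fi
    printf '%s\n' "$cml_top"
}

# check_archive FILE: list FILE without extracting it and run the checks above.
check_archive() {
    cml_list=$(tar -tzf "$1") || { echo "cannot list $1" >&2; return 2; }
    printf '%s\n' "$cml_list" | check_member_list
}

# Run against a file only when one is given, e.g.
#   ./check_client.sh cisco-secure-client-linux64-*.tar.gz
if [ "$#" -gt 0 ]; then
    check_archive "$1"
fi
```

A zero exit status and the printed directory name mean the listing passed; any other result is a reason to download the client again before running the installer.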

3. Connection Procedures

3.1 By command line

  1. Start the VPN client with the following command:
       /opt/cisco/secureclient/bin/vpn connect vpn2fa.hku.hk
  2. Enter your HKU email address (UID@hku.hk or UID@connect.hku.hk) and PIN when you see the Username and Password prompts:
       Username:
       Password:
  3. (i) For users who choose Microsoft Authenticator App as the default sign-in method (the most common method):
    • Open the Microsoft Authenticator app on your mobile device.
    • Retrieve the One-time password (OTP).
    (ii) For users who choose SMS (Phone Text) as the default sign-in method:
    • You will receive an SMS containing the One-time password (OTP) on your registered phone number.
    • The OTP is valid for 3 minutes from the time it is sent. Retrieve the OTP from the SMS.
  4. Enter the 6-digit One Time Password (OTP) at the Answer prompt and press Enter:
       >> Authentication Message
       >> Please enter your token code:
       Answer: <6-digit One Time Password>
  5. When connected, you will see:
       >> notice: Establishing VPN…
       >> state: Connected
  6. To disconnect from the VPN connection, type the following command:
       /opt/cisco/secureclient/bin/vpn disconnect

3.2 By GUI client

  1. Start the VPN client with the following command:
       /opt/cisco/secureclient/bin/vpnui
  2. Type “vpn2fa.hku.hk” in the Connect to field and click Connect.
  3. Enter your HKU email address (UID@hku.hk or UID@connect.hku.hk) and PIN in the Username and Password fields respectively and click Connect.
  4. (i) For users who choose Microsoft Authenticator App as the default sign-in method (the most common method):
    • Open the Microsoft Authenticator app on your mobile device.
    • Retrieve the One-time password (OTP).
    (ii) For users who choose SMS (Phone Text) as the default sign-in method:
    • You will receive an SMS containing the One-time password (OTP) on your registered phone number.
    • The OTP is valid for 3 minutes from the time it is sent. Retrieve the OTP from the SMS.
  5. Enter the 6-digit One Time Password (OTP) in the Answer box and click Continue.
  6. To disconnect from the HKUVPN server, click Disconnect.

Appendix: (Optional Step) Updating the Default Sign-in Method in MFA

  1. Visit your Microsoft 365 account settings at https://myaccount.microsoft.com/
  2. Sign in using your HKU credentials.
  3. Go to the “Security info” section.
  4. Set “App-based authentication – Notification” as your default sign-in method under the section titled “You’re using the most advisable sign-in method where it applies.”