VPN with MFA «passwordless»

See also this project: https://github.com/matteocorti/vpn_eth

In both cases (macOS or Linux), extend your PATH as follow:

[ ! -d ~/bin ] && mkdir ~/bin
export PATH=" $H O M E / b i n :$ {PATH}"

and also add the export command in you shell configuration (ex. ~/.zsh, ~/.bash_profile, ~/.bashrc).

Setup for macOS with Cisco Secure Client

Step 1

Install the oathtool tool, needed to generate the OTP code from command line:

# with MacPorts
sudo port install oath-toolkit

# with Homebrew (not yet tested)
brew install oath-toolkit

# from Source
curl -s -L -O https://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6.11.tar.gz
tar xf oath-toolkit-2.6.11.tar.gz
cd oath-toolkit-2.6.11
./configure
make
cp -a oathtool/{oathtool,.libs} ~/bin

Step 2

Save your VPN Password to your Keychain Access as follow:

U="your_username"
security add-generic-password -a  $U - s e t h v p n - l " E T H V P N p a s s w o r d f o r$ U" -U -w

==> Enter your ETH WiFi/VPN password

Step 3

Save your OTP Secret (see below About the «OTP Secret») to your Keychain Access as follow:

U="your_username"
security add-generic-password -a  $U - s e t h o t p - l " E T H O T P s e c r e t f o r$ U" -U -w

==> Enter your ETH OTP secret

Step 4

Create a script called vpn in your ~/bin like this:

#! /bin/bash

USER="your_username"; # <--- change this with your ETH username

VPN_SERVER="sslvpn.ethz.ch";
VPZ_NAME="math-guest";
REALM="math-guest";
VPN_PASSWORD=" $(s e c u r i t y f i n d - g e n e r i c - p a s s w o r d - a$ USER -s ethvpn -w)";
OTP_SECRET=" $(s e c u r i t y f i n d - g e n e r i c - p a s s w o r d - a$ USER -s ethotp -w)";
OTP_CODE=" $(o a t h t o o l - - t o t p = s h a 1 - - t i m e - s t e p - s i z e = 30 - b "$ {OTP_SECRET}")";
VPN="/opt/cisco/secureclient/bin/vpn"

case  $1 i n c) i f$ {VPN} -s status | grep -q Disconnected; then
            echo -e " $U S E R @$ {REALM}.ethz.ch\n $V P N_{P} A S S W O R D \n$ {OTP_CODE}\n" |  $V P N - s c o n n e c t h t t p s : / /$ {VPN_SERVER}/ $V P Z_{N} A M E; o p e n - a " C i s c o S e c u r e C l i e n t "; e l s e e c h o " => a l r e a d y c o n n e c t e d "; f i;; d) i f$ {VPN} status | grep -q Connected; then
             $V P N d i s c o n n e c t; e l s e e c h o " => a l r e a d y d i s c o n n e c t e d f r o m "; f i;; i)$ {VPN} status;;
    *)
        echo;
        echo "  Usage: <c|d|i>";
        echo "  c : connect";
        echo "  d : disconnect";
        echo "  i : info";
        echo;
        exit;
esac;

and set the correct permissions:

chmod 700 ~/bin/vpn

Setup for Linux with OpenConnect

I'm working on it...

Usage

Start VPN:

vpn c

Stop VPN:

vpn d

Check if VPN is running or not:

vpn i

About the «OTP Secret»

You get your OTP Secret when you register the first time for MFA (Multi-Factor-Authentication) as shown in the following screenshot: