This site requires JavaScript to be enabled



3.0 - Updated on 2020-09-04 by Andrey Bobyshev

2.0 - Updated on 2020-06-26 by Geoffrey Cluts

1.0 - Authored on 2019-05-02 by Rich Eckert

Intended for:

All Fermilab employees, contractors and users


Scenario/Use case:

Connect to VPN using an RSA token (hard or soft) or a YubiKey


Before you begin:

If you do not have a Fermilab-managed computer, you must be running a supported operating system (see the list of "allowed" operating systems at Fermilab's Cybersecurity's End of Life Bulletin page) and install and configure security certificates on every device (phone, tablet, laptop) on which you use for VPN before proceeding. Follow the instructions to install and configure the certificates here.  



How to connect to VPN with an RSA token

  1. Launch the Cisco AnyConnect Secure Mobility VPN Client. (See instructions on how to install software on a Fermi Owned Windows or Fermi Owned Mac Self Service.  For non-Fermi managed machines please refer to the KB0560 knowledge  article).

  2. Select Fermilab VPN and click Connect:
    1. If you installed Cisco AnyConnect on your personal machine you may see the VPN section blank when you first launch Cisco AnyConnect. If so please enter "" into the address bar. After connecting once the address will be saved as "FermilabVPN" as you can seen in the screenshot below.

  3. Select Group: SiteVPN-RSA:

  4. Next to "Username," type your Fermilab username.

  5. Next to "Password," type your SERVICES password.

  6. Next to "Second Password," type your PIN (see instructions for setting up your RSA token PIN), followed by RSA token code with no spaces in between. If you have an Android phone you may have to use a different method described below.

    1. If you have an Android phone you may have an alternative Second Password. Open the RSA app on your phone. If it does not show your token code and instead has a field that you can type into enter in your pin number and hit the arrow. This will then produce your 6 digit Token Code. That 6 digit number is your Second Password.

  7. Click OK:

  8. Click Accept on the Cisco AnyConnect banner:

  9. You will now be connected to the VPN system.


How to Connect to VPN with a YubiKey:

  1. Connect your Yubikey to the computer and wait for confirmation that it is configured.

  2. Launch the Cisco AnyConnect VPN client.

  3. Select Fermilab VPN and click Connect:

  4. Select Group: SiteVPN-YubiKey-Cert:

  5. Enter your Yubikey PIN. (See article for resetting your PIN)

  6. Click OK.

  7. Enter your SERVICES account username and password.

  8. Click OK:

  9. Click Accept on the Cisco AnyConnect banner:

  10. You will now be connected to VPN.

    NOTE:  In some cases, if you remove the Yubikey from your computer, it will disconnect you from VPN and you will have to reconnect.

 If there are any questions or issues, please contact the Service Desk.

See Also:

Getting connected to the Fermilab network
How to set up a PIN for your new RSA token
How to reset or change your PIN on an RSA token
How to reset your PIN on a YubiKey


Attachments 1. VPN Login.JPG2. RSA Login.JPG3. Yubikey Login.JPG4. Yubikey - PIN.JPG5. Yubikey - Services Login.JPG6. VPN - Accept.JPG