HOWTO: OpenConnect VPN with DUO Multifactor Authentication

Yale, like many universities, has recently introduced multifactor (two-factor) authentication. This is enabled for use with all remote VPN access. Yale only officially supports Cisco’s AnyConnect client (http://its.yale.edu/how-to/article-mfa-instructions-logging-vpn-multifactor-authentication).

Fortunately, MFA still works with libopenconnect, so the VPN can be easily accessed through the GNOME or KDE network-manager clients without using Cisco AnyConnect. There’s only one complication: on attempting to connect to the VPN server, you will see a prompt with two password fields:

[Screenshot: VPN login prompt with two password fields]

You need to type your own password into the first password field. Then type your preferred multifactor authentication method (“push”, “PIN”, “phone”, or “sms”) into the second password field. I have only tested “push” and it works perfectly with the DUO app on my phone (which I already set up from the webclient).
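The same two-field login can be driven from the `openconnect` command line. The following is an added example, not part of the original post: `vpn_connect`, `duo_answers`, and the host and user arguments are hypothetical names, and it assumes `openconnect --passwd-on-stdin` answers the two password fields from successive lines of standard input.

```shell
# Added example (not from the original post). Host and user are supplied by
# the caller, e.g.:  vpn_connect vpn.example.edu mynetid push

# Build the two answers openconnect reads, one per line:
# line 1 -> first password field, line 2 -> second field (the MFA method).
duo_answers() (
    password=$1 method=$2
    nl='
'
    case $method in
        push|PIN|phone|sms) ;;   # the four methods the post lists (only push was tested there)
        *) echo "unknown method: $method" >&2; exit 1 ;;
    esac
    [ -n "$password" ] || { echo "empty password" >&2; exit 1; }
    # An embedded newline would shift the password into the method field.
    case $password in
        *"$nl"*) echo "password contains a newline" >&2; exit 1 ;;
    esac
    printf '%s\n%s\n' "$password" "$method"
)

vpn_connect() (
    host=$1 user=$2 method=${3:-push}
    # Read the password without echo; keeping it out of argv keeps it out of
    # the process list and shell history.
    trap 'stty echo' EXIT INT TERM
    printf 'Password for %s: ' "$user" >&2
    stty -echo; IFS= read -r password; stty echo; echo >&2
    answers=$(duo_answers "$password" "$method") || exit 1
    printf '%s\n' "$answers" |
        sudo openconnect --user="$user" --passwd-on-stdin "$host"
)
```

With `push`, the connection stays pending until the request is approved in the DUO app, just as with the network-manager prompt.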

Hope this helps someone! Please feel free to post questions and I will try to answer them in the comments.

4 thoughts on “HOWTO: OpenConnect VPN with DUO Multifactor Authentication”

  1. My university just recently informed us of this, and I got my e-mail to enroll yesterday. I enrolled last night from home and tried to connect from my Ubuntu 16.04 machine but could never get it to connect. When I used “push”, I would get the request on my phone, and I approved/confirmed, but the connection never appeared to go through. By “appeared to go through”, I mean that the up and down arrows that represent my internet connection never got the padlock on top of them, and I never saw the message that the VPN connection had been successfully established. I saw both of these with our old hard-token two-factor authentication. The same thing happened whenever I used a Duo passcode or one of the 10 passcodes I received in an SMS.

    1. That’s a weird error! I haven’t seen a problem like that with our system. Probably better to contact IT and see what they say.
