GlobalProtect gateway authorization fails

Mon, 21 Jun 2021 10:22:07 -0700 

On Gentoo Linux:

$ gp-saml-gui --portal -S --clientos=Windows <my-vpn>

produces

...
[SAML   ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but
received a cookie that's often associated with the gateway interface.
You should probably try both.

SAML response converted to OpenConnect command line invocation:

    echo <cookie> |
        sudo openconnect --protocol=gp '--user=<user>' --os=win
--usergroup=portal:prelogin-cookie --passwd-on-stdin <my-vpn>
...
Portal set HIP report interval to 60 minutes).
8 gateway servers available:
  US Southwest (us-southwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Northwest (us-northwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US West (us-west-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Southeast (us-southeast-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US East (us-east-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US South (us-south-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Northeast (us-northeast-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Central (us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
GATEWAY: [US Southwest|US Northwest|US West|US Southeast|US East|US
South|US Northeast|US Central]:fgets (stdin): Resource temporarily
unavailable

$ gp-saml-gui --portal -S --clientos=Windows <my-vpn> --
--authgroup='US Central'

produces

...
Connected to HTTPS on <my-vpn> with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
POST https://<my-vpn>/global-protect/getconfig.esp
Portal set HIP report interval to 60 minutes).
8 gateway servers available:
  US Southwest (us-southwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Northwest (us-northwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US West (us-west-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Southeast (us-southeast-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US East (us-east-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US South (us-south-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Northeast (us-northeast-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
  US Central (us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
POST 
https://us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to <ip>
SSL negotiation with us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com
Connected to HTTPS on
us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com with
ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
prelogin-cookie:
fgets (stdin): Inappropriate ioctl for device

Any hints on getting openconnect to work with <my-vpn> will be
gratefully received.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Reply via email to