On Tue, Dec 14, 2021 at 1:47 PM Dev Faye <dev.laminef...@gmail.com> wrote:
> I'm not a programmer at all? Though, it's been nearly 1 week I'm going
> back and forth, trying to get at least one VPN client working on my
> virtual machine. I've tried built-in VPN, CheckPointCapsule,
> GlobalProtectUWP, GlobalProtect MacOS client, no success. Plus, I
> didn't succeed deploying gp-saml-gui, due to repetitive python
> dependencies I couldn't solve :(
I assume you're the same person who started this thread, asking for help getting gp-saml-gui working?
https://gitlab.com/openconnect/openconnect/-/issues/53#note_766233185

> Now back to OpenConnect.

Exactly what are you trying to do or illustrate here? I *think* that what you are doing is trying to "manually" follow the SAML login behavior since you can't use gp-saml-gui to automate it…

1. Use `openconnect` to fetch the SAML login URL
2. Open that URL in a browser
3. Follow the auth forms, and inspect their source, until you get either a 'prelogin-cookie' or a 'portal-userauthcookie' (https://github.com/dlenski/gp-saml-gui/blob/master/gp_saml_gui.py#L131) from the server
4. Plug that cookie back into OpenConnect to finish the login

So… *is* that what you're trying to do? I can't be sure.

Assuming that *is* what you're trying to do, your last command is the closest to correct. You can tell that because it gets further than all the preceding ones. It's the only one that doesn't "fail to complete authentication." Instead it fails like this:

> C:\Program Files\OpenConnect>openconnect --protocol=gp --usergroup=gateway:prelogin-cookie --user=91000318@CORP --os=windows --passwd-on-stdin --cookie-on-stdin -vvv --verbose
> …
> POST https://fr.ras.biomerieux.com/ssl-vpn/getconfig.esp
> …
> Response was: errors getting SSL/VPN config

The reason this one is failing is because it doesn't like something about the client parameters. Usually, specifying the wrong OS is the culprit. GlobalProtect servers are maddeningly stupid, inconsistent, and vague about reporting this (https://gitlab.com/openconnect/openconnect/-/commit/e2f574a5f5f06a2364ff65f7a13721f79bf4beef for more examples), so it's very hard to give an error message that clearly identifies the root cause.

What you've specified, `--os=windows`, is not a value that OpenConnect understands; per the manual (https://www.infradead.org/openconnect/manual.html), `--os=win` is the legal value. Does that work?
We should improve OpenConnect by giving the user an error message if an illegal value is specified for `--os=...`, to make it easier to detect this problem. Changes to do this: https://gitlab.com/openconnect/openconnect/-/merge_requests/310

-Dan

>
> Now back to OpenConnect.
>
> Platform : Windows11 on ARM, hosted on a ParallelsDesktop17 VM
> installed on MacOS 12.1 on ARM
> OpenConnect version v8.10-727-gbd6a7e71
> My company authentication requires SAML with 2FA.
>
> =============================================__________________=_____________________=============================================
> first
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=portal --user=91000318@CORP --os=windows --passwd-on-stdin
> portal.ras.biomerieux.com
> ||myPassword||
> POST
> https://portal.ras.biomerieux.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
> Connected to 193.240.245.231:443
> SSL negotiation with portal.ras.biomerieux.com
> Connected to HTTPS on portal.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> SAML REDIRECT authentication is required via
> https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFPT8MwDMW%2FSpX7mjRtmbDWSmU7MGmIai0cuKCsNSxSm5Q4Rfv4dBuIP4dJHC0%2FPz%2F%2FvCDVdwMUo9%2BbLb6NSD449J0hODUyNjoDVpEmMKpHAt9AVdxtQIYCBme9bWzHgoIIndfWLK2hsUdXoXvXDT5sNxnbez8QcD5Y51UXOkXhTttJpHE8hI3tIUlifnSVglclL5YVC1ZTEm3U0fPbQU0x%2F8xy1b4Q74izYL3K2HNyJVGKWCQtYpymSmEaqyaOcNe08%2FhaTjKiEdeGvDI%2BY1LIaBbJWZTUUkAyB5E%2BsaD8vOxGm1ab18sYdmcRwW1dl7PyvqpZ8IiOTtEnAcsXR5hwWux%2B4L1sq76YsvyfBBf8x778XP3%2Bcf4B&RelayState=dBNlABd8MWBhYWNjYWQxMDNkZDA5MDFlOTc0NjE5NDQ1NGM0NmIwNg%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=Tie5OOdnOBxSW5ROLcA0hoxrjDf2%2FPYMgFiuTP1cGZWrCistZ9LiuJsmjIWZmv74VF%2F38wJN7Z8q6JO3GMP%2Fpu4lR360HQMh6liR06mepWvWacktgtbEiDF5F6OlE7icedJDdgemJ1LuuAS7pxSS1oHz1dXS6tI%2B4EAb0Bc24iyCZRIbse5jwmljZcp9MnDzJv86ibtI%2FSl%2B7bYaG94Vc53syLsexQj%2FDZ%2F9tV8ZFJz5j1gleVQlsHUm2YwKF3Nxkfv%2BCLrn128nQC%2B17WBloQmEcftY3szjbCEVv5z9qFwQhrHT6hB7d4Y%2Fu5fq9G4VMKSuDV0AJHC%2B5aAJmGvg2A%3D%3D
> When SAML authentication is complete, specify destination form field
> by appending :field_name to login URL.
> Failed to complete authentication
>
> then
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=portal:prelogin-cookie --user=91000318@CORP --os=windows
> --passwd-on-stdin --cookie-on-stdin portal.ras.biomerieux.com
> ||myPassword||
> uRCVTTz/E/kAGrw9y+PGRapC0o0RvSww2n957aU8ysipJ1JasFhJ2CChMlupz/u/
> POST https://portal.ras.biomerieux.com/ssl-vpn/getconfig.esp
> Connected to 193.240.245.231:443
> SSL negotiation with portal.ras.biomerieux.com
> Connected to HTTPS on portal.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> Failed to parse server response
> Creating SSL connection failed
> Cookie was rejected by server; exiting.
>
>
> =============================================__________________=_____________________=============================================
>
> Now trying directly with gateway, as supposed after reading this
> exchange : https://github.com/dlenski/openconnect/issues/109 and
> https://githubmemory.com/repo/dlenski/gp-saml-gui/issues/6?page=2
>
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=gateway --user=91000318@CORP --os=windows
> --passwd-on-stdin -vvv --verbose fr.ras.biomerieux.com
> ||myPassword||
> POST
> https://fr.ras.biomerieux.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
> Attempting to connect to server 193.240.245.231:443
> Connected to 193.240.245.231:443
> SSL negotiation with fr.ras.biomerieux.com
> Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Tue, 14 Dec 2021 21:09:35 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 1898
> Connection: keep-alive
> ETag: "174a5f6b6d78"
> Pragma: no-cache
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> X-FRAME-OPTIONS: DENY
> Set-Cookie: CLIENTOS=V2luZG93cw%3D%3D; expires=Wed, 15-Dec-2021
> 21:09:35 GMT; path=/
> Set-Cookie: PHPSESSID=0880871e81c6441ef81e572003f3ea5f; secure; HttpOnly
> ||several other similar lines||
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block;
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self'
> 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length: (1898)
> SAML REDIRECT authentication is required via
> https://auth.biomerieux.com/adfs/ls/?SAMLRequest=lZFBT8MwDIX%2FSpX7mibtGLPWSmU7MGmIai0cuKAsyVikNhlxivbz6TYQg8Mkjpafn58%2Fz1B07R7KPuzsWr%2F3GkN06FqLcGrkpPcWnECDYEWnEYKEunxYAY8T2HsXnHQtiUpE7YNxdu4s9p32tfYfRuqn9SonuxD2CJRufewFxhvjBoHR%2FSGWroMsS%2BnRkSe0rmg5r0m0GFIYK45%2BP9NiiPhnlgq1RdoiJdFykZNXxcVGZVLcbseKT3Si5YTJKVPpDctSriaDDLHXS4tB2JATnnA2YnzEsoYzSKaQjl9IVH1ddWesMvbtOoLNWYRw3zTVqHqsGxI9a4%2Bn6IOAFLMjSDgt9hdor9uKb56k%2BAe9Gb3YVZyr378tPgE%3D&RelayState=cRRlABd8MWAwODgwODcxZTgxYzY0NDFlZjgxZTU3MjAwM2YzZWE1Zg%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=n6V76Z64gATvQVZZxV%2F0NERv488lrth7AKv7S3j8Pv4K8SVn3rEch5ScYG3sVjfB8FGrIEFlB2QPjNuU9KJ3Xs4MPOgAW3pU8b11xulAUgMyNZ4n4M3GY5b%2BvBGPesNYiDU57sgO5oC0aDNxWnEYg9KT3ocGRr0EURbIv%2BcxFWi6J%2FGca3CM1%2F7jwWTd4%2FLLvxYDjj0tXYnLJD9ysxphKCp0swBibwchUinnHtqTtFskdPnaHRyMBHeAovypgYpKOGars8ZK6pruaCS8ZpWQyF1S2TLh8usimgF2BebFRkqHaSfZ0ct8mqH39BgRtvxBsdPJpwIbO9tbF7HcUXu0Sg%3D%3D
> When SAML authentication is complete, specify destination form field
> by appending :field_name to login URL.
> Failed to complete authentication
>
> then
> C:\Program Files\OpenConnect>openconnect --protocol=gp
> --usergroup=gateway:prelogin-cookie --user=91000318@CORP --os=windows
> --passwd-on-stdin --cookie-on-stdin -vvv --verbose
> fr.ras.biomerieux.com
> ||myPassword||
> hFhPAtkWmmGu8YSvsQnhAxTK40U+GlqcfpYpc5tO+ZyHI44JyQXwIgn4/IANiHiy
> POST https://fr.ras.biomerieux.com/ssl-vpn/getconfig.esp
> Attempting to connect to server 193.240.245.231:443
> Connected to 193.240.245.231:443
> SSL negotiation with fr.ras.biomerieux.com
> Connected to HTTPS on fr.ras.biomerieux.com with ciphersuite
> (TLS1.2)-(RSA)-(AES-256-GCM)
> Got HTTP response: HTTP/1.1 200 OK
> Date: Tue, 14 Dec 2021 21:12:06 GMT
> Content-Type: application/xml; charset=UTF-8
> Content-Length: 29
> Connection: keep-alive
> ETag: "1f35f6b6d78"
> Pragma: no-cache
> Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
> Expires: Thu, 19 Nov 1981 08:52:00 GMT
> X-FRAME-OPTIONS: DENY
> Set-Cookie: PHPSESSID=e054287b91c458b54033807b5fc44177; secure; HttpOnly
> Strict-Transport-Security: max-age=31536000;
> X-XSS-Protection: 1; mode=block;
> X-Content-Type-Options: nosniff
> Content-Security-Policy: default-src 'self'; script-src 'self'
> 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
> HTTP body length: (29)
> Failed to parse server response
> Response was: errors getting SSL/VPN config
> Creating SSL connection failed
> Cookie was rejected by server; exiting.
>
> =============================================__________________=_____________________=============================================
>
> I'm once again stuck without any lead to move forward. Discussions
> seen on forums do seem to help parsing the server response.
>
> Any help or suggestion you may have ?
>
> Thanks !
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
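An added example, not code from OpenConnect, gp-saml-gui or anyone in this thread: a small Python helper that follows Dan's four steps above and his point about `--os`. The `prelogin-response` XML layout, the assumption that the cookie may also sit in an `<input>`/`<meta>` element of the IdP's final HTML page, and the sample response are all constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Legal --os values per the OpenConnect manual ("windows" is not one of them).
LEGAL_OS = ("linux", "linux-64", "win", "mac-intel", "android", "apple-ios")
# Cookie field names OpenConnect accepts after the colon in --usergroup.
COOKIE_NAMES = ("prelogin-cookie", "portal-userauthcookie")

# Constructed sample of a GlobalProtect prelogin.esp response (step 1); for
# saml-auth-method REDIRECT, saml-request holds the base64-encoded login URL.
SAMPLE_PRELOGIN = b"""<prelogin-response>
  <status>Success</status>
  <saml-auth-method>REDIRECT</saml-auth-method>
  <saml-request>%s</saml-request>
</prelogin-response>""" % base64.b64encode(
    b"https://idp.example.invalid/adfs/ls/?SAMLRequest=CONSTRUCTED")

def check_os(value: str) -> str:
    """Refuse an --os value the client would not understand (the MR 310 idea)."""
    if value not in LEGAL_OS:
        raise ValueError(f"illegal --os={value}; legal: {', '.join(LEGAL_OS)}")
    return value

def saml_login_url(prelogin_xml: bytes) -> str:
    """Step 1: pull the SAML REDIRECT URL out of the prelogin.esp response."""
    root = ET.fromstring(prelogin_xml)
    if root.findtext("status") != "Success":
        raise ValueError(f"prelogin failed: {root.findtext('msg')}")
    method = root.findtext("saml-auth-method")
    if method != "REDIRECT":
        raise ValueError(f"unhandled saml-auth-method {method!r}")
    return base64.b64decode(root.findtext("saml-request") or "").decode()

def find_gp_cookie(headers: dict, body: str):
    """Step 3: look for the cookie in the final IdP response's headers, then
    (assumed layout) in an <input>/<meta> element of its HTML body."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in COOKIE_NAMES:
        if name in lowered:
            return name, lowered[name]
    for name in COOKIE_NAMES:
        m = re.search(r'name="%s"[^>]*?(?:value|content)="([^"]+)"' % name, body)
        if m:
            return name, m.group(1)
    return None  # no cookie yet: keep following the auth forms

def usergroup_for(cookie_name: str, gateway: bool = True) -> str:
    """Step 4: the cookie's field name becomes the :suffix of --usergroup."""
    return ("gateway:" if gateway else "portal:") + cookie_name
```

The value returned by `find_gp_cookie` is what goes on stdin with `--cookie-on-stdin`, and `usergroup_for` gives the matching `--usergroup=` argument.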