I am unable to connect to a GlobalProtect VPN. I start with the command:

    eval $( ./.local/bin/gp-saml-gui grizzvpn.oakland.edu --allow-insecure-crypto )

A web form requests my username and password and sends me a Duo push. The login succeeds and gives me a cookie to use when connecting. I then enter the command:

    echo $MYCOOKIE | sudo openconnect --protocol=gp --user=$MYUSERNAME --os=linux-64 --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu

The login fails with:

    POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
    Attempting to connect to server 141.210.72.2:443
    Connected to 141.210.72.2:443
    SSL negotiation with grizzvpn.oakland.edu
    Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
    Got HTTP response: HTTP/1.1 200 OK
    Date: Mon, 14 Aug 2023 14:33:26 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 6720
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESSID=83c144c4-908c-4b32-889c-3c81d660f2f6; Path=/; HttpOnly; Secure
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (6720)
    Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
    Prelogin form _login: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
    Enter login credentials
    POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
    Got HTTP response: HTTP/1.1 200 OK
    Date: Mon, 14 Aug 2023 14:33:26 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 11407
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (11407)
    Portal set HIP report interval to 60 minutes).
    1 gateway servers available:
    OU_VPN_Gateway (grizzvpn.oakland.edu)
    Please select GlobalProtect gateway.
    GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
    POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
    Got HTTP response: HTTP/1.1 200 OK
    Date: Mon, 14 Aug 2023 14:33:26 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 69
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESSID=824acd3b-32ae-41a7-b8e8-e59bf37533c6; Path=/; HttpOnly; Secure
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (69)
    Failed to parse server response
    Response was: <html>
    <body>Error: Login fails (invalid session id)</body>
    </html>
    Failed to complete authentication

Can you provide assistance, please?

Thanks!

Anthony Becker | Senior Consultant
Strata Information Group
M 248.563.6987
O 619.296.0170
sigcorp.com | LinkedIn | Twitter

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel