Hi Daniel -

Thank you for the follow-up. My most recent attempt to connect to this VPN was NOT successful. I've included more verbose output in case it will help. I've hidden my cookie and userid values.

First, I downloaded and built the most recent version of openconnect:

    sshuser@oakvpn:~$ /vpn/openconnect-master/openconnect --version
    OpenConnect version v9.12-unknown
    Using GnuTLS 3.7.3. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
    Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
    Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script

Next, I ran gp-saml-gui to collect my credentials. Since I am connecting to a gateway, I tried the gateway option first:

    sshuser@oakvpn:~$ eval $( ./.local/bin/gp-saml-gui --gateway --allow-insecure-crypto --verbose --clientos=Windows grizzvpn.oakland.edu )
    Looking for SAML auth tags in response to https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp...
    usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u]
                       [--clientos {Mac,Windows,Linux}] [-f EXTRA] [--allow-insecure-crypto] [--user-agent USER_AGENT]
                       server [openconnect_extra ...]
    gp-saml-gui: error: Gateway prelogin response does not contain SAML tags (<saml-auth-method> or <saml-request> missing)

    Things to try:
    1) Spoof an officially supported OS (e.g. --clientos=Windows or --clientos=Mac)
    2) Check in browser: https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Windows

That did not work.
Here is what the browser returned from that URL:

    <prelogin-response>
      <status>Success</status>
      <ccusername/>
      <autosubmit>false</autosubmit>
      <msg/>
      <newmsg/>
      <license>yes</license>
      <authentication-message>Enter login credentials</authentication-message>
      <username-label>Username</username-label>
      <password-label>Password</password-label>
      <panos-version>1</panos-version>
      <saml-default-browser>yes</saml-default-browser>
      <auth-api>no</auth-api>
      <region>US</region>
    </prelogin-response>

Then I switched to the portal option:

    sshuser@oakvpn:~$ eval $( ./.local/bin/gp-saml-gui --portal --allow-insecure-crypto --verbose --clientos=Windows grizzvpn.oakland.edu )
    Looking for SAML auth tags in response to https://grizzvpn.oakland.edu/global-protect/prelogin.esp...
    Got SAML POST, opening browser...
    [REQUEST] Request for resource about:blank
    Traceback (most recent call last):
      File "/home/sshuser/.local/lib/python3.10/site-packages/gp_saml_gui.py", line 127, in on_load_changed
        ct = h.get_content_type()
    AttributeError: 'NoneType' object has no attribute 'get_content_type'
    [REQUEST] POST for resource https://sso.oakland.edu/idp/profile/SAML2/POST/SSO
    [REQUEST] GET for resource https://sso.oakland.edu/idp/css/main.css
    [REQUEST] GET for resource https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
    [REQUEST] GET for resource https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js
    [REQUEST] GET for resource https://sso.oakland.edu/idp/images/oulogo.png
    [PAGE ] Finished loading page https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
    [SAML ] No headers in response, searching body for xml comments
    [SAML ] Found comment in response body: ' end container div '
    [SAML ] Found comment in response body: ' end cas-header header '
    [SAML ] Found comment in response body: ' Login form '
    [SAML ] Finished parsing response body for https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
    [REQUEST] POST for resource https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/css/v3/base.css?v=39c22
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/plugin-detect/plugin-detect.min.css?v=01376
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery-prologue.js?v=400dc
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery.min.js?v=ff152
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/js/lib/jquery-postmessage.min.js?v=98c73
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/plugin-detect/plugin-detect.min.js?v=6a394
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/js/page/preauth.js?v=154e6
    [REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery-epilogue.js?v=c4ac5
    [PAGE ] Finished loading page https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
    [SAML ] No headers in response, searching body for xml comments
    [SAML ] Found comment in response body: ' CSS '
    [SAML ] Found comment in response body: ' Javascript '
    [SAML ] Finished parsing response body for https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
    [REQUEST] POST for resource https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
    [PAGE ] Finished loading page https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s2&_eventId_proceed=1
    [SAML ] No headers in response, searching body for xml comments
    [SAML ] Finished parsing response body for https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s2&_eventId_proceed=1
    [REQUEST] POST for resource https://grizzvpn.oakland.edu/SAML20/SP/ACS
    [PAGE ] Finished loading page https://grizzvpn.oakland.edu/SAML20/SP/ACS
    [SAML ] Got SAML result headers: {'prelogin-cookie': '$COOKIE', 'saml-auth-status': '1', 'saml-slo': 'yes', 'saml-username': '$USER'}
    [SAML ] Got all required SAML headers, done.

    IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
    SAML response converted to OpenConnect command line invocation:

        echo $COOKIE | sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu

    SAML response converted to test-globalprotect-login.py invocation:

        test-globalprotect-login.py --user=$USER --clientos=Windows -p '' \
            https://grizzvpn.oakland.edu/global-protect/getconfig.esp prelogin-cookie=$COOKIE

The message about the cookie being for the gateway interface was interesting. I went ahead with the portal invocation:

    sshuser@oakvpn:~$ echo $COOKIE | sudo /vpn/openconnect-master/openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin --verbose grizzvpn.oakland.edu
    POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
    Attempting to connect to server 141.210.72.2:443
    Connected to 141.210.72.2:443
    SSL negotiation with grizzvpn.oakland.edu
    Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
    Got HTTP response: HTTP/1.1 200 OK
    Date: Tue, 22 Aug 2023 14:12:05 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 6720
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESSID=f651bcbf-da14-4fb3-abc5-6a5b490d376f; Path=/; HttpOnly; Secure
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (6720)
    Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
    Enter login credentials
    POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
    Got HTTP response: HTTP/1.1 200 OK
    Date: Tue, 22 Aug 2023 14:12:05 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 11408
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESSID=a647e797-4e98-4e9c-b79b-7c3c3663ba36; Path=/; HttpOnly; Secure
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (11408)
    Portal reports GlobalProtect version 6.1.1-5; we will report the same client version.
    Portal set HIP report interval to 60 minutes).
    1 gateway servers available:
      OU_VPN_Gateway (grizzvpn.oakland.edu)
    Please select GlobalProtect gateway.
    GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
    POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
    Got HTTP response: HTTP/1.1 200 OK
    Date: Tue, 22 Aug 2023 14:12:05 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 69
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Set-Cookie: SESSID=a647e797-4e98-4e9c-b79b-7c3c3663ba36; Path=/; HttpOnly; Secure
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (69)
    Failed to parse non-XML server response
    Response was:
    Error: Login fails (invalid session id)
    Failed to complete authentication

OK, that didn't work.
Since the cookie is no good any more, I ran gp-saml-gui again with the portal option to get a new cookie, and then tried openconnect again with the gateway invocation:

    sshuser@oakvpn:~$ echo $COOKIE | sudo /vpn/openconnect-master/openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin --verbose grizzvpn.oakland.edu
    POST https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
    Attempting to connect to server 141.210.72.2:443
    Connected to 141.210.72.2:443
    SSL negotiation with grizzvpn.oakland.edu
    Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
    Got HTTP response: HTTP/1.1 200 OK
    Date: Tue, 22 Aug 2023 14:21:35 GMT
    Content-Type: application/xml; charset=UTF-8
    Content-Length: 497
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (497)
    Enter login credentials
    POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
    Got HTTP response: HTTP/1.1 200 OK
    Date: Tue, 22 Aug 2023 14:21:35 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 69
    Connection: keep-alive
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=31536000;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
    HTTP body length: (69)
    Failed to parse non-XML server response
    Response was:
    Error: Login fails (invalid session id)
    Failed to complete authentication

I hope that's helpful. Please let me know if you need additional information.

Thanks!
Anthony

On 8/21/23, 5:20 PM, "Daniel Lenski" <dlen...@gmail.com> wrote:

On Thu, Aug 17, 2023 at 11:04 AM Anthony Becker <abec...@sigcorp.com> wrote:
> Hi Daniel –
>
> Here is the openconnect version output:
>
> sshuser@oakvpn:~$ openconnect --version
> OpenConnect version v8.20-1
> Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token,
> HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
> Default vpnc-script (override with --script):
> /usr/share/vpnc-scripts/vpnc-script
>
> Neither “--clientos=Windows” nor “--usergroup=gateway:prelogin-cookie” worked
> for me – I received the same error messages as before.

Got it. Subsequent to the v8.20 release, we've made several small improvements to the GlobalProtect authentication-handling code. In particular, https://gitlab.com/openconnect/openconnect/-/commit/51586b29.
    14:15 $ git log --decorate=no --oneline v8.20..v9.12 auth-globalprotect.c
    https://gitlab.com/openconnect/openconnect/-/commit/bf4338c6 Ignore blank labels sent in GlobalProtect prelogin
    https://gitlab.com/openconnect/openconnect/-/commit/c0d2daea Save GlobalProtect version reported by portal and parrot it back as client version
    https://gitlab.com/openconnect/openconnect/-/commit/27284f83 Prevent crash on unexpected response for GlobalProtect portal prelogin XML
    https://gitlab.com/openconnect/openconnect/-/commit/ce214b87 Expand comment about potentially-useful information in GP portal configuration
    https://gitlab.com/openconnect/openconnect/-/commit/9164e21e Clearer error message when GlobalProtect portal configuration contains no gateways at all
    https://gitlab.com/openconnect/openconnect/-/commit/51586b29 GP: add 'internal=no' flag to the login and configuration requests
    https://gitlab.com/openconnect/openconnect/-/commit/07386df8 No embedded URLs in translatable strings
    https://gitlab.com/openconnect/openconnect/-/commit/c58464a8 Declare C string constants using array syntax
    https://gitlab.com/openconnect/openconnect/-/commit/ff13a983 GP SAML: support legacy workflow
    https://gitlab.com/openconnect/openconnect/-/commit/3d0a3247 GP SAML: handle redirect case
    https://gitlab.com/openconnect/openconnect/-/commit/a287bc00 GP SAML: fix some memory handling
    https://gitlab.com/openconnect/openconnect/-/commit/c4c813ec start adding GP SSO support

There's no guarantee that any of this will make a difference for your issue (as I said before, I haven't seen that exact error message), but I would still recommend building and testing OpenConnect v9.12. Please let us know if you get the same/different results with v9.12.

Daniel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
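The check that decided the gateway-vs-portal outcome in the thread above, as an added example (not code from gp-saml-gui, OpenConnect or either correspondent): parse a GlobalProtect prelogin.esp reply and report whether it offers SAML, i.e. whether both <saml-auth-method> and <saml-request> are present. The gateway reply quoted in the thread is embedded as one sample; the portal sample is constructed and assumes, as gp-saml-gui does, that <saml-request> carries a base64-encoded HTML form (POST) or URL (REDIRECT).

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional


@dataclass
class PreloginInfo:
    status: str
    saml_method: Optional[str]   # "POST" / "REDIRECT" when SAML is offered, else None
    saml_request: Optional[str]  # decoded <saml-request> (HTML form or URL), else None
    default_browser: bool        # <saml-default-browser>yes</saml-default-browser>


def parse_prelogin(xml_text: str) -> PreloginInfo:
    """Parse a prelogin.esp reply; raise ValueError for anything that is not one."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Plain-text bodies such as "Error: Login fails ..." are not prelogin data.
        raise ValueError(f"prelogin response is not XML: {exc}") from exc
    if root.tag != "prelogin-response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    method = (root.findtext("saml-auth-method") or "").strip().upper() or None
    raw = (root.findtext("saml-request") or "").strip()
    request = base64.b64decode(raw).decode("utf-8", "replace") if raw else None
    return PreloginInfo(
        status=(root.findtext("status") or "").strip(),
        saml_method=method,
        saml_request=request,
        default_browser=(root.findtext("saml-default-browser") or "").strip() == "yes",
    )


def offers_saml(info: PreloginInfo) -> bool:
    """Same condition gp-saml-gui enforces: both SAML tags present, method recognised."""
    return info.saml_method in ("POST", "REDIRECT") and info.saml_request is not None


# Sample 1: the gateway prelogin reply quoted in the thread (no SAML tags at all).
GATEWAY_XML = """<prelogin-response><status>Success</status><ccusername/>
<autosubmit>false</autosubmit><msg/><newmsg/><license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label><password-label>Password</password-label>
<panos-version>1</panos-version><saml-default-browser>yes</saml-default-browser>
<auth-api>no</auth-api><region>US</region></prelogin-response>"""

# Sample 2: constructed portal reply offering SAML POST; the form and IdP URL are placeholders.
_FORM = b'<html><body><form method="POST" action="https://idp.example/sso"></form></body></html>'
PORTAL_XML = ("<prelogin-response><status>Success</status>"
              "<saml-auth-method>POST</saml-auth-method>"
              f"<saml-request>{base64.b64encode(_FORM).decode()}</saml-request>"
              "<saml-default-browser>yes</saml-default-browser></prelogin-response>")
```

Running `parse_prelogin` on both samples reproduces the thread's split: the gateway reply parses cleanly but `offers_saml` is False, while the portal reply yields a POST form to hand to a browser.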