Re: Openconnect - Palo Alto - Okta SSO / MFA
After digging around, I THINK it's a part of this? https://github.com/arthepsy/pan-globalprotect-okta/

I downloaded it, added the TOTP of that moment, removed pw to prompt me instead of conf, and I get the below from debug = 1. My "guess": if this worked, it's to be used against the command I sent prior and piped into the openconnect cmd?

---
# status: MFA_REQUIRED
---
err: no factor url found

From: Daniel Lenski <dlen...@gmail.com>
Sent: Friday, April 13, 2018 2:23 AM
To: Luis l
Cc: David Woodhouse; openconnect-devel
Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA

On Wed, Apr 11, 2018 at 8:14 AM, Luis l <chel...@hotmail.com> wrote:
> Thank you guys, I wasn't sure where to post it so any guidance would help.
>
> So yes Okta / IDP = SSO = Multifactor Auth doesn't work
>
> I saw that in the link I pasted they get presented with it, but if it's still
> not an official release to OC then I will either wait or find another way for
> Linux users to connect to VPN. Which sucks bc I would rather use OC. Let me
> know what info is needed to maybe get this working.
>
> thank you!

Luis,

Other users have reported similar issues with external authentication flows in GlobalProtect. They're all different, but what they all have in common is that the user goes through web-based authentication forms, and then at the end they get some kind of cookie ("portal-userauthcookie", "prelogin-cookie", etc.) which then needs to be used _in place of the normal password_ to login.

Another user wrote some scripts to do the login with Okta, and I came up with a way to submit the resulting cookie. See this discussion and please give us feedback on whether the solution works for you: https://github.com/dlenski/openconnect/issues/98

-Dan

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
Example, or I just didn't have enough coffee: script_that_obtains_the_portal_userauthcookie? Can't find that and don't think that's an actual file.
Re: Openconnect - Palo Alto - Okta SSO / MFA
Not sure where the instructions are for the specific commit. Currently can't find those files after a recent fetch.
Re: Openconnect - Palo Alto - Okta SSO / MFA
Thank you guys, I wasn't sure where to post it so any guidance would help.

So yes Okta / IDP = SSO = Multifactor Auth doesn't work

I saw that in the link I pasted they get presented with it, but if it's still not an official release to OC then I will either wait or find another way for Linux users to connect to VPN. Which sucks bc I would rather use OC. Let me know what info is needed to maybe get this working.

thank you!

From: Daniel Lenski <dlen...@gmail.com>
Sent: Tuesday, April 10, 2018 3:37 AM
To: David Woodhouse
Cc: Luis l; openconnect-devel
Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA

On Apr 6, 2018 2:23 PM, "David Woodhouse" <dw...@infradead.org> wrote:
> On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l <chel...@hotmail.com> wrote:
>> > Hi Guys, I am using the latest version of OC w/ Palo Alto VPN …
>>
>> As explained on the page for the fork with PAN GlobalProtect support
>> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting),
>> you should report problems which are specific to PAN-GP as a new issue
>> on Github, rather than on this mailing list. GlobalProtect support is
>> not yet part of the official OpenConnect.
>
> FWIW I have no objection to using the mailing list for it even when it
> isn't merged yet.

Great, okay! I think I added that admonition on the Github project README when it was at a much less functional state.

> Where *are* we with merging it?

I gave you another round of cleaned-up-and-rebased patches on March 4, and one more patch on top on March 27 (for tolerance of oversize ESP packets, in the same vein as previous patches for tolerating oversize ONCP and GPST packets).

> I did some heckling
> at the last round of patches as there was some string allocation
> confusion, and it looked like it hadn't been run in valgrind. Did you
> give me another set after that?

valgrind credibly accuses me of a lengthy list of memory-allocation crimes. I haven't fixed them all yet. :-(

Do you have a preferred invocation for valgrind'ing openconnect, by the way? To test the GP protocol, I've been using variants of this:

    valgrind --tool=memcheck --leak-check=full --log-file=/tmp/valgrind.log -v \
        $OPENCONNECT_BIN --protocol=globalprotect -u $USERNAME \
        --csd-wrapper ./hipreport.sh $SERVER

Thanks,
Dan
Openconnect - Palo Alto - Okta SSO / MFA
Hi Guys,

I am using the latest version of OC w/ Palo Alto VPN and Okta as the IDP / MFA. Using NON MFA/Okta the process works and connects, but when using Okta it does not prompt me for the MFA key. Gives an error of:

HTTP body length: (128)
Unexpected 512 result from server
Invalid username or password.

Protocol used is gp, and I saw this post but no results: https://github.com/dlenski/openconnect/issues/57

Ubuntu LTS 14.01
openconnect v7.08-274-gabb4ef3