Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-13 Thread Daniel Lenski
On Fri, Apr 13, 2018 at 8:31 AM, Luis l  wrote:
> After digging around I THINK it's a part of this?
>
> https://github.com/arthepsy/pan-globalprotect-okta/
>
> I downloaded it, added the TOTP of that moment, removed pw to prompt me
> instead of conf, and I get the below from debug = 1. My "guess", if this worked,
> is it's to be used against the command I sent prior and piped into the
> openconnect cmd?
>
> ---
> # status:
> MFA_REQUIRED
> ---
> err: no factor url found

Luis,

I have a lot of trouble following your explanations here, but… yes,
you need to figure out a way to generate the appropriate cookie and
submit it to openconnect in place of the password, using the new
mechanism that I added in the fun_with_cookies branch, as described on
Github.

I don't use Okta, can't use Okta, and know nothing about Okta. I do
not have access to a GP VPN that uses this kind of authentication
flow. So I cannot test the authentication scripts in any way.

All I can do is provide a mechanism for openconnect to accept the
cookie produced by the alternative authentication flows, and rely on
users to tell me if it solves the problem.

Dan

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel


Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-13 Thread Luis l
After digging around I THINK it's a part of this?

https://github.com/arthepsy/pan-globalprotect-okta/

I downloaded it, added the TOTP of that moment, removed pw to prompt me instead
of conf, and I get the below from debug = 1. My "guess", if this worked, is it's
to be used against the command I sent prior and piped into the openconnect cmd?

---
# status:
MFA_REQUIRED
---
err: no factor url found




Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-13 Thread Luis l
Example, or I just didn't have enough coffee.

script_that_obtains_the_portal_userauthcookie? Can't find that and don't think
that's an actual file.






Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-13 Thread Luis l
Not sure where the instructions are for the specific commit. Currently can't
find those files after a recent fetch.






Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-12 Thread Daniel Lenski
On Thu, Apr 12, 2018 at 7:14 PM, Daniel Lenski  wrote:
> On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse  wrote:
>> Where *are* we with merging it? I did some heckling
>> at the last round of patches as there was some string allocation
>> confusion, and it looked like it hadn't been run in valgrind. Did you
>> give me another set after that?
>
> David,
> I fixed a couple of memory leaks with valgrind and a quick-and-dirty
> "GlobalProtect server simulator" () that I wrote with Flask.
>
> I can give you a whole new series of patches but first, to avoid
> confusion, let me know…
>
> - Do you want everything squashed into a clean series on top of your
> 'master' branch?
> - Or do you want a series on top of your 'gpst' branch? (which
> includes a patch from you on top of my previous series)
> - Or something else?
>
> Also, don't forget this other patch I sent for oversize ESP packets —
> not GP-specific even though it was first noticed on a GP VPN :-D
> http://lists.infradead.org/pipermail/openconnect-devel/2018-March/004806.html

Assuming the right answer is "squash everything into a clean series of
patches on top of your 'master' branch", please see here:

https://github.com/dlenski/openconnect/commits/gpst-squash

These are rebased on top of your 'master', and get a clean bill of
health from valgrind.

Dan



Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-12 Thread Daniel Lenski
On Wed, Apr 11, 2018 at 8:14 AM, Luis l  wrote:
>
> Thank you guys, I wasn't sure where to post it so any guidance would help.
>
> So yes, Okta / IDP = SSO = Multifactor Auth doesn't work.
>
> I saw that in the link I pasted they get presented with it, but if it's still
> not an official release to OC then I will either wait or find another way for
> Linux users to connect to VPN, which sucks because I would rather use OC. Let me
> know what info is needed to maybe get this working.
>
> Thank you!

Luis,
Other users have reported similar issues with external authentication
flows in GlobalProtect.

They're all different, but what they all have in common is that the
user goes through web-based authentication forms, and then at the end
they get some kind of cookie ("portal-userauthcookie",
"prelogin-cookie", etc.) which then needs to be used _in place of the
normal password_ to login.

Another user wrote some scripts to do the login with Okta, and I came
up with a way to submit the resulting cookie. See this discussion and
please give us feedback on whether the solution works for you:
https://github.com/dlenski/openconnect/issues/98

-Dan

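The cookie-in-place-of-password flow Dan describes, as an added POSIX sh example (not code from the thread, from openconnect, or from the pan-globalprotect-okta project): it checks the helper script's output for the failure pattern Luis pasted before trusting its last line as the cookie, and then hands that cookie to openconnect on stdin instead of on the command line. Assumptions, since the fun_with_cookies mechanism is not spelled out here: the helper prints a `# status:` block and `err:` lines as in that output and the cookie alone on its last line on success; `okta_login.sh`, the `SUCCESS` status value, and using openconnect's `--passwd-on-stdin` to supply the cookie where the password would go are all assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from either GitHub project.
# Assumed helper output format: a "# status:" line followed by the status,
# "---" separators, optional "err: ..." lines, and on success the cookie
# alone on the last line.

# Read helper output on stdin; print the cookie and return 0, or explain on
# stderr and return 1. The cookie is a bearer credential: it stands in for
# the password, so it is treated as a secret and never echoed to the terminal.
cookie_from_helper_output() {
    status="" cookie="" expect_status=0
    while IFS= read -r line; do
        case "$line" in
            "err: "*)    echo "helper reported: ${line#err: }" >&2; return 1 ;;
            "# status:") expect_status=1 ;;
            "---"|"")    ;;
            *)  if [ "$expect_status" -eq 1 ]; then
                    status="$line"; expect_status=0
                else
                    cookie="$line"
                fi ;;
        esac
    done
    if [ "$status" != "SUCCESS" ]; then   # SUCCESS is an assumed value
        echo "helper status was '${status:-unknown}', not SUCCESS" >&2; return 1
    fi
    # Refuse anything that does not look like a single opaque token.
    case "$cookie" in
        ""|*[!A-Za-z0-9._=+/-]*) echo "no usable cookie in helper output" >&2; return 1 ;;
    esac
    printf '%s\n' "$cookie"
}

# Obtain the cookie and submit it where openconnect expects the password,
# via stdin so it never appears in the process list (argv) or shell history.
connect_with_okta_cookie() {   # $1 = VPN username, $2 = portal/gateway host
    # okta_login.sh is a hypothetical name for the helper script
    cookie=$(./okta_login.sh | cookie_from_helper_output) || return 1
    printf '%s\n' "$cookie" | openconnect --protocol=globalprotect \
        --passwd-on-stdin -u "$1" "$2"
}
```

With the output Luis pasted (status MFA_REQUIRED plus an `err:` line) the parser stops before anything is sent to openconnect, which is the right place to stop: a rejected second factor should never turn into a password-submission attempt.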


Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-12 Thread Daniel Lenski
On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse  wrote:
> Where *are* we with merging it? I did some heckling
> at the last round of patches as there was some string allocation
> confusion, and it looked like it hadn't been run in valgrind. Did you
> give me another set after that?

David,
I fixed a couple of memory leaks with valgrind and a quick-and-dirty
"GlobalProtect server simulator" () that I wrote with Flask.

I can give you a whole new series of patches but first, to avoid
confusion, let me know…

- Do you want everything squashed into a clean series on top of your
'master' branch?
- Or do you want a series on top of your 'gpst' branch? (which
includes a patch from you on top of my previous series)
- Or something else?

Also, don't forget this other patch I sent for oversize ESP packets —
not GP-specific even though it was first noticed on a GP VPN :-D
http://lists.infradead.org/pipermail/openconnect-devel/2018-March/004806.html

Thanks,
Dan



Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-11 Thread Luis l
Thank you guys, I wasn't sure where to post it so any guidance would help.

So yes, Okta / IDP = SSO = Multifactor Auth doesn't work.

I saw that in the link I pasted they get presented with it, but if it's still
not an official release to OC then I will either wait or find another way for
Linux users to connect to VPN, which sucks because I would rather use OC. Let me
know what info is needed to maybe get this working.

Thank you!






Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-10 Thread Nikos Mavrogiannopoulos
On Tue, Apr 10, 2018 at 5:37 AM, Daniel Lenski  wrote:
> On Apr 6, 2018 2:23 PM, "David Woodhouse"  wrote:
>>On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
>>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l  wrote:
>>> > Hi Guys, I am using the latest version of OC w/ Palo Alto VPN …
>>>
>>> As explained on the page for the fork with PAN GlobalProtect support
>>> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting),
>>> you should report problems which are specific to PAN-GP as a new issue
>>> on Github, rather than on this mailing list. GlobalProtect support is
>>> not yet part of the official OpenConnect.
>>
>> FWIW I have no objection to using the mailing list for it even when it
>> isn't merged yet.
>
> Great, okay! I think I added that admonition on the Github project
> README when it was at a much less functional state.
>
>> Where *are* we with merging it?
>
> I gave you another round of cleaned-up-and-rebased patches on March 4,
> and one more patch on top on March 27 (for tolerance of oversize ESP
> packets, in the same vein as previous patches for tolerating oversize
> ONCP and GPST packets).
>
>> I did some heckling
>> at the last round of patches as there was some string allocation
>> confusion, and it looked like it hadn't been run in valgrind. Did you
>> give me another set after that?
>
> valgrind credibly accuses me of a lengthy list of memory-allocation crimes.
> I haven't fixed them all yet. :-(
>
> Do you have a preferred invocation for valgrind'ing openconnect, by
> the way? To test the GP protocol, I've been using variants of this:

Not sure about valgrind, but if you want to run the testsuite of the
openconnect, you can fork the project from gitlab, and check the
existing tests + your tests outputs on the pipelines:
https://gitlab.com/ocserv/openconnect

regards,
Nikos



Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-09 Thread Daniel Lenski
On Apr 6, 2018 2:23 PM, "David Woodhouse"  wrote:
>On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l  wrote:
>> > Hi Guys, I am using the latest version of OC w/ Palo Alto VPN …
>>
>> As explained on the page for the fork with PAN GlobalProtect support
>> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting),
>> you should report problems which are specific to PAN-GP as a new issue
>> on Github, rather than on this mailing list. GlobalProtect support is
>> not yet part of the official OpenConnect.
>
> FWIW I have no objection to using the mailing list for it even when it
> isn't merged yet.

Great, okay! I think I added that admonition on the Github project
README when it was at a much less functional state.

> Where *are* we with merging it?

I gave you another round of cleaned-up-and-rebased patches on March 4,
and one more patch on top on March 27 (for tolerance of oversize ESP
packets, in the same vein as previous patches for tolerating oversize
ONCP and GPST packets).

> I did some heckling
> at the last round of patches as there was some string allocation
> confusion, and it looked like it hadn't been run in valgrind. Did you
> give me another set after that?

valgrind credibly accuses me of a lengthy list of memory-allocation crimes.
I haven't fixed them all yet. :-(

Do you have a preferred invocation for valgrind'ing openconnect, by
the way? To test the GP protocol, I've been using variants of this:

    valgrind --tool=memcheck --leak-check=full \
        --log-file=/tmp/valgrind.log -v $OPENCONNECT_BIN \
        --protocol=globalprotect -u $USERNAME --csd-wrapper ./hipreport.sh \
        $SERVER

Thanks,
Dan

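Dan's valgrind invocation leaves a log to be read by eye. As an added POSIX sh example (not code from the thread or from openconnect), the script below wraps that same invocation and grades the resulting log, so "a clean bill of health from valgrind" becomes an exit status a test pipeline of the kind Nikos mentions can check. It assumes the same OPENCONNECT_BIN, USERNAME and SERVER variables; the two memcheck logs embedded for the self-test are constructed, not real openconnect output.

```shell
#!/bin/sh
# Added example, not from the thread or from openconnect itself.
# Assumes OPENCONNECT_BIN, USERNAME and SERVER are set, as in Dan's invocation.

# Run the GlobalProtect flow under memcheck, writing the log to $1.
run_gp_under_valgrind() {
    valgrind --tool=memcheck --leak-check=full --log-file="$1" -v \
        "$OPENCONNECT_BIN" --protocol=globalprotect -u "$USERNAME" \
        --csd-wrapper ./hipreport.sh "$SERVER"
}

# Bytes reported as "definitely lost:" in the LEAK SUMMARY of log $1 (0 if none).
# Memcheck prefixes every line with ==PID==, so the byte count is field 4;
# the per-record "are definitely lost in loss record" lines have no colon
# and are intentionally not counted twice.
definitely_lost_bytes() {
    awk '/definitely lost:/ { gsub(",", "", $4); sum += $4 } END { print sum + 0 }' "$1"
}

# Error count from the ERROR SUMMARY line of log $1 (0 if none).
error_count() {
    awk '/ERROR SUMMARY:/ { gsub(",", "", $4); n = $4 } END { print n + 0 }' "$1"
}

# Succeeds only when nothing is definitely lost and no errors were reported.
# "still reachable" blocks are deliberately tolerated: they are not leaks.
valgrind_log_is_clean() {
    [ "$(definitely_lost_bytes "$1")" -eq 0 ] && [ "$(error_count "$1")" -eq 0 ]
}

# Constructed memcheck logs for a self-test (not real openconnect output).
write_leaky_log() {
    cat > "$1" <<'EOF'
==4242== Memcheck, a memory error detector
==4242== LEAK SUMMARY:
==4242==    definitely lost: 1,024 bytes in 2 blocks
==4242==    indirectly lost: 0 bytes in 0 blocks
==4242==    still reachable: 128 bytes in 7 blocks
==4242== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
EOF
}
write_clean_log() {
    cat > "$1" <<'EOF'
==4243== Memcheck, a memory error detector
==4243== LEAK SUMMARY:
==4243==    definitely lost: 0 bytes in 0 blocks
==4243==    still reachable: 128 bytes in 7 blocks
==4243== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
EOF
}

# Typical use against a real server:
#   run_gp_under_valgrind /tmp/valgrind.log; valgrind_log_is_clean /tmp/valgrind.log
```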


Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-06 Thread David Woodhouse


On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
> On Fri, Apr 6, 2018 at 11:27 AM, Luis l  wrote:
> > Hi Guys, I am using the latest version of OC w/ Palo Alto VPN …
> 
> As explained on the page for the fork with PAN GlobalProtect support
> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting),
> you should report problems which are specific to PAN-GP as a new issue
> on Github, rather than on this mailing list. GlobalProtect support is
> not yet part of the official OpenConnect.

FWIW I have no objection to using the mailing list for it even when it
isn't merged yet. Where *are* we with merging it? I did some heckling
at the last round of patches as there was some string allocation
confusion, and it looked like it hadn't been run in valgrind. Did you
give me another set after that?



Re: Openconnect - Palo Alto - Okta SSO / MFA

2018-04-06 Thread Daniel Lenski
On Fri, Apr 6, 2018 at 11:27 AM, Luis l  wrote:
> Hi Guys, I am using the latest version of OC w/ Palo Alto VPN …

As explained on the page for the fork with PAN GlobalProtect support
(https://github.com/dlenski/openconnect#feedback-and-troubleshooting),
you should report problems which are specific to PAN-GP as a new issue
on Github, rather than on this mailing list. GlobalProtect support is
not yet part of the official OpenConnect.

> … and Okta as the IDP / MFA. Using non-MFA/Okta the process works and
> connects, but when using Okta it does not prompt me for the MFA key.

I have absolutely zero idea what Okta or IDP are. I think you're
saying that with single-factor authentication (username and password)
it works fine, but with multi-factor authentication it doesn't. Is
that correct?

> Gives an error of
>
> HTTP body length: (128)
> Unexpected 512 result from server
> Invalid username or password.
>
> Protocol used is GP and I saw this post but no results:
>
> https://github.com/dlenski/openconnect/issues/57
>
> Ubuntu LTS 14.01
>
> openconnect v7.08-274-gabb4ef3

You're using a recent build which does include challenge-based
multi-factor authentication support. Good.

Without more information, it's impossible to diagnose this. You should
file a new issue in Github, and be sure to include the debug logs as I
request in the template.

Dan
