Re: Openconnect - Palo Alto - Okta SSO / MFA
On Fri, Apr 13, 2018 at 8:31 AM, Luis lwrote: > After digging around i THINK its a part of this? > > https://github.com/arthepsy/pan-globalprotect-okta/ > > I downloaded it added the totp of that moment, removed pw to prompt me > instead of conf and i get the below from debug = 1. My "Guess" if this worked > its to be used against the command i sent prior and piped into the > openconnect cmd? > > --- > # status: > MFA_REQUIRED > --- > err: no factor url found Luis, I have a lot of trouble following your explanations here, but… yes, you need to figure out a way to generate the appropriate cookie and submit it to openconnect in place of the password, using the new mechanism that I added in the fun_with_cookies branch, as described on Github. I don't use Okta, can't use Okta, and know nothing about Okta. I do not have access to a GP VPN that uses this kind of authentication flow. So I cannot test the authentication scripts in any way. All I can do is provide a mechanism for openconnect to accept the cookie produced by the alternative authentication flows, and rely on users to tell me if it solves the problem. Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
After digging around i THINK its a part of this? https://github.com/arthepsy/pan-globalprotect-okta/ I downloaded it added the totp of that moment, removed pw to prompt me instead of conf and i get the below from debug = 1. My "Guess" if this worked its to be used against the command i sent prior and piped into the openconnect cmd? --- # status: MFA_REQUIRED --- err: no factor url found From: Daniel Lenski <dlen...@gmail.com> Sent: Friday, April 13, 2018 2:23 AM To: Luis l Cc: David Woodhouse; openconnect-devel Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA On Wed, Apr 11, 2018 at 8:14 AM, Luis l <chel...@hotmail.com> wrote: > > Thank you guys, I wasnt sure where to post it so any guidance would help. > > > So yes Okta / IDP = SSO = Multifactor Auth doesnt work > > > I saw that in the link i pasted they get presented with it, but if its still > not an official release to OC then i will either wait or find another way for > linux users to connect to vpn. which sucks bc i would rather use OC. Let me > know what info is needed to maybe get this working. > > > thank you! Luis, Other users have reported similar issues with external authentication flows in GlobalProtect. They're all different, but what they all have in common is that the user goes through web-based authentication forms, and then at the end they get some kind of cookie ("portal-userauthcookie", "prelogin-cookie", etc.) which then needs to be used _in place of the normal password_ to login. Another user wrote some scripts to do the login with Okta, and I came up with a way to submit the resulting cookie. See this discussion and please give us feedback on whether the solution works for you: https://github.com/dlenski/openconnect/issues/98 -Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
Example or I just didnt have enough coffee script_that_obtains_the_portal_userauthcookie ? cant find that and dont think thats an actual file From: Daniel Lenski <dlen...@gmail.com> Sent: Friday, April 13, 2018 2:23 AM To: Luis l Cc: David Woodhouse; openconnect-devel Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA On Wed, Apr 11, 2018 at 8:14 AM, Luis l <chel...@hotmail.com> wrote: > > Thank you guys, I wasnt sure where to post it so any guidance would help. > > > So yes Okta / IDP = SSO = Multifactor Auth doesnt work > > > I saw that in the link i pasted they get presented with it, but if its still > not an official release to OC then i will either wait or find another way for > linux users to connect to vpn. which sucks bc i would rather use OC. Let me > know what info is needed to maybe get this working. > > > thank you! Luis, Other users have reported similar issues with external authentication flows in GlobalProtect. They're all different, but what they all have in common is that the user goes through web-based authentication forms, and then at the end they get some kind of cookie ("portal-userauthcookie", "prelogin-cookie", etc.) which then needs to be used _in place of the normal password_ to login. Another user wrote some scripts to do the login with Okta, and I came up with a way to submit the resulting cookie. See this discussion and please give us feedback on whether the solution works for you: https://github.com/dlenski/openconnect/issues/98 -Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
Not sure where the instructions are for the specific commit. Currently can't find those files after a recent fetch From: Daniel Lenski <dlen...@gmail.com> Sent: Friday, April 13, 2018 2:23 AM To: Luis l Cc: David Woodhouse; openconnect-devel Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA On Wed, Apr 11, 2018 at 8:14 AM, Luis l <chel...@hotmail.com> wrote: > > Thank you guys, I wasnt sure where to post it so any guidance would help. > > > So yes Okta / IDP = SSO = Multifactor Auth doesnt work > > > I saw that in the link i pasted they get presented with it, but if its still > not an official release to OC then i will either wait or find another way for > linux users to connect to vpn. which sucks bc i would rather use OC. Let me > know what info is needed to maybe get this working. > > > thank you! Luis, Other users have reported similar issues with external authentication flows in GlobalProtect. They're all different, but what they all have in common is that the user goes through web-based authentication forms, and then at the end they get some kind of cookie ("portal-userauthcookie", "prelogin-cookie", etc.) which then needs to be used _in place of the normal password_ to login. Another user wrote some scripts to do the login with Okta, and I came up with a way to submit the resulting cookie. See this discussion and please give us feedback on whether the solution works for you: https://github.com/dlenski/openconnect/issues/98 -Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Thu, Apr 12, 2018 at 7:14 PM, Daniel Lenskiwrote: > On Fri, Apr 6, 2018 at 11:23 AM, David Woodhouse wrote: >> Where *are* we with merging it? I did some heckling >> at the last round of patches as there was some string allocation >> confusion, and it looked like it hadn't been run in valgrind. Did you >> give me another set after that? > > David, > I fixed a couple memory leaks with valgrind and a quick-and-dirty > "GlobalProtect server simulator" () that I wrote with Flask. > > I can give you a whole new series of patches but first, to avoid > confusion, let me know… > > - Do you want everything squashed into a clean series on top of your > 'master' branch? > - Or do you want a series on top of your 'gpst' branch? (which > includes a patch from you on top of my previous series) > - Or something else? > > Also, don't forget this other patch I sent for oversize ESP packets — > not GP-specific even though it was first noticed on a GP VPN :-D > http://lists.infradead.org/pipermail/openconnect-devel/2018-March/004806.html Assuming the right answer is "squash everything into a clean series of patches on top of your 'master' branch", please see here: https://github.com/dlenski/openconnect/commits/gpst-squash These are rebased on top of your 'master', and get a clean bill of health from valgrind. Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Wed, Apr 11, 2018 at 8:14 AM, Luis lwrote: > > Thank you guys, I wasnt sure where to post it so any guidance would help. > > > So yes Okta / IDP = SSO = Multifactor Auth doesnt work > > > I saw that in the link i pasted they get presented with it, but if its still > not an official release to OC then i will either wait or find another way for > linux users to connect to vpn. which sucks bc i would rather use OC. Let me > know what info is needed to maybe get this working. > > > thank you! Luis, Other users have reported similar issues with external authentication flows in GlobalProtect. They're all different, but what they all have in common is that the user goes through web-based authentication forms, and then at the end they get some kind of cookie ("portal-userauthcookie", "prelogin-cookie", etc.) which then needs to be used _in place of the normal password_ to login. Another user wrote some scripts to do the login with Okta, and I came up with a way to submit the resulting cookie. See this discussion and please give us feedback on whether the solution works for you: https://github.com/dlenski/openconnect/issues/98 -Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Fri, Apr 6, 2018 at 11:23 AM, David Woodhousewrote: > Where *are* we with merging it? I did some heckling > at the last round of patches as there was some string allocation > confusion, and it looked like it hadn't been run in valgrind. Did you > give me another set after that? David, I fixed a couple memory leaks with valgrind and a quick-and-dirty "GlobalProtect server simulator" () that I wrote with Flask. I can give you a whole new series of patches but first, to avoid confusion, let me know… - Do you want everything squashed into a clean series on top of your 'master' branch? - Or do you want a series on top of your 'gpst' branch? (which includes a patch from you on top of my previous series) - Or something else? Also, don't forget this other patch I sent for oversize ESP packets — not GP-specific even though it was first noticed on a GP VPN :-D http://lists.infradead.org/pipermail/openconnect-devel/2018-March/004806.html Thanks, Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
Thank you guys, I wasnt sure where to post it so any guidance would help. So yes Okta / IDP = SSO = Multifactor Auth doesnt work I saw that in the link i pasted they get presented with it, but if its still not an official release to OC then i will either wait or find another way for linux users to connect to vpn. which sucks bc i would rather use OC. Let me know what info is needed to maybe get this working. thank you! From: Daniel Lenski <dlen...@gmail.com> Sent: Tuesday, April 10, 2018 3:37 AM To: David Woodhouse Cc: Luis l; openconnect-devel Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA On Apr 6, 2018 2:23 PM, "David Woodhouse" <dw...@infradead.org> wrote: >On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote: >> On Fri, Apr 6, 2018 at 11:27 AM, Luis l <chel...@hotmail.com> wrote: >> > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN … >> >> As explained on the page for the fork with PAN GlobalProtect support >> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting), https://avatars2.githubusercontent.com/u/128716?s=400=4 GitHub - dlenski/openconnect: OpenConnect client extended ... github.com This is a modified version of the fantastic open-source VPN client OpenConnect which supports the PAN GlobalProtect VPN in its native modes (SSL and ESP)—with no assistance or cooperation needed from your VPN administrators. This is a work in progress. That said, I've been using it for real work ... >> you should report problems which are specific to PAN-GP as a new issue >> on Github, rather than on this mailing list. GlobalProtect support is >> not yet part of the official OpenConnect. > > FWIW I have no objection to using the mailing list for it even when it > isn't merged yet. Great, okay! I think I added that admonition on the Github project README when it was at a much less functional state. > Where *are* we with merging it? I gave you another round of cleaned-up-and-rebased patches on March 4, and one more patch on top on March 27 (for tolerance of oversize ESP packets, in the same vein as previous patches for tolerating oversize ONCP and GPST packets). > I did some heckling > at the last round of patches as there was some string allocation > confusion, and it looked like it hadn't been run in valgrind. Did you > give me another set after that? valgrind credibly accuses me of a lengthy of memory-allocation crimes. I haven't fixed them all yet. :-( Do you have a preferred invocation for valgrind'ing openconnect, by the way? To test the GP protocol, I've been using variants of this: valgrind --tool=memcheck --leak-check=full --log-file=/tmp/valgrind.log -v $OPENCONNECT_BIN --protocol=globalprotect -u $USERNAME --csd-wrapper ./hipreport.sh $SERVER Thanks, Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Tue, Apr 10, 2018 at 5:37 AM, Daniel Lenskiwrote: > On Apr 6, 2018 2:23 PM, "David Woodhouse" wrote: >>On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote: >>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l wrote: >>> > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN … >>> >>> As explained on the page for the fork with PAN GlobalProtect support >>> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting), >>> you should report problems which are specific to PAN-GP as a new issue >>> on Github, rather than on this mailing list. GlobalProtect support is >>> not yet part of the official OpenConnect. >> >> FWIW I have no objection to using the mailing list for it even when it >> isn't merged yet. > > Great, okay! I think I added that admonition on the Github project > README when it was at a much less functional state. > >> Where *are* we with merging it? > > I gave you another round of cleaned-up-and-rebased patches on March 4, > and one more patch on top on March 27 (for tolerance of oversize ESP > packets, in the same vein as previous patches for tolerating oversize > ONCP and GPST packets). > >> I did some heckling >> at the last round of patches as there was some string allocation >> confusion, and it looked like it hadn't been run in valgrind. Did you >> give me another set after that? > > valgrind credibly accuses me of a lengthy of memory-allocation crimes. > I haven't fixed them all yet. :-( > > Do you have a preferred invocation for valgrind'ing openconnect, by > the way? To test the GP protocol, I've been using variants of this: Not sure about valgrind, but if you want to run the testsuite of the openconnect, you can fork the project from gitlab, and check the existing tests + your tests outputs on the pipelines: https://gitlab.com/ocserv/openconnect regards, Nikos ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Apr 6, 2018 2:23 PM, "David Woodhouse"wrote: >On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote: >> On Fri, Apr 6, 2018 at 11:27 AM, Luis l wrote: >> > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN … >> >> As explained on the page for the fork with PAN GlobalProtect support >> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting), >> you should report problems which are specific to PAN-GP as a new issue >> on Github, rather than on this mailing list. GlobalProtect support is >> not yet part of the official OpenConnect. > > FWIW I have no objection to using the mailing list for it even when it > isn't merged yet. Great, okay! I think I added that admonition on the Github project README when it was at a much less functional state. > Where *are* we with merging it? I gave you another round of cleaned-up-and-rebased patches on March 4, and one more patch on top on March 27 (for tolerance of oversize ESP packets, in the same vein as previous patches for tolerating oversize ONCP and GPST packets). > I did some heckling > at the last round of patches as there was some string allocation > confusion, and it looked like it hadn't been run in valgrind. Did you > give me another set after that? valgrind credibly accuses me of a lengthy of memory-allocation crimes. I haven't fixed them all yet. :-( Do you have a preferred invocation for valgrind'ing openconnect, by the way? To test the GP protocol, I've been using variants of this: valgrind --tool=memcheck --leak-check=full --log-file=/tmp/valgrind.log -v $OPENCONNECT_BIN --protocol=globalprotect -u $USERNAME --csd-wrapper ./hipreport.sh $SERVER Thanks, Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote: > On Fri, Apr 6, 2018 at 11:27 AM, Luis lwrote: > > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN … > > As explained on the page for the fork with PAN GlobalProtect support > (https://github.com/dlenski/openconnect#feedback-and-troubleshooting), > you should report problems which are specific to PAN-GP as a new issue > on Github, rather than on this mailing list. GlobalProtect support is > not yet part of the official OpenConnect. FWIW I have no objection to using the mailing list for it even when it isn't merged yet. Where *are* we with merging it? I did some heckling at the last round of patches as there was some string allocation confusion, and it looked like it hadn't been run in valgrind. Did you give me another set after that? smime.p7s Description: S/MIME cryptographic signature ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: Openconnect - Palo Alto - Okta SSO / MFA
On Fri, Apr 6, 2018 at 11:27 AM, Luis lwrote: > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN … As explained on the page for the fork with PAN GlobalProtect support (https://github.com/dlenski/openconnect#feedback-and-troubleshooting), you should report problems which are specific to PAN-GP as a new issue on Github, rather than on this mailing list. GlobalProtect support is not yet part of the official OpenConnect. > … and Okta as the IDP / MFA. Using NON mfa/okta the process works and > connects but when using okta it does not prompt me for the MFA key. I have absolutely zero idea what Okta or IDP are. I think you're saying that with single-factor authentication (username and password) it works fine, but with multi-factor authentication it doesn't. Is that correct? > Gives a error of > > > HTTP body length: (128) > Unexpected 512 result from server > Invalid username or password. > > > protocol used is gp and i saw this post but no results > > https://github.com/dlenski/openconnect/issues/57 > > Ubuntu LTS 14.01 > > openconnect v7.08-274-gabb4ef3 You're using a recent build which does include challenge-based multi-factor authentication support. Good. Without more information, it's impossible to diagnose this. You should file a new issue in Github, and be sure to include the debug logs as I request in the template. Dan ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel