Openconnect - Palo Alto - Okta SSO / MFA

Luis l chelapa at hotmail.com
Wed Apr 11 14:25:23 PDT 2018


Thank you guys, I wasnt sure where to post it so any guidance would help. 


So yes Okta / IDP = SSO = Multifactor Auth doesnt work


I saw that in the link i pasted they get presented with it, but if its still not an official release to OC then i will either wait or find another way for linux users to connect to vpn. which sucks bc i would rather use OC. Let me know what info is needed to maybe get this working. 


thank you!




From: Daniel Lenski <dlenski at gmail.com>
Sent: Tuesday, April 10, 2018 3:37 AM
To: David Woodhouse
Cc: Luis l; openconnect-devel
Subject: Re: Openconnect - Palo Alto - Okta SSO / MFA
  

On Apr 6, 2018 2:23 PM, "David Woodhouse" <dwmw2 at infradead.org> wrote:
>On Fri, 2018-04-06 at 11:54 -0500, Daniel Lenski wrote:
>> On Fri, Apr 6, 2018 at 11:27 AM, Luis l <chelapa at hotmail.com> wrote:
>> > Hi Guys, I am using the latests version of OC w/ Palo Alto VPN …
>>
>> As explained on the page for the fork with PAN GlobalProtect support
>> (https://github.com/dlenski/openconnect#feedback-and-troubleshooting),

 https://avatars2.githubusercontent.com/u/128716?s=400&v=4 

GitHub - dlenski/openconnect: OpenConnect client extended ...
github.com
This is a modified version of the fantastic open-source VPN client OpenConnect which supports the PAN GlobalProtect VPN in its native modes (SSL and ESP)—with no assistance or cooperation needed from your VPN administrators. This is a work in progress. That said, I've been using it for real work ...

>> you should report problems which are specific to PAN-GP as a new issue
>> on Github, rather than on this mailing list. GlobalProtect support is
>> not yet part of the official OpenConnect.
>
> FWIW I have no objection to using the mailing list for it even when it
> isn't merged yet.

Great, okay! I think I added that admonition on the Github project
README when it was at a much less functional state.

> Where *are* we with merging it?

I gave you another round of cleaned-up-and-rebased patches on March 4,
and one more patch on top on March 27 (for tolerance of oversize ESP
packets, in the same vein as previous patches for tolerating oversize
ONCP and GPST packets).

> I did some heckling
> at the last round of patches as there was some string allocation
> confusion, and it looked like it hadn't been run in valgrind. Did you
> give me another set after that?

valgrind credibly accuses me of a lengthy of memory-allocation crimes.
I haven't fixed them all yet. :-(

Do you have a preferred invocation for valgrind'ing openconnect, by
the way? To test the GP protocol, I've been using variants of this:

    valgrind --tool=memcheck --leak-check=full
--log-file=/tmp/valgrind.log -v $OPENCONNECT_BIN
--protocol=globalprotect -u $USERNAME --csd-wrapper ./hipreport.sh
$SERVER

Thanks,
Dan
    


More information about the openconnect-devel mailing list