openconnect derailed by Pulse pre sign-in notification?
Gernot Hillier
gernot.hillier at siemens.com
Tue Jan 23 04:42:27 PST 2018
Hi there!
James Ralston wrote:
> Does anyone have any advice or tips for getting openconnect to
> navigate through a pre sign-in notification?
>
> We are legally required to use a pre sign-in notification for our
> Pulse VPN service:
>
> https://corliss.sei.cmu.edu/
>
> Unfortunately, openconnect doesn't seem to understand how to navigate
> through the pre sign-in notification. Attempting to connect to the
> Pulse VPN service yields this error message:
>
> Failed to find or parse web form in login page

We have a somewhat similar issue here where Smartcard auth is not done by
the Pulse gateway, but by some other Siemens service, which means
OpenConnect needs to dive through three additional forms. For now, I use
something like this:

@@ -657,6 +665,14 @@ int oncp_obtain_cookie(struct openconnect_info
*vpninfo)
ret = -EINVAL;
break;
}
+ } else if (!strcmp(form_id, "login_PKI") ||
+ !strcmp(form_id, "MessageAccept") ||
+ !strcmp(form_id, "gaform")) {
+ form = parse_form_node(vpninfo, node, "btnSubmit");
+ if (!form) {
+ ret = -EINVAL;
+ break;
+ }
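
Review bot: the three form ids in the new else-if ("login_PKI", "MessageAccept", "gaform") are hard-coded in oncp_obtain_cookie() and all parsed with the same third argument "btnSubmit", so the branch only works for gateways whose pages use exactly these names. Consider taking the extra form ids and the button name from a table or an option rather than growing the strcmp chain. "MessageAccept" is also handled exactly like the login forms here; if that form is an acceptance notice, it may deserve to be surfaced to the user rather than treated as one more form to parse. When parse_form_node() returns NULL the branch sets ret = -EINVAL, and no log line naming the failing form id is visible in the hunk, which will make failures on other sites hard to diagnose.
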
Plus deactivation of some sanity checks in handle_redirect() and
process_auth_form_cb().
However, further HTML parsing in OpenConnect feels like the wrong
solution, and http://www.infradead.org/openconnect/juniper.html seems to
suggest other solutions ("full compatibility may require actually using
a web browser to log in").
So we're thinking about implementing something similar to
juniper-vpn.py from https://github.com/russdill/juniper-vpn-py which
does our company-specific auth dance and then just calls openconnect
with the DSID cookie...
That said, finding a working PKCS#11 solution for Python turned out to
be a non-trivial task...
--
Gernot Hillier
Siemens AG, Corporate Competence Center Embedded Linux
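
The hand-off described in the message above (an external login, then openconnect started with the DSID cookie), as an added example that is not code from this post, from juniper-vpn-py or from OpenConnect. It assumes the login already produced Set-Cookie headers; the sample headers, the host name and the rule that a DSID is a plain alphanumeric token are constructed for illustration, while --protocol=nc and --cookie-on-stdin are openconnect options. The cookie is passed on stdin so the session token does not appear in the process list.

```python
import re
import subprocess
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers as a gateway might return them after
# the login forms are done. The values are made up.
SAMPLE_SET_COOKIE = [
    "DSSignInURL=/; path=/; secure",
    "DSID=0123456789abcdef0123456789abcdef; path=/; secure",
    "DSFirstAccess=1516711347; path=/; secure",
]

# Assumption: the session value is a plain token; anything else is rejected
# so it cannot smuggle whitespace or extra lines into openconnect's stdin.
_TOKEN = re.compile(r"[A-Za-z0-9]+")


def extract_dsid(set_cookie_headers):
    """Return the DSID value from Set-Cookie header values, or None."""
    dsid = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if "DSID" in jar:
            dsid = jar["DSID"].value  # last one wins, as in a browser
    if dsid is None or not _TOKEN.fullmatch(dsid):
        return None
    return dsid


def openconnect_invocation(host, dsid):
    """Build (argv, stdin_text); the cookie goes on stdin, never in argv."""
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host) or host.startswith("-"):
        raise ValueError("unexpected host name: %r" % host)
    argv = ["openconnect", "--protocol=nc", "--cookie-on-stdin", host]
    return argv, "DSID=%s\n" % dsid


def connect(host, set_cookie_headers):
    """Hand the session over to openconnect (needs root and a real gateway)."""
    dsid = extract_dsid(set_cookie_headers)
    if dsid is None:
        raise RuntimeError("login did not yield a usable DSID cookie")
    argv, stdin_text = openconnect_invocation(host, dsid)
    return subprocess.run(argv, input=stdin_text, text=True).returncode
```
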
More information about the openconnect-devel mailing list