openconnect derailed by Pulse pre sign-in notification?
James Ralston
ralston at pobox.com
Tue Jan 23 16:39:27 PST 2018
Hi Gernot,
On Tue, Jan 23, 2018 at 7:42 AM, Gernot Hillier
<gernot.hillier at siemens.com> wrote:
> Hi there!
>
> James Ralston wrote:
>
> > Does anyone have any advice or tips for getting openconnect to
> > navigate through a pre sign-in notification?
> >
> > We are legally required to use a pre sign-in notification for our
> > Pulse VPN service:
> >
> > https://corliss.sei.cmu.edu/
> >
> > Unfortunately, openconnect doesn't seem to understand how to
> > navigate through the pre sign-in notification. Attempting to
> > connect to the Pulse VPN service yields this error message:
> >
> > Failed to find or parse web form in login page
>
> We have a somewhat similar issue here where Smartcard auth is not
> done by the Pulse gateway, but some other Siemens-service which
> means OpenConnect needs to dive through three additional forms. For
> now, I use something like this:
>
> @@ -657,6 +665,14 @@ int oncp_obtain_cookie(struct openconnect_info
> *vpninfo)
> ret = -EINVAL;
> break;
> }
> + } else if (!strcmp(form_id, "login_PKI") ||
> + !strcmp(form_id, "MessageAccept") ||
> + !strcmp(form_id, "gaform")) {
> + form = parse_form_node(vpninfo, node, "btnSubmit");
> + if (!form) {
> + ret = -EINVAL;
> + break;
> + }
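Review bot: the new `else if` branch clicks straight through the `MessageAccept` form via `btnSubmit` without ever surfacing the notification text, which defeats the purpose of a legally required pre sign-in notice; before calling `parse_form_node(vpninfo, node, "btnSubmit")`, copy the form's visible text into the auth form's banner so the user sees (and the log records) what was accepted. The three ids `login_PKI`, `MessageAccept` and `gaform` are matched by exact `strcmp` and all assumed to carry a `btnSubmit` control, so a one-line comment per id saying which page it is and why a single click is the right action would make the branch reviewable. Note also that the header announces 14 lines in the new file but only three leading context lines and the eight `+` lines are visible, so the trailing context of the hunk is cut off in the quote.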
>
> Plus deactivation of some sanity checks in handle_redirect() and
> process_auth_form_cb().
Yeah, that's what I was afraid of: the only way to get past the
disclaimer form is to patch openconnect to recognize it, alas.
> However, further HTML parsing in OpenConnect feels like the wrong
> solution, and http://www.infradead.org/openconnect/juniper.html
> seems to suggest other solutions ("full compatibility may require
> actually using a web browser to log in").
>
> So we're thinking about implementing something similar to
> juniper-vpn.py from https://github.com/russdill/juniper-vpn-py which
> does our company-specific auth dance and then just calls openconnect
> with the DSID cookie...
The problem with this approach is that it necessitates calling
openconnect by hand. We'd prefer to avoid that, because adding a new
VPN connection within NetworkManager is what our users (and most Linux
users, I suspect) are used to. And unfortunately, NetworkManager
doesn't know how to configure a VPN interface that calls openconnect
with a custom authentication piece.
Not to mention we'd still need to patch juniper-vpn-py to understand
how to click through the disclaimer.
> That said, finding a working PKCS#11 solution for Python turned out
> to be a non-trivial task...
Indeed, it's been our experience that most user-contributed libraries
tend not to offer diverse authentication support, because the
developers of said libraries don't use anything beyond simple
username/password authentication.
Anyway, thanks for confirming that others have run into the same
issue.
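As an added example (not code from this thread, from openconnect, or from juniper-vpn-py), here is how a helper script in the juniper-vpn.py style could handle the pre sign-in notification step before handing off to openconnect: parse the login page, recognise a click-through form by its id, pull out the notice text, the hidden fields and the submit buttons, and only then build the POST that a browser user's click would send. The form ids are the three from the quoted patch, the `btnSubmit` button name is taken from the same hunk, and the sample page, its `/dana-na/...` action path, the hidden field names and `vpn.example.com` are all constructed assumptions rather than real Pulse markup. It also goes beyond the thread's case by treating a page with no such form (a plain login form) as "nothing to click through", returning `None`.

```python
"""Walk a Pulse/Juniper login page that starts with a pre sign-in notification.

Added example in the juniper-vpn.py spirit (drive the web forms yourself, hand
openconnect the cookie). Not openconnect or juniper-vpn-py code; the form ids,
field names, URLs and page markup are assumptions / constructed samples.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urljoin

# Form ids a browser user gets past with one click on "btnSubmit".
# Assumption: the three ids from the patch quoted earlier in the thread.
CLICK_THROUGH_FORMS = {"MessageAccept", "gaform", "login_PKI"}
SUBMIT_BUTTON = "btnSubmit"


@dataclass
class WebForm:
    form_id: str
    action: str
    method: str
    hidden: dict = field(default_factory=dict)   # hidden inputs, sent verbatim
    submits: dict = field(default_factory=dict)  # submit buttons; only one is "clicked"
    text: str = ""                               # visible text, i.e. the notice itself


class PulseFormParser(HTMLParser):
    """Collect every <form> with its hidden fields, submit buttons and text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = WebForm(a.get("id") or a.get("name") or "",
                                a.get("action", ""),
                                a.get("method", "get").upper())
            self._chunks = []
        elif tag == "input" and self._cur is not None and a.get("name"):
            kind = a.get("type", "text").lower()
            if kind == "hidden":
                self._cur.hidden[a["name"]] = a.get("value", "")
            elif kind == "submit":
                self._cur.submits[a["name"]] = a.get("value", "")

    def handle_data(self, data):
        if self._cur is not None:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            # Collapse whitespace so the notice reads as one line of text.
            self._cur.text = " ".join(" ".join(self._chunks).split())
            self.forms.append(self._cur)
            self._cur = None


def parse_forms(html):
    p = PulseFormParser()
    p.feed(html)
    p.close()
    return p.forms


def find_click_through_form(html):
    """Return the notice/interstitial form if the page carries one, else None."""
    for f in parse_forms(html):
        if f.form_id in CLICK_THROUGH_FORMS and SUBMIT_BUTTON in f.submits:
            return f
    return None


def build_accept_request(form, page_url, accepted):
    """(method, url, payload) for clicking btnSubmit on the notice form.

    Refuses unless the caller confirms the notice text was shown and accepted:
    a required pre sign-in notification only means something if the user saw it.
    """
    if not accepted:
        raise PermissionError("pre sign-in notice was not acknowledged")
    payload = dict(form.hidden)
    payload[SUBMIT_BUTTON] = form.submits[SUBMIT_BUTTON]  # only the clicked button
    return form.method, urljoin(page_url, form.action), payload


# Constructed sample pages; real Pulse markup differs in detail.
SAMPLE_NOTICE_PAGE = """<html><body>
<form id="MessageAccept" name="frmMessage" method="post"
      action="/dana-na/auth/url_default/welcome.cgi">
<p>NOTICE: constructed sample banner. Use of this system is monitored.</p>
<input type="hidden" name="tz_offset" value="-300">
<input type="hidden" name="realm" value="Users">
<input type="submit" name="btnSubmit" value="Proceed">
<input type="submit" name="btnCancel" value="Decline">
</form></body></html>"""

SAMPLE_PLAIN_LOGIN = """<form id="frmLogin" method="post" action="/login.cgi">
<input type="text" name="username"><input type="password" name="password">
<input type="submit" name="btnSubmit" value="Sign In"></form>"""


if __name__ == "__main__":
    f = find_click_through_form(SAMPLE_NOTICE_PAGE)
    print("notice:", f.text)
    ok = input("Accept? [y/N] ").strip().lower() == "y"
    print(build_accept_request(f, "https://vpn.example.com/", ok))
```

Two design points carry over to whatever eventually drives openconnect: the script follows the form's own `action` and hidden fields instead of hard-coding a URL, so a gateway upgrade that renames a hidden field does not silently break it, and it sends only the button that was "clicked", since posting both `btnSubmit` and `btnCancel` is not what any browser would do. The explicit `accepted` gate is the defender's half of the story: an auto-clicker that never displays the notice turns a mandated banner into dead code.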