GlobalProtect gateway authorization fails

O. William McClung owmcclung at gmail.com
Sat Jul 10 16:49:40 PDT 2021


Git commit 0fc967c3 works.

For the moment my process is manual.

$ gp-saml-gui -p --clientos=Windows <my-vpn> -- --authgr='US Central'

produces the correct CLI command and I copy/paste that to the
terminal, editing 'openconnect' to the correct absolute path.

Many thanks to all developers of openconnect. I'd be "up the creek" without it.

On Mon, Jun 21, 2021 at 12:07 PM O. William McClung <owmcclung at gmail.com> wrote:
>
> On Gentoo Linux:
>
> $ gp-saml-gui --portal -S --clientos=Windows <my-vpn>
>
> produces
>
> ...
> [SAML   ] Got all required SAML headers, done.
> IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
>
> SAML response converted to OpenConnect command line invocation:
>
>     echo <cookie> |
>         sudo openconnect --protocol=gp '--user=<user>' --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin <my-vpn>
> ...
> Portal set HIP report interval to 60 minutes).
> 8 gateway servers available:
>   US Southwest (us-southwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Northwest (us-northwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US West (us-west-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Southeast (us-southeast-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US East (us-east-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US South (us-south-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Northeast (us-northeast-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Central (us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
> Please select GlobalProtect gateway.
> GATEWAY: [US Southwest|US Northwest|US West|US Southeast|US East|US South|US Northeast|US Central]:fgets (stdin): Resource temporarily unavailable
>
> $ gp-saml-gui --portal -S --clientos=Windows <my-vpn> -- --authgroup='US Central'
>
> produces
>
> ...
> Connected to HTTPS on <my-vpn> with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
> Enter login credentials
> POST https://<my-vpn>/global-protect/getconfig.esp
> Portal set HIP report interval to 60 minutes).
> 8 gateway servers available:
>   US Southwest (us-southwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Northwest (us-northwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US West (us-west-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Southeast (us-southeast-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US East (us-east-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US South (us-south-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Northeast (us-northeast-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
>   US Central (us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
> Please select GlobalProtect gateway.
> POST https://us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
> Connected to <ip>
> SSL negotiation with us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com
> Connected to HTTPS on us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
> Enter login credentials
> prelogin-cookie:
> fgets (stdin): Inappropriate ioctl for device
>
> Any hints on getting openconnect to work with <my-vpn> will be gratefully received.



More information about the openconnect-devel mailing list