GlobalProtect gateway authorization fails
O. William McClung
owmcclung at gmail.com
Mon Jun 21 10:21:08 PDT 2021
On Gentoo Linux:
$ gp-saml-gui --portal -S --clientos=Windows <my-vpn>
produces
...
[SAML ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but
received a cookie that's often associated with the gateway interface.
You should probably try both.
SAML response converted to OpenConnect command line invocation:
echo <cookie> |
sudo openconnect --protocol=gp '--user=<user>' --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin <my-vpn>
...
Portal set HIP report interval to 60 minutes).
8 gateway servers available:
US Southwest (us-southwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Northwest (us-northwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US West (us-west-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Southeast (us-southeast-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US East (us-east-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US South (us-south-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Northeast (us-northeast-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Central (us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
GATEWAY: [US Southwest|US Northwest|US West|US Southeast|US East|US South|US Northeast|US Central]:fgets (stdin): Resource temporarily unavailable
$ gp-saml-gui --portal -S --clientos=Windows <my-vpn> -- --authgroup='US Central'
produces
...
Connected to HTTPS on <my-vpn> with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
POST https://<my-vpn>/global-protect/getconfig.esp
Portal set HIP report interval to 60 minutes).
8 gateway servers available:
US Southwest (us-southwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Northwest (us-northwest-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US West (us-west-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Southeast (us-southeast-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US East (us-east-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US South (us-south-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Northeast (us-northeast-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
US Central (us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
POST https://us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to <ip>
SSL negotiation with us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com
Connected to HTTPS on us-central-g-universi.gpo2ojjg5cnn.gw.gpcloudservice.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
prelogin-cookie:
fgets (stdin): Inappropriate ioctl for device
Any hints on getting openconnect to work with <my-vpn> will be
gratefully received.