GlobalProtect gateway authorization fails

Daniel Lenski dlenski at gmail.com
Mon Jun 21 17:58:30 PDT 2021


On Mon, Jun 21, 2021 at 10:21 AM O. William McClung <owmcclung at gmail.com> wrote:
>
> Any hints on getting openconnect to work with <my-vpn> will be
> gratefully received.

This case *appears* to correspond to a longstanding bug which I fixed
in an as-yet-unmerged MR:
https://gitlab.com/openconnect/openconnect/-/merge_requests/199

1. If you just want to make it work ASAP…

You'll save yourself a whole lot of hassle if you just connect to the
gateway interface rather than the portal interface.
To try it, omit --portal from the gp-saml-gui command line, and point
it at a gateway server address instead of the portal server address.
This works on most GP VPNs, even if the administrators insist it
can't, because they don't really understand how the VPN works.

2. If you really *need* to login via the portal, or want to help us
fill in some more edge cases (please do 🙏🙏🙏)…

There are a large number of strange and hard-to-test corner cases in
authenticating to GlobalProtect via the *portal* interface, and then
forwarding the authentication to the *gateway* interface. SAML makes
it even messier. On top of that, there were a whole bunch of bugs in
portal-to-gateway handoff which made this work poorly.

Most (all?) of these cases should be fixed in
https://gitlab.com/openconnect/openconnect/-/merge_requests/199, where
I've also added some tests to try to verify that this handoff behavior
works in a variety of cases. Build from that branch and test if it
works with the resulting OpenConnect executable. If it still doesn't
work, then it'd be really helpful to get a detailed log (`openconnect
-vvv --dump`) showing what cookies the portal is or isn't providing
after portal login.


-Dan
