[EXT] Re: Unable to connect to GlobalProtect VPN
Anthony Becker
abecker at sigcorp.com
Tue Aug 22 07:41:20 PDT 2023
Hi Daniel -
Thank you for the follow up. My most recent attempt to connect to this VPN was NOT successful. I've included more verbose output in case it will help. I've hidden my cookie and userid values.
First, I downloaded and built the most recent version of openconnect:
sshuser at oakvpn:~$ /vpn/openconnect-master/openconnect --version
OpenConnect version v9.12-unknown
Using GnuTLS 3.7.3. Features present: PKCS#11, HOTP software token, TOTP software token, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
Next, I ran gp-saml-gui to collect my credentials. Since I am connecting to a gateway, I tried the gateway option first:
sshuser at oakvpn:~$ eval $( ./.local/bin/gp-saml-gui --gateway --allow-insecure-crypto --verbose --clientos=Windows grizzvpn.oakland.edu )
Looking for SAML auth tags in response to https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp...
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT]
[--key KEY] [-v | -q] [-x | -P | -S] [-u]
[--clientos {Mac,Windows,Linux}] [-f EXTRA]
[--allow-insecure-crypto] [--user-agent USER_AGENT]
server [openconnect_extra ...]
gp-saml-gui: error: Gateway prelogin response does not contain SAML tags (<saml-auth-method> or <saml-request> missing)
Things to try:
1) Spoof an officially supported OS (e.g. --clientos=Windows or --clientos=Mac)
2) Check in browser: https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Windows
That did not work. Here is what the browser returned from that URL:
<prelogin-response>
<status>Success</status>
<ccusername/>
<autosubmit>false</autosubmit>
<msg/>
<newmsg/>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<auth-api>no</auth-api>
<region>US</region>
</prelogin-response>
Then I switched to the portal option:
sshuser at oakvpn:~$ eval $( ./.local/bin/gp-saml-gui --portal --allow-insecure-crypto --verbose --clientos=Windows grizzvpn.oakland.edu )
Looking for SAML auth tags in response to https://grizzvpn.oakland.edu/global-protect/prelogin.esp...
Got SAML POST, opening browser...
[REQUEST] Request for resource about:blank
Traceback (most recent call last):
File "/home/sshuser/.local/lib/python3.10/site-packages/gp_saml_gui.py", line 127, in on_load_changed
ct = h.get_content_type()
AttributeError: 'NoneType' object has no attribute 'get_content_type'
[REQUEST] POST for resource https://sso.oakland.edu/idp/profile/SAML2/POST/SSO
[REQUEST] GET for resource https://sso.oakland.edu/idp/css/main.css
[REQUEST] GET for resource https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js
[REQUEST] GET for resource https://ajax.googleapis.com/ajax/libs/jqueryui/1.12.1/jquery-ui.min.js
[REQUEST] GET for resource https://sso.oakland.edu/idp/images/oulogo.png
[PAGE ] Finished loading page https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
[SAML ] No headers in response, searching body for xml comments
[SAML ] Found comment in response body: ' end container div '
[SAML ] Found comment in response body: ' end cas-header header '
[SAML ] Found comment in response body: ' Login form '
[SAML ] Finished parsing response body for https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
[REQUEST] POST for resource https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s1
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/css/v3/base.css?v=39c22
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/plugin-detect/plugin-detect.min.css?v=01376
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery-prologue.js?v=400dc
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery.min.js?v=ff152
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/js/lib/jquery-postmessage.min.js?v=98c73
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/plugin-detect/plugin-detect.min.js?v=6a394
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/js/page/preauth.js?v=154e6
[REQUEST] GET for resource https://api-da6f62f9.duosecurity.com/frame/static/shared/lib/jquery/jquery-epilogue.js?v=c4ac5
[PAGE ] Finished loading page https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
[SAML ] No headers in response, searching body for xml comments
[SAML ] Found comment in response body: ' CSS '
[SAML ] Found comment in response body: ' Javascript '
[SAML ] Finished parsing response body for https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
[REQUEST] POST for resource https://api-da6f62f9.duosecurity.com/frame/frameless/v4/auth?sid=frameless-bde1f720-5509-4af0-9c20-6ea786bba8ee&tx=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJkdW9fdW5hbWUiOiJzaWdfYWJlY2tlciIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfdHlwZSI6ImNvZGUiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvc3NvLm9ha2xhbmQuZWR1XC9pZHBcL3Byb2ZpbGVcL0F1dGhuXC9EdW9cLzJGQVwvZHVvLWNhbGxiYWNrIiwic3RhdGUiOiJlZjQ3NDgzZThkOGIyNTkwNjRhNjM2ODUxMjQzZGIzYS42NTMxNzMzMiIsImV4cCI6MTY5MjcxNjc3MCwiY2xpZW50X2lkIjoiRElIVk80M1Q2QzhTTFRLUUhLSEkifQ.u1Wx6uocGc5k50Hh3f6RUNPnafokZlxAAsS_yIXLtzF2GwR1SuzapuVzatajhrfZyM9ITm2txoplj-m0DTYyMQ
[PAGE ] Finished loading page https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s2&_eventId_proceed=1
[SAML ] No headers in response, searching body for xml comments
[SAML ] Finished parsing response body for https://sso.oakland.edu/idp/profile/SAML2/POST/SSO?execution=e1s2&_eventId_proceed=1
[REQUEST] POST for resource https://grizzvpn.oakland.edu/SAML20/SP/ACS
[PAGE ] Finished loading page https://grizzvpn.oakland.edu/SAML20/SP/ACS
[SAML ] Got SAML result headers: {'prelogin-cookie': $COOKIE', 'saml-auth-status': '1', 'saml-slo': 'yes', 'saml-username': '$USER'}
[SAML ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
SAML response converted to OpenConnect command line invocation:
echo $COOKIE |
sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin grizzvpn.oakland.edu
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py --user=$USER --clientos=Windows -p '' \
https://grizzvpn.oakland.edu/global-protect/getconfig.esp prelogin-cookie=$COOKIE
The message about the cookie being for the gateway interface was interesting. I went ahead with portal invocation:
sshuser at oakvpn:~$ echo $COOKIE | sudo /vpn/openconnect-master/openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin --verbose grizzvpn.oakland.edu
POST https://grizzvpn.oakland.edu/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 141.210.72.2:443
Connected to 141.210.72.2:443
SSL negotiation with grizzvpn.oakland.edu
Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:12:05 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 6720
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=f651bcbf-da14-4fb3-abc5-6a5b490d376f; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (6720)
Destination form field prelogin-cookie was specified; assuming SAML POST authentication is complete.
Enter login credentials
POST https://grizzvpn.oakland.edu/global-protect/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:12:05 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 11408
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a647e797-4e98-4e9c-b79b-7c3c3663ba36; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (11408)
Portal reports GlobalProtect version 6.1.1-5; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
OU_VPN_Gateway (grizzvpn.oakland.edu)
Please select GlobalProtect gateway.
GATEWAY: [OU_VPN_Gateway]:OU_VPN_Gateway
POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:12:05 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 69
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=a647e797-4e98-4e9c-b79b-7c3c3663ba36; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (69)
Failed to parse non-XML server response
Response was: Error: Login fails (invalid session id)
Failed to complete authentication
OK, that didn't work. Since the cookie is no good any more, I ran gp-saml-gui again with the portal option to get a new cookie, and then tried openconnect again with the gateway invocation:
sshuser at oakvpn:~$ echo $COOKIE | sudo /vpn/openconnect-master/openconnect --protocol=gp '--useragent=PAN GlobalProtect' --allow-insecure-crypto --user=$USER --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin --verbose grizzvpn.oakland.edu
POST https://grizzvpn.oakland.edu/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 141.210.72.2:443
Connected to 141.210.72.2:443
SSL negotiation with grizzvpn.oakland.edu
Connected to HTTPS on grizzvpn.oakland.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:21:35 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 497
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (497)
Enter login credentials
POST https://grizzvpn.oakland.edu/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 22 Aug 2023 14:21:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 69
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (69)
Failed to parse non-XML server response
Response was: Error: Login fails (invalid session id)
Failed to complete authentication
I hope that's helpful. Please let me know if you need additional information.
Thanks!
Anthony
On 8/21/23, 5:20 PM, "Daniel Lenski" <dlenski at gmail.com <mailto:dlenski at gmail.com>> wrote:
CAUTION: This email originated from outside of SIG. Exercise caution when opening attachments or clicking links, especially from unknown senders.
On Thu, Aug 17, 2023 at 11:04 AM Anthony Becker <abecker at sigcorp.com <mailto:abecker at sigcorp.com>> wrote:
> Hi Daniel –
>
> Here is the openconnect version output:
>
> sshuser at oakvpn:~$ openconnect --version
> OpenConnect version v8.20-1
> Using GnuTLS 3.7.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
> Default vpnc-script (override with --script): /usr/share/vpnc-scripts/vpnc-script
>
> Neither “--clientos=Windows” nor “--usergroup=gateway:prelogin-cookie” worked for me – I received the same error messages as before.
Got it.
Subsequent to the v8.20 release, we've made several small improvements
to the GlobalProtect authentication-handling code. In particular,
https://gitlab.com/openconnect/openconnect/-/commit/51586b29 <https://gitlab.com/openconnect/openconnect/-/commit/51586b29>.
14:15 $ git log --decorate=no --oneline v8.20..v9.12 auth-globalprotect.c
https://gitlab.com/openconnect/openconnect/-/commit/bf4338c6 <https://gitlab.com/openconnect/openconnect/-/commit/bf4338c6> Ignore
blank labels sent in GlobalProtect prelogin
https://gitlab.com/openconnect/openconnect/-/commit/c0d2daea <https://gitlab.com/openconnect/openconnect/-/commit/c0d2daea> Save
GlobalProtect version reported by portal and parrot it back as client
version
https://gitlab.com/openconnect/openconnect/-/commit/27284f83 <https://gitlab.com/openconnect/openconnect/-/commit/27284f83> Prevent
crash on unexpected response for GlobalProtect portal prelogin XML
https://gitlab.com/openconnect/openconnect/-/commit/ce214b87 <https://gitlab.com/openconnect/openconnect/-/commit/ce214b87> Expand
comment about potentially-useful information in GP portal
configuration
https://gitlab.com/openconnect/openconnect/-/commit/9164e21e <https://gitlab.com/openconnect/openconnect/-/commit/9164e21e> Clearer
error message when GlobalProtect portal configuration contains no
gateways at all
https://gitlab.com/openconnect/openconnect/-/commit/51586b29 <https://gitlab.com/openconnect/openconnect/-/commit/51586b29> GP: add
'internal=no' flag to the login and configuration requests
https://gitlab.com/openconnect/openconnect/-/commit/07386df8 <https://gitlab.com/openconnect/openconnect/-/commit/07386df8> No
embedded URLs in translatable strings
https://gitlab.com/openconnect/openconnect/-/commit/c58464a8 <https://gitlab.com/openconnect/openconnect/-/commit/c58464a8> Declare C
string constants using array syntax
https://gitlab.com/openconnect/openconnect/-/commit/ff13a983 <https://gitlab.com/openconnect/openconnect/-/commit/ff13a983> GP SAML:
support legacy workflow
https://gitlab.com/openconnect/openconnect/-/commit/3d0a3247 <https://gitlab.com/openconnect/openconnect/-/commit/3d0a3247> GP SAML:
handle redirect case
https://gitlab.com/openconnect/openconnect/-/commit/a287bc00 <https://gitlab.com/openconnect/openconnect/-/commit/a287bc00> GP SAML:
fix some memory handling
https://gitlab.com/openconnect/openconnect/-/commit/c4c813ec <https://gitlab.com/openconnect/openconnect/-/commit/c4c813ec> start
adding GP SSO support
There's no guarantee that any of this will make a difference for your
issue (as I said before, I haven't seen that exactly error message),
but I would still recommend building and testing OpenConnect v9.12.
Please let us know if you get same/different results with v9.12.
Daniel
More information about the openconnect-devel
mailing list