GlobalProtect VPN with SAML Authentication

13 posts • Page 1 of 1
justin_brody (Apprentice; Posts: 283; Joined: Wed Jan 26, 2005 11:09 pm)

Post by justin_brody » Thu Dec 15, 2022 4:05 pm

Has anyone been able to successfully set this up? I've been poking at it for a bit but not having much luck.

Here are some things I have tried:
  • Using the PanGpsUI. No luck, it wants Qt5 WebKit, which is unsupported.
  • Using PanGPS and the globalconnect command line. I get "Failed to connect to <remote_server>. Error: Default browser is not enabled".
  • Using gp-saml-gui. This will let me log in and perform two-factor authentication. I get a message that says "Login Successful" but I don't get the expected message "Got SAML relevant headers, done". No variables seem to be set when run inside an eval.
Any guidance would be appreciated!
Last edited by justin_brody on Thu Dec 15, 2022 4:47 pm, edited 1 time in total.
alamahant (Advocate; Posts: 4032; Joined: Sat Mar 23, 2019 12:12 pm)

Post by alamahant » Thu Dec 15, 2022 4:29 pm

I found this

Code:

Ubuntu Linux

Install "network-manager-vpnc"
Configure a VPN of type Cisco compatible (vpnc)
Description -> Name
Gateway -> IP_gateway
Account -> <local_user>
Password -> <Password>
Use certificate -> NO
Name of Group -> Name_VPN
Secret -> Name_of_Secret
Maybe install
net-vpn/vpnc
and try to configure it thus.
See
https://live.paloaltonetworks.com/t5/ge ... d-p/316880
I was trying to locate .ovpn files and I got the above.
:)
justin_brody (Apprentice; Posts: 283; Joined: Wed Jan 26, 2005 11:09 pm)

Post by justin_brody » Thu Dec 15, 2022 4:42 pm

Thanks alamahant!
I should mention that this is a server I used to connect to fine using a configuration similar to what you posted. Unfortunately they switched the authentication mechanism so that SAML is now required.

My understanding is that VPNC does not support this but OpenVPN does. From what I can tell, there's an extra step to get the information that needs to be passed to OpenVPN (the "SAML-relevant headers" that gp-saml-gui is looking for) and this is where I seem to be stuck...
alamahant (Advocate; Posts: 4032; Joined: Sat Mar 23, 2019 12:12 pm)

Post by alamahant » Thu Dec 15, 2022 4:47 pm

I don't know if it is helpful but I found this
https://gpo.zugaina.org/net-vpn/globalp ... penconnect
And it supports SAML.
But it requires
dev-qt/qtwebengine
Oh-my-God!
But there are CLI versions

Code:

 eix openconnect
* acct-group/nm-openconnect
     Available versions:  0
     Description:         A group for net-vpn/networkmanager-openconnect

* acct-user/nm-openconnect
     Available versions:  0
     Description:         A user for net-vpn/networkmanager-openconnect

* net-vpn/networkmanager-openconnect
     Available versions:  1.2.8-r1 {gtk}
     Homepage:            https://wiki.gnome.org/Projects/NetworkManager https://gitlab.gnome.org/GNOME/NetworkManager-openconnect
     Description:         NetworkManager OpenConnect plugin

* net-vpn/openconnect
     Available versions:  9.01(0/5)^t (~)9.01-r1(0/5)^t **9999(0/5)*l^t {doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test}
     Homepage:            https://www.infradead.org/openconnect/
     Description:         Free client for Cisco AnyConn
and
https://linuxkamarada.com/en/2020/03/19 ... otect-vpn/
:)
salahx (Guru; Posts: 572; Joined: Sat Mar 12, 2005 6:39 am)

Post by salahx » Sun Dec 18, 2022 2:59 am

My workplace uses it too. Support exists in theory, but won't totally be realized until at least the next version of net-vpn/networkmanager-openconnect is released: https://gitlab.gnome.org/GNOME/NetworkM ... equests/26

The main problem is that networkmanager-openconnect needs to embed a browser within it to display the portal to get the cookie needed for the gateway.

See https://www.infradead.org/openconnect/g ... otect.html for support.
salahx (Guru; Posts: 572; Joined: Sat Mar 12, 2005 6:39 am)

Post by salahx » Mon Dec 19, 2022 11:30 pm

I wrote an ebuild for a git prerelease snapshot of networkmanager-openconnect. It was quite buggy for me (it could connect to the portal but not the gateway; it also needed the VPN settings opened to get the dialog box; in addition, you need to press Login on the auth dialog box to get the web page to appear), although it opens up the web browser and asks for credentials, and I was able to log in to the portal successfully.


Call it "networkmanager-openconnect-1.2.9_pre20220526.ebuild"

Code:

# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

GNOME_ORG_MODULE="NetworkManager-${PN##*-}"
GIT_HASH="cb3dedbaf641e5dad6cfcda81b1bd9dd8fa4a840"

inherit gnome2

DESCRIPTION="NetworkManager OpenConnect plugin"
HOMEPAGE="https://wiki.gnome.org/Projects/NetworkManager https://gitlab.gnome.org/GNOME/NetworkManager-openconnect"
SRC_URI="https://gitlab.gnome.org/GNOME/${PN}/-/archive/${GIT_HASH}/${PN}-${GIT_HASH}.tar.bz2 -> ${P}.tar.bz2"

LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
IUSE="gtk"

DEPEND="
	>=net-misc/networkmanager-1.2:=
	>=dev-libs/glib-2.34:2
	>=dev-libs/dbus-glib-0.74
	dev-libs/libxml2:2
	>=net-vpn/openconnect-3.02:=
	gtk? (
		>=app-crypt/libsecret-0.18
		>=app-crypt/gcr-3.4:0=
		>=x11-libs/gtk+-3.12:3
		>=gui-libs/gtk-4.0:4
		>=net-libs/libnma-1.8.36
		net-libs/webkit-gtk
	)
"

RDEPEND="
	${DEPEND}
	acct-group/nm-openconnect
	acct-user/nm-openconnect
"

BDEPEND="
	sys-devel/gettext
	dev-util/intltool
	virtual/pkgconfig
"

src_unpack() {
	default
	# The GitLab archive unpacks as <module>-<hash>; rename it to the ${S} the gnome2 eclass expects
	mv "${GNOME_ORG_MODULE}-${GIT_HASH}" "${GNOME_ORG_MODULE}-${PV}" || die
}

src_prepare() {
	# A git snapshot ships no configure script; generate it here, but do not
	# let autogen.sh run configure itself (that happens in src_configure)
	NOCONFIGURE=1 "${S}"/autogen.sh || die

	# Bug #830257
	sed -i 's|/appdata|/metainfo|g' Makefile.{in,am} || die

	default
}

src_configure() {
	gnome2_src_configure \
		--disable-more-warnings \
		--disable-static \
		--without-libnm-glib \
		$(use_with gtk gnome) \
		$(use_with gtk authdlg) \
		$(use_with gtk gtk4)
}
Upstream doesn't seem to be very active. The last non-translation commit was in May 2022 (unless development has moved elsewhere).
pgu (l33t; Posts: 722; Joined: Thu Jul 30, 2009 3:41 pm; Location: Oslo, Norway)

Post by pgu » Tue Dec 27, 2022 1:19 pm

I'm sorry I don't follow all this, but why is a GUI required to connect to the VPN?
salahx (Guru; Posts: 572; Joined: Sat Mar 12, 2005 6:39 am)

Post by salahx » Tue Dec 27, 2022 4:57 pm

The authentication process with SAML can work something like this: when the user connects to the VPN, the server spits out a SAML REDIRECT to a web site to do the authentication. Once the authentication is completed, the web server returns a cookie needed for the second phase of authentication. The VPN client needs this cookie, and so an embedded web browser is opened to handle the redirect, the user performs the authentication, and the client then captures the cookie.
pgu (l33t; Posts: 722; Joined: Thu Jul 30, 2009 3:41 pm; Location: Oslo, Norway)

Post by pgu » Fri Dec 30, 2022 10:53 am
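The exchange salahx describes above, together with the symptom in the first post (a "Login Successful" page but no "Got SAML relevant headers, done" and nothing set by the eval), can be shown in code. The Python below is an added example, not code from gp-saml-gui, openconnect or anyone in this thread. The element and header names (saml-auth-method, saml-request, saml-auth-status, prelogin-cookie, portal-userauthcookie, saml-username) are the ones gp-saml-gui and openconnect's GlobalProtect support look for; the prelogin replies and the ACS page are constructed for the example, and the HOST/USER/COOKIE/USERGROUP variable names are this example's own, not gp-saml-gui's exact output.

```python
"""GlobalProtect SAML prelogin parsing and cookie harvesting.

Added example, not code from gp-saml-gui, openconnect or this thread.
Element/header names are the ones those projects look for; every sample
response below is constructed for the example."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed reply to GET /global-protect/prelogin.esp from a portal that
# has been switched to SAML (the situation in the first post).
SAML_PRELOGIN = """<?xml version="1.0" encoding="UTF-8"?>
<prelogin-response>
  <status>Success</status>
  <saml-auth-status>1</saml-auth-status>
  <saml-auth-method>REDIRECT</saml-auth-method>
  <saml-request>{req}</saml-request>
</prelogin-response>""".format(
    req=base64.b64encode(b"https://idp.example.test/sso?SAMLRequest=EXAMPLE").decode())

# Constructed reply from a portal still on username/password.
PASSWORD_PRELOGIN = """<prelogin-response>
  <status>Success</status>
  <authentication-message>Enter login credentials</authentication-message>
  <username-label>Username</username-label>
  <password-label>Password</password-label>
</prelogin-response>"""


def parse_prelogin(xml_text: str) -> Dict[str, str]:
    """Tell SAML apart from password auth and decode the SAML request.

    The portal is a remote party, so the XML is untrusted: ElementTree does
    not fetch external entities, and nothing here turns that on."""
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response":
        raise ValueError("not a prelogin-response")
    status = root.findtext("status")
    if status != "Success":
        raise ValueError(f"prelogin failed: {status}")
    method = root.findtext("saml-auth-method")
    if method is None:
        return {"auth": "password"}
    # REDIRECT: the decoded value is the IdP URL the browser must visit;
    # POST: it is an HTML form that auto-submits to the IdP.
    decoded = base64.b64decode(root.findtext("saml-request") or "").decode("utf-8", "replace")
    return {"auth": "saml", "method": method, "request": decoded}


# After the IdP round trip the browser lands on the gateway's ACS page. The
# values may arrive as HTTP response headers or inside an HTML comment; this
# constructed capture shows both forms.
ACS_HEADERS = {
    "Content-Type": "text/html",
    "saml-auth-status": "1",
    "prelogin-cookie": "CONSTRUCTED-PRELOGIN-COOKIE",
    "saml-username": "alice@example.test",
}
ACS_BODY = """<html><body>Login Successful
<!-- <saml-auth-status>1</saml-auth-status>
<prelogin-cookie>CONSTRUCTED-PRELOGIN-COOKIE</prelogin-cookie>
<saml-username>alice@example.test</saml-username> -->
</body></html>"""

SAML_FIELDS = ("saml-auth-status", "prelogin-cookie",
               "portal-userauthcookie", "saml-username")
COMMENT_RE = re.compile(r"<!--\s*(.*?)\s*-->", re.S)


def harvest_saml_result(headers: Dict[str, str], body: str) -> Optional[Dict[str, str]]:
    """Return user, cookie and the openconnect usergroup, or None.

    A page saying "Login Successful" proves nothing on its own: until
    saml-auth-status is 1 and a cookie is present the client has to keep
    watching later responses, which is where the first post's run stalled."""
    found = {k.lower(): v for k, v in headers.items() if k.lower() in SAML_FIELDS}
    for comment in COMMENT_RE.findall(body):
        for tag in SAML_FIELDS:
            m = re.search(rf"<{tag}>(.*?)</{tag}>", comment, re.S)
            if m and tag not in found:
                found[tag] = m.group(1).strip()
    if found.get("saml-auth-status") != "1":
        return None
    if "prelogin-cookie" in found:
        cookie, usergroup = found["prelogin-cookie"], "gateway:prelogin-cookie"
    elif "portal-userauthcookie" in found:
        cookie, usergroup = found["portal-userauthcookie"], "portal:portal-userauthcookie"
    else:
        return None
    if "saml-username" not in found:
        return None
    return {"user": found["saml-username"], "cookie": cookie, "usergroup": usergroup}


def shell_assignments(result: Dict[str, str], host: str) -> str:
    """Emit HOST/USER/COOKIE/USERGROUP lines for `eval` (names are this
    example's own). Values are single-quoted so a hostile cookie or
    username cannot inject shell syntax into the caller's eval."""
    def q(s: str) -> str:
        return "'" + s.replace("'", "'\\''") + "'"
    pairs = (("HOST", host), ("USER", result["user"]),
             ("COOKIE", result["cookie"]), ("USERGROUP", result["usergroup"]))
    return "\n".join(f"{k}={q(v)}" for k, v in pairs)
```

The harvested cookie is what openconnect needs for the second phase, and it is best handed over on stdin rather than on the command line (where it would be visible in the process list), in the form openconnect documents for GlobalProtect: `echo "$COOKIE" | openconnect --protocol=gp --user="$USER" --usergroup="$USERGROUP" --passwd-on-stdin "$HOST"`. Two checks are deliberate: the prelogin XML is treated as untrusted input, and the harvester returns nothing until saml-auth-status is 1 and an actual cookie is present, so a wrapper that evals its output gets either all variables or none.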

Thank you for the explanation. I guess a chromedriver/selenium could do the job for a CLI interface then.
mimosinnet (l33t; Posts: 720; Joined: Thu Aug 10, 2006 4:20 pm; Location: Barcelona, Spain)

Post by mimosinnet » Sat Dec 02, 2023 6:01 am

salahx wrote: The authentication process with SAML can work something like this: when the user connects to the VPN, the server spits out a SAML REDIRECT to a web site to do the authentication. Once the authentication is completed, the web server returns a cookie needed for the second phase of authentication. The VPN client needs this cookie, and so an embedded web browser is opened to handle the redirect, the user performs the authentication, and the client then captures the cookie.
Thanks for the explanation. I have been able to log in with SAML using net-vpn/openfortivpn and openfortivpn-webview.

Installation:

Code:

root % emerge net-vpn/openfortivpn
user $ git clone git@github.com:gm-vm/openfortivpn-webview.git
Execution:

Code:

#!/bin/zsh
# Placeholders kept from the original post: SERVER:PORT is the VPN gateway
# and (openfortivpn-webview PATH) is where the repository was cloned.
webview_dir="(openfortivpn-webview PATH)/openfortivpn-webview/openfortivpn-webview-electron"

# The webview opens the SAML login page and, once the IdP round trip is done,
# prints the "SVPNCOOKIE=..." line on stdout (its other output goes to stderr).
# Piping that line straight into openfortivpn keeps the cookie off the
# command line, where it would be visible to every user in the process list.
npm start --prefix "$webview_dir" -- SERVER:PORT 2>/dev/null \
  | grep SVPNCOOKIE \
  | su -c "openfortivpn SERVER:PORT --cookie-on-stdin"
Cheers!
Please add [solved] to the initial post's subject line if you feel your problem is resolved.
Take care of the community answering unanswered posts.
cfgauss (l33t; Posts: 793; Joined: Wed May 18, 2005 7:07 pm; Location: USA)

Post by cfgauss » Sat Mar 09, 2024 7:02 pm

I was able to install release 2.1.0 of globalprotect-openconnect from source. It has a fix-openssl flag which I believe is necessary for my VPN server/VPN gateway/Gentoo box combination. Works like a charm.
x_fight (n00b; Posts: 2; Joined: Sun Nov 23, 2008 3:32 am)

Post by x_fight » Fri Apr 26, 2024 2:10 pm

Another script to retrieve the token using an external browser: https://github.com/filippor/XdgOpenSaml
jbaker4870 (n00b; Posts: 1; Joined: Wed Jul 31, 2024 6:40 pm)

Post by jbaker4870 » Wed Jul 31, 2024 7:01 pm

This thread has provided good information in attempting to troubleshoot a user's Gentoo system connecting to a GlobalProtect VPN.
cfgauss wrote: I was able to install release 2.1.0 of globalprotect-openconnect from source. It has a fix-openssl flag which I believe is necessary for my VPN server/VPN gateway/Gentoo box combination. Works like a charm.
cfgauss, is that with SAML authentication for the portal and cookie accept for the gateway?

© 2001–2026 Gentoo Foundation, Inc.