Gentoo Forums
GlobalProtect VPN with SAML Authentication
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 283

PostPosted: Thu Dec 15, 2022 4:05 pm    Post subject: GlobalProtect VPN with SAML Authentication

Has anyone been able to successfully set this up? I've been poking at it for a bit but not having much luck.

Here are some things I have tried:

  • Using the PanGpsUI. No luck, it wants QT5 webkit which is unsupported.
  • Using PanGPS and the globalconnect command line. I get "Failed to connect to <remote_server>. Error: Default browser is not enabled"
  • Using gp-saml-gui. This will let me log in and perform two-factor authentication. I get a message that says "Login Successful" but I don't get the expected message "Got SAML relevant headers, done". No variables seem to be set when run inside an eval.


Any guidance would be appreciated!


Last edited by justin_brody on Thu Dec 15, 2022 4:47 pm; edited 1 time in total
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879

PostPosted: Thu Dec 15, 2022 4:29 pm    Post subject:

I found this
Code:

Ubuntu Linux

Install "network-manager-vpnc"
Configure a VPN of type Cisco compatible (vpnc)
Description -> Name
Gateway -> IP_gateway
Account -> <local_user>
Password -> <Password>
Use certificate -> NO
Name of Group -> Name_VPN
Secret -> Name_of_Secret

Maybe install
net-vpn/vpnc
and try to configure it thus.
See
https://live.paloaltonetworks.com/t5/general-topics/open-vpn-client-for-globalprotect/td-p/316880
I was trying to locate .ovpn files and I got the above.
justin_brody
Apprentice
Joined: 26 Jan 2005
Posts: 283

PostPosted: Thu Dec 15, 2022 4:42 pm    Post subject:

Thanks alamahant!
I should mention that this is a server I used to connect to fine using a configuration similar to what you posted. Unfortunately they switched the authentication mechanism so that SAML is now required.

My understanding is that VPNC does not support this but OpenVPN does. From what I can tell, there's an extra step to get the information that needs to be passed to OpenVPN (the "SAML-relevant headers" that gp-saml-gui is looking for) and this is where I seem to be stuck...
alamahant
Advocate
Joined: 23 Mar 2019
Posts: 3879

PostPosted: Thu Dec 15, 2022 4:47 pm    Post subject:

I don't know if it is helpful, but I found this
https://gpo.zugaina.org/net-vpn/globalprotect-openconnect
and it supports SAML.
But it requires
dev-qt/qtwebengine
Oh-my-God!
But there are CLI versions
Code:

 eix openconnect
* acct-group/nm-openconnect
     Available versions:  0
     Description:         A group for net-vpn/networkmanager-openconnect

* acct-user/nm-openconnect
     Available versions:  0
     Description:         A user for net-vpn/networkmanager-openconnect

* net-vpn/networkmanager-openconnect
     Available versions:  1.2.8-r1 {gtk}
     Homepage:            https://wiki.gnome.org/Projects/NetworkManager https://gitlab.gnome.org/GNOME/NetworkManager-openconnect
     Description:         NetworkManager OpenConnect plugin

* net-vpn/openconnect
     Available versions:  9.01(0/5)^t (~)9.01-r1(0/5)^t **9999(0/5)*l^t {doc +gnutls gssapi libproxy lz4 nls pskc selinux smartcard stoken test}
     Homepage:            https://www.infradead.org/openconnect/
     Description:         Free client for Cisco AnyConn

and
https://linuxkamarada.com/en/2020/03/19/how-to-connect-to-a-globalprotect-vpn/
salahx
Guru
Joined: 12 Mar 2005
Posts: 530

PostPosted: Sun Dec 18, 2022 2:59 am    Post subject:

My workplace uses it too. Support exists in theory, but won't be fully realized until at least the next version of net-vpn/networkmanager-openconnect is released: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/26

The main problem is that networkmanager-openconnect needs to embed a browser within it to display the portal and get the cookie needed for the gateway.

See https://www.infradead.org/openconnect/globalprotect.html for support.
salahx
Guru
Joined: 12 Mar 2005
Posts: 530

PostPosted: Mon Dec 19, 2022 11:30 pm    Post subject:

I wrote an ebuild for a git prerelease snapshot of networkmanager-openconnect. It was quite buggy for me (could connect to the portal but not the gateway; also needed the VPN settings opened to get the dialog box; in addition, you need to press Login on the auth dialog box to get the web page to appear). Although it opened up the web browser and asked for credentials, I was able to log in to the portal successfully.


Call it "networkmanager-openconnect-1.2.9_pre20220526.ebuild"
Code:
# Copyright 1999-2022 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

EAPI=8

GNOME_ORG_MODULE="NetworkManager-${PN##*-}"
# Upstream git snapshot; the gitlab archive unpacks to ${GNOME_ORG_MODULE}-${GIT_HASH}
GIT_HASH="cb3dedbaf641e5dad6cfcda81b1bd9dd8fa4a840"

inherit gnome2

DESCRIPTION="NetworkManager OpenConnect plugin"
HOMEPAGE="https://wiki.gnome.org/Projects/NetworkManager https://gitlab.gnome.org/GNOME/NetworkManager-openconnect"
SRC_URI="https://gitlab.gnome.org/GNOME/${PN}/-/archive/${GIT_HASH}/${PN}-${GIT_HASH}.tar.bz2 -> ${P}.tar.bz2"

LICENSE="GPL-2+"
SLOT="0"
KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc64 ~riscv ~x86"
IUSE="gtk"

DEPEND="
	>=net-misc/networkmanager-1.2:=
	>=dev-libs/glib-2.34:2
	>=dev-libs/dbus-glib-0.74
	dev-libs/libxml2:2
	>=net-vpn/openconnect-3.02:=
	gtk? (
		>=app-crypt/libsecret-0.18
		>=app-crypt/gcr-3.4:0=
		>=x11-libs/gtk+-3.12:3
		>=gui-libs/gtk-4.0:4
		>=net-libs/libnma-1.8.36
		net-libs/webkit-gtk
	)
"

RDEPEND="
	${DEPEND}
	acct-group/nm-openconnect
	acct-user/nm-openconnect
"

BDEPEND="
	sys-devel/gettext
	dev-util/intltool
	virtual/pkgconfig
"

src_unpack() {
	default
	# Rename the snapshot directory to the ${S} the gnome2 eclass expects
	mv "${GNOME_ORG_MODULE}-${GIT_HASH}" "${GNOME_ORG_MODULE}-${PV}" || die
}

src_prepare() {
	gnome2_src_prepare

	# Bug #830257; patch Makefile.am before autogen so the generated Makefile.in inherits it
	sed -i 's|/appdata|/metainfo|g' Makefile.am || die

	# A git snapshot ships no configure script; generate it here. NOCONFIGURE keeps
	# autogen.sh from running configure itself, which src_configure does below.
	NOCONFIGURE=1 ./autogen.sh || die
}

src_configure() {
	gnome2_src_configure \
		--disable-more-warnings \
		--disable-static \
		--without-libnm-glib \
		$(use_with gtk gnome) \
		$(use_with gtk authdlg) \
		$(use_with gtk gtk4)
}


Upstream doesn't seem to be very active. The last non-translation commit was in May 2022 (unless development has moved elsewhere).
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

PostPosted: Tue Dec 27, 2022 1:19 pm    Post subject:

I'm sorry I don't follow all this, but why is a GUI required to connect to the VPN?
salahx
Guru
Joined: 12 Mar 2005
Posts: 530

PostPosted: Tue Dec 27, 2022 4:57 pm    Post subject:

The authentication process with SAML can work something like this: when the user connects to the VPN, the server spits out a SAML REDIRECT to a web site to do the authentication. Once the authentication is completed, the web server returns a cookie needed for the 2nd phase of authentication. The VPN client needs this cookie, and so an embedded web browser is opened to handle the redirect, the user performs the authentication, and the cookie is then captured.
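The two-phase exchange described in the post above, written out for the GlobalProtect ("gp") protocol as an added example. This is not code from the thread, from gp-saml-gui or from openconnect. It assumes the prelogin.esp XML fields (saml-auth-method, saml-request) and the response headers (saml-auth-status, saml-username, prelogin-cookie / portal-userauthcookie) that gp-saml-gui treats as the "SAML relevant headers", and the openconnect invocation its README gives; the sample XML, HTML form and headers are constructed, and idp.example.org / vpn.example.org are hypothetical.

```python
"""Two-phase GlobalProtect SAML login as described above (added example).
Phase 1: POST .../global-protect/prelogin.esp (portal) or .../ssl-vpn/prelogin.esp
  (gateway); with SAML enabled the XML carries <saml-auth-method> REDIRECT|POST and
  a base64 <saml-request> (an IdP URL, or an HTML form to auto-submit).
Phase 2: after the IdP login the portal's final response carries saml-auth-status,
  saml-username and prelogin-cookie/portal-userauthcookie; the cookie becomes the
  openconnect password. Header names follow gp-saml-gui (assumed here)."""
import base64
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from typing import Dict, List, Optional

# --- constructed sample exchange; hostnames and values are hypothetical ----
IDP_SSO = "https://idp.example.org/sso"
IDP_URL = IDP_SSO + "?SAMLRequest=ZmFrZQ"


def _prelogin_xml(method: str, request: str) -> str:
    b64 = base64.b64encode(request.encode()).decode()
    return (f"<prelogin-response><status>Success</status>"
            f"<saml-auth-method>{method}</saml-auth-method>"
            f"<saml-request>{b64}</saml-request><region>EU</region></prelogin-response>")


SAMPLE_FORM = ('<html><body onload="document.forms[0].submit()">'
               f'<form method="post" action="{IDP_SSO}">'
               '<input type="hidden" name="SAMLRequest" value="ZmFrZQ"/>'
               '<input type="hidden" name="RelayState" value="vpn.example.org"/>'
               '</form></body></html>')
SAMPLE_PRELOGIN_REDIRECT = _prelogin_xml("REDIRECT", IDP_URL)
SAMPLE_PRELOGIN_POST = _prelogin_xml("POST", SAMPLE_FORM)
# Final portal response after the IdP posted the assertion back ...
SAMPLE_FINAL_HEADERS = {"Content-Type": "text/html", "saml-auth-status": "1",
                        "saml-username": "jdoe@example.org",
                        "prelogin-cookie": "c0n5tructedC00kie"}
# ... and the failure mode: the page says "Login Successful" but no SAML headers
# ever come back, so there is nothing to hand to the VPN client.
SAMPLE_STUCK_HEADERS = {"Content-Type": "text/html"}


class _FormScraper(HTMLParser):
    """Action URL and hidden inputs of the first <form> in a POST saml-request."""
    def __init__(self) -> None:
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields[a.get("name") or ""] = a.get("value") or ""


def parse_prelogin(xml_text: str) -> dict:
    """Phase 1: what the client must do next, derived from the prelogin reply."""
    root = ET.fromstring(xml_text)
    if (root.findtext("status") or "").lower() != "success":
        raise ValueError(f"prelogin failed: {root.findtext('msg')}")
    method = (root.findtext("saml-auth-method") or "").upper()
    b64 = root.findtext("saml-request")
    if not method or not b64:
        return {"method": "PASSWORD"}            # no SAML on this portal
    request = base64.b64decode(b64).decode()
    if method == "REDIRECT":                     # browser must GET this URL
        return {"method": "REDIRECT", "url": request, "fields": {}}
    if method == "POST":                         # browser must submit this form
        form = _FormScraper()
        form.feed(request)
        if not form.action:
            raise ValueError("POST saml-request carries no form action")
        return {"method": "POST", "url": form.action, "fields": form.fields}
    raise ValueError(f"unknown saml-auth-method {method!r}")


COOKIE_HEADERS = ("prelogin-cookie", "portal-userauthcookie")


def extract_saml_result(headers: Dict[str, str]) -> Optional[dict]:
    """Phase 2: the credential in the final response headers, or None when the
    portal has not handed one back. Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("saml-auth-status") != "1":
        return None
    for name in COOKIE_HEADERS:
        if h.get(name):
            return {"user": h.get("saml-username", ""), "cookie_name": name,
                    "cookie": h[name]}
    return None


def openconnect_argv(host: str, user: str, cookie_name: str,
                     interface: str = "portal", os_name: str = "linux-64") -> List[str]:
    """Finish the login the way gp-saml-gui's README does: the cookie is the
    password and is read from stdin, so it never appears in argv or in ps."""
    return ["openconnect", "--protocol=gp", f"--user={user}", f"--os={os_name}",
            f"--usergroup={interface}:{cookie_name}", "--passwd-on-stdin", host]
```

The cookie is a bearer credential for the whole VPN session, which is why the command above takes it on stdin rather than on the command line. A wrapper script should treat `extract_saml_result` returning None as a failure and stop there instead of retrying blindly: the IdP login finished, but the portal never returned the headers, so there is nothing valid to feed to openconnect.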
pgu
l33t
Joined: 30 Jul 2009
Posts: 721
Location: Oslo, Norway

PostPosted: Fri Dec 30, 2022 10:53 am    Post subject:

Thank you for the explanation. I guess a chromedriver/selenium could do the job for a CLI interface then.
mimosinnet
l33t
Joined: 10 Aug 2006
Posts: 713
Location: Barcelona, Spain

PostPosted: Sat Dec 02, 2023 6:01 am    Post subject:

salahx wrote:
The authentication process with SAML can work something like this: when the user connects to the VPN, the server spits out a SAML REDIRECT to a web site to do the authentication. Once the authentication is completed, the web server returns a cookie needed for the 2nd phase of authentication. The VPN client needs this cookie, and so an embedded web browser is opened to handle the redirect, the user performs the authentication, and the cookie is then captured.


Thanks for the explanation. I have been able to connect with SAML using net-vpn/openfortivpn and openfortivpn-webview.

Installation:
Code:
root % emerge net-vpn/openfortivpn
user $ git clone git@github.com:gm-vm/openfortivpn-webview.git


Execution:
Code:
#!/bin/zsh
server="SERVER:PORT"    # VPN gateway, as in the original post
webview_dir="(openfortivpn-webview PATH)/openfortivpn-webview/openfortivpn-webview-electron"

# The webview prints "SVPNCOOKIE=<value>" on stdout once the SAML login completes
webview=$(npm start --prefix "$webview_dir" -- "$server")
cookie=$(echo "$webview" | grep '^SVPNCOOKIE=' | sed 's/^SVPNCOOKIE=//')
[[ -n "$cookie" ]] || { echo "no SVPNCOOKIE captured" >&2; exit 1; }

sleep 15

# The cookie is the session credential; --cookie exposes it in the process list,
# openfortivpn's --cookie-on-stdin avoids that
su -c "openfortivpn $server --cookie '$cookie'"


Cheers!
cfgauss
l33t
Joined: 18 May 2005
Posts: 688
Location: USA

PostPosted: Sat Mar 09, 2024 7:02 pm    Post subject:

I was able to install release 2.1.0 of globalprotect-openconnect from source. It has a fix-openssl flag which I believe is necessary for my VPN server/VPN gateway/Gentoo box combination. Works like a charm.