Our site uses the Juniper Pulse VPN, configured with a pre-auth banner
you must click through, requiring the host checker, requiring Duo MFA,
and using profiles.
Has anyone come up with a combination of openconnect and helper
utilities that will satisfy *all* of these dependencies?
The best I have been able to come up with relies on the juniper-vpn-py
helper scripts:
https://github.com/russdill/juniper-vpn-py/
Specifically, I run it like this:
$ ./juniper-vpn.py --host vpn.example.org --username myusername \
    --pass 123 --stdin DSID=%DSID% \
    openconnect --juniper %HOST% --cookie-on-stdin
(The argument to --pass is the first 3 digits of the one-time passcode
I get from the Duo Mobile app; I used “123” as an example.)
When I run this, juniper-vpn.py first asks me for my password, and
then it asks for the secondary password (which is where I enter the
final 3 digits of the one-time passcode).
It’s convoluted, but it works, albeit with no DTLS support:
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-type: text/html; charset=utf-8
header: Set-Cookie: DSLastAccess=1547265626; path=/; Secure
header: Connection: close
header: Pragma: no-cache
header: Cache-Control: no-store
header: Expires: -1
header: X-Frame-Options: SAMEORIGIN
header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
WARNING: Juniper Network Connect support is experimental.
It will probably be superseded by Junos Pulse support.
Connected to 1.2.3.4:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org
Set up UDP failed; using SSL instead
Connected as 5.6.7.8, using SSL, with ESP disabled
The only problem is, now we are using profiles, which means that if I
connect to this profile:
https://vpn.example.org/admin
I will get more network access than if I just connect to:
https://vpn.example.org/
But I don’t see any way to specify profiles to either juniper-vpn.py
or to openconnect itself.
I filed a Github issue to see if there is any way I could help add
profile support:
https://github.com/russdill/juniper-vpn-py/issues/29
…but the maintainer hasn’t responded to it.
Has anyone figured out a way to select Juniper Pulse profiles using
openconnect, potentially combined with other helper scripts?
If not, if someone could provide a rough description of the work that
needs to be done to support them (either in openconnect or
juniper-vpn-py), I’d be willing to take a crack at it, as we need this
functionality.
_______________________________________________
openconnect-devel mailing list
http://lists.infradead.org/mailman/listinfo/openconnect-devel