On Thu, 2020-04-30 at 10:54 +0100, Dave Love wrote:
> I don't know if this should really be a networkmanager question or not,
> but this seems the most likely place to ask for a recipe.
>
> I've built backported packages for network-manager-openconnect to
> support use with globalprotect (and Duo 2fa); see below. They work
> under network-manager-gnome configured to use the GP gateway
> straightforwardly via the GUI: authenticate with <password>,<otp-code>
> and connect.
>
> However I'd like to use the command line (nmcli), rather than raw
> openconnect (which works), on remote systems. I'm used to doing that
> with a less-reliable tcp-over-tcp openvpn service just by doing
>   nmcli --ask c up <config>
> and authenticating. However, I can't get it working with
> openconnect/GP. The doc isn't clear to me about the prompts I'm seeing
> and how to configure out what I don't need -- at least the
> certificate. I get this output, assuming the first prompt is for
> <password>,<code>:
>
> Connected to HTTPS on ***
> Got HTTP response: HTTP/1.1 502 Bad Gateway
> Unexpected 502 result from server
> Failed to obtain WebVPN cookie
> Error: openconnect failed with status 1
> A password is required to connect to 'GP'.
> Gateway (vpn.secrets.gateway):
> A password is required to connect to 'GP'.
> Cookie (vpn.secrets.cookie):
> A password is required to connect to 'GP'.
> Gateway certificate hash (vpn.secrets.gwcert):
> Error: Connection activation failed: No valid secrets
>
> Can anyone advise?
The three secrets it's looking for there are the *result* of
authentication. Whatever you have to do with certificates, passwords,
SAML and 2FA aren't relevant; it just wants three things:
• The host you ended up authenticating to (after redirects, etc.).
• Hash of *its* SSL certificate.
• The 'cookie' that was the result of successful authentication.
Those are the things you get if you run 'openconnect --authenticate'.
Here's a script which will provide them to NetworkManager for you:
#!/bin/sh
# Usage: gp-connect.sh [gateway-host]
HOST="$1"
if [ -z "$HOST" ]; then
    HOST=vpn.example.com
fi
COOKIE=
FINGERPRINT=
# 'openconnect --authenticate' does the whole login (password, OTP, SAML,
# whatever the gateway wants) and then prints shell assignments for
# COOKIE, HOST (the gateway actually reached, after redirects) and
# FINGERPRINT (of that gateway's TLS certificate). Eval them into this shell.
eval "$(openconnect --user "$LOGNAME" "$HOST" --authenticate)"
if [ -z "$COOKIE" ]; then
    echo "openconnect authentication failed" >&2
    exit 1
fi
# Hand the three secrets to nmcli on fd 5 via a here-document, so they
# never appear on the command line or in a file on disk.
nmcli con up 'Example VPN' passwd-file /proc/self/fd/5 5<<EOF
vpn.secrets.cookie:$COOKIE
vpn.secrets.gwcert:$FINGERPRINT
vpn.secrets.gateway:$HOST
EOF
> If the backported packages are useful, Debian/Ubuntu is at
> <https://download.opensuse.org/repositories/home:/fx/> and EL6/EL7 is at
> <https://copr.fedorainfracloud.org/coprs/loveshack/openconnect/>. (The
> dwmw2 copr doesn't have recent versions for el6/7; there are many build
> attempts which are failing after a day, I think just because the tests
> won't run.
The COPR has been unreliable recently. Broken versions of http-parser,
ocserv, wine in Fedora updates have been a pain, and recently a lot of
builds seem to die when running out of disk space.
But there is a build of 8.09 for both el6 and el7.
https://copr-be.cloud.fedoraproject.org/results/dwmw2/openconnect/epel-6-x86_64/01356430-openconnect/
https://copr-be.cloud.fedoraproject.org/results/dwmw2/openconnect/epel-7-x86_64/01356430-openconnect/
> The rpms and dpkgs are built with the trojan in the same
> place for ease of documentation rather than using the dwmw2 PPA, but
> that may contravene Debian rules which I'm not up-to-date with. The
> PPA also doesn't have a recent enough network-manager-openconnect.)
Hm, is that just for EPEL or also for Fedora? Let's fix that in my COPR
too. What's missing?
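An added example (not part of the reply above, and not openconnect's or NetworkManager's own code) that does the same hand-off as the script in the reply, but parses the KEY='value' lines from 'openconnect --authenticate' instead of eval'ing them, and refuses to call nmcli unless all three secrets are present, which is exactly the "No valid secrets" failure in the original question. The sample output, the connection name 'Example VPN' and the gateway host are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of what 'openconnect --authenticate' prints on success
# (placeholder values; real cookies and fingerprints are much longer).
SAMPLE_AUTH_OUTPUT="COOKIE='abc123'
HOST='gw1.vpn.example.com'
FINGERPRINT='pin-sha256:0000'
CONNECT_URL='https://gw1.vpn.example.com/'"

# get_var NAME TEXT: print the single-quoted value of NAME='...' in TEXT,
# first match only, nothing if absent. No eval, so odd characters in a
# cookie cannot be executed as shell.
get_var() {
    printf '%s\n' "$2" | sed -n "s/^$1='\(.*\)'\$/\1/p" | head -n 1
}

# build_secrets TEXT: emit the passwd-file body nmcli expects for the
# openconnect VPN plugin. Returns 1 if any of the three secrets is missing,
# since nmcli would otherwise fail with "No valid secrets".
build_secrets() {
    cookie=$(get_var COOKIE "$1")
    host=$(get_var HOST "$1")
    fp=$(get_var FINGERPRINT "$1")
    if [ -z "$cookie" ] || [ -z "$host" ] || [ -z "$fp" ]; then
        return 1
    fi
    printf 'vpn.secrets.cookie:%s\nvpn.secrets.gwcert:%s\nvpn.secrets.gateway:%s\n' \
        "$cookie" "$fp" "$host"
}

# connect_vpn GATEWAY: authenticate interactively, then bring the
# connection up with the secrets passed on fd 5 (never on the command line).
connect_vpn() {
    auth=$(openconnect --user "$LOGNAME" "$1" --authenticate) || return 1
    secrets=$(build_secrets "$auth") || {
        echo "openconnect did not return all of COOKIE, HOST, FINGERPRINT" >&2
        return 1
    }
    nmcli con up 'Example VPN' passwd-file /proc/self/fd/5 5<<EOF
$secrets
EOF
}
```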
_______________________________________________
openconnect-devel mailing list
http://lists.infradead.org/mailman/listinfo/openconnect-devel
