Closed cubukun closed 9 months ago
I have added some changes in the application; please pull the latest changes, recompile and try it with "login-type=vpn_mfa" in the config file (value taken from your dump) or with the command line parameter "-o vpn_mfa".
Azure authentication with SAML is unfortunately not supported yet.
Thanks, but I have changed the id in the dump file. It will be changed according to the configuration from the Check Point FW. Unfortunately my account only has access to the id “Authen_Azure”, which is SAML with Azure+MFA from an authentication app that is unsupported yet. As far as I know this type of authentication is only supported on Windows and macOS.
Hi, thanks for keeping this project active. I can see you have implemented "Username/password authentication with Microsoft MFA Authenticator" and MFA from tty. Running

sudo ./snx-rs -o vpn_Authen_Azure -u $user -p $pwdd -s vpn.domain.com -H true -l trace

returns the following log. Can you take a look if my command is correct or not?
server reply: (CCCserverResponse
:ResponseHeader (
:id (2)
:type (UserPass)
:session_id ()
:return_code (600)
)
:ResponseData (
:authn_status (done)
:is_authenticated (false)
:error_message (01405e5044575a3535653a5c652d594a4168262c44216522265c2b237268702b3759394320653a352c272c6c)
:error_id (010d7a1711161a031c177314671b151a190a171f6e)
:error_code (101)
)
)
This error message decodes to: Access denied - wrong user name or password
The error id is: CPSC_SP_ACCESS_DENIED
If you provide a base64-encoded password, the common mistake is that it also includes an end-of-line character.
But I see that you probably used Azure SAML; it will not currently work. It requires an interactive SAML/OIDC workflow via the browser, extracting a session cookie and OTP from there, and then using it somehow to get the session key (and that's the part which I haven't figured out yet).
Thanks for the quick response. Another method I would use is using a certificate. Any chance that this method is supported?
:id (certificate)
:secondary_realm_hash (xxxxx)
:display_name ("Certificate Auth")
:show_realm (1)
:factors (
:0 (
:factor_type (certificate)
:securid_card_type ()
:certificate_storage_type (any)
:custom_display_labels (
:header ("Please provide certificate in order to authenticate")
)
)
:1 (
:factor_type (sms)
:securid_card_type ()
:certificate_storage_type ()
:custom_display_labels (
:header ("An SMS\Email with a verification code was sent to your phone\Email account and should arrive shortly. Please type the verification code")
:password ("Verification Code")
)
)
)
I can add certificate authentication when I have a bit of time.
There are two things needed for it: 1) add a parameter to specify the client's keychain (certificate + private key) and 2) add the CertAuth request.
You could perhaps try the certauth branch. There is a new parameter added, --client-cert=<path> (or -y <path>), which enables certificate authentication instead of username/password.
You need to provide a path to a PEM file which contains a private key and one or more certificates. It commonly has a structure like:
-----BEGIN PRIVATE KEY-----
<key>
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<cert>
-----END CERTIFICATE-----
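As an added sanity check (not code from the snx-rs project), the following Python validates that a file meant for --client-cert has the shape described above: exactly one private key block, at least one CERTIFICATE block, and every block base64-decodable to a DER SEQUENCE. It assumes the loader accepts PKCS#8, PKCS#1 and SEC1 key labels, and the sample bundle uses a constructed placeholder DER value rather than a real key or certificate.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
# Assumption: the client accepts PKCS#8, PKCS#1 (RSA) and SEC1 (EC) private keys.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem_bundle(text: str) -> List[Tuple[str, Optional[bytes]]]:
    """Return (label, DER bytes) per PEM block; DER is None if the body is not valid base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            der = None
        blocks.append((label, der))
    return blocks


def check_client_cert_bundle(text: str) -> List[str]:
    """Return the problems found; an empty list means the file has the expected shape."""
    problems = []
    blocks = parse_pem_bundle(text)
    key_count = sum(1 for label, _ in blocks if label in KEY_LABELS)
    cert_count = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    if key_count != 1:
        problems.append(f"expected exactly one private key block, found {key_count}")
    if cert_count == 0:
        problems.append("no CERTIFICATE block found")
    for label, der in blocks:
        if der is None:
            problems.append(f"{label} block is not valid base64")
        elif not der or der[0] != 0x30:
            # PKCS#8/PKCS#1/SEC1 keys and X.509 certificates all start with a DER SEQUENCE tag.
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    return problems


# Constructed sample: "MAMCAQU=" is a placeholder 5-byte DER SEQUENCE, not a real key or cert.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    issues = check_client_cert_bundle(SAMPLE_BUNDLE)
    print("bundle OK" if not issues else "\n".join(issues))
```

Run it against the real file with check_client_cert_bundle(open(path).read()) before passing that path to --client-cert.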
I will close the issue, the main branch now has MFA and certificate auth support. Azure SAML support is a whole different story.
{
  "ResponseData": {
    "connectivity_info": {
      "client_enabled": false,
      "connect_with_certificate_url": "\"/clients/cert/\"",
      "connectivity_type": "IPSec",
      "cookie_name": "CPCVPN_SESSION_ID",
      "default_authentication_method": "mixed",
      "internal_ca_fingerprint": [ "……." ],
      "ipsec_transport": "auto_detect",
      "natt_port": xxxx,
      "server_ip": "x.x.x.x",
      "supported_data_tunnel_protocols": [ "IPSec", "SSL", "L2TP" ],
      "tcpt_port": 443
    },
    "end_point_security": {
      "ics": {
        "ics_base_url": "\"/clients/ICS/components\"",
        "ics_cab_url": "\"/clients/ICS/components/cl_ics.cab\"",
        "ics_cab_version": "\"996000036\n\"",
        "ics_images_url": "\"/clients/ICS/components/ICS_images.cab\"",
        "ics_images_ver": 403006000,
        "ics_upgrade_url": "\"/clients/ICS/components/icsweb.cab\"",
        "ics_version": 403006000,
        "run_ics": true
      }
    },
    "login_options_data": {
      "login_options_list": [
        {
          "display_name": "\"Office365\"",
          "factors": [
            {
              "certificate_storage_type": "",
              "custom_display_labels": "",
              "factor_type": "identity_provider",
              "securid_card_type": ""
            }
          ],
          "id": "Authen_Azure",
          "secondary_realm_hash": "xxxxxxxxxx",
          "show_realm": 1
        },
        {
          "display_name": "\"username/password\"",
          "factors": [
            {
              "certificate_storage_type": "",
              "custom_display_labels": {
                "header": "\"Please provide user name and password to authenticate\"",
                "password": "Password",
                "username": "\"User name\""
              },
              "factor_type": "password",
              "securid_card_type": ""
            }
          ],
          "id": "vpn_mfa",
          "secondary_realm_hash": "xxxx",
          "show_realm": 1
        }
      ],
      "login_options_md5": "xxxxxxxx"
    },
    "protocol_version": { "features": 1, "protocol_version": 100 },
    "upgrade_configuration": {
      "available_client_version": 0,
      "client_upgrade_url": "",
      "upgrade_mode": "ask_user"
    }
  },
  "ResponseHeader": { "id": 2, "return_code": 600, "session_id": "", "type": "ClientHello" }
}