search

arthepsy / pan-globalprotect-okta

PaloAlto Networks GlobalProtect VPN (integrated with OKTA) command-line client
101 stars 42 forks source link

prelogin.response: "Valid client certificate is required" #17

Closed lvml closed 4 years ago

lvml commented 5 years ago

Hi (and first of all thanks for your GP/Okta related efforts!),

I have access to a GP VPN portal of which there is a newer version now that also requires a second factor via Okta.

Trying your gp-okta.py script to address this, I run into the problem that the prelogin.response says "Valid client certificate is required" - and that is plausible since the non-Okta-using instance of the GP gateway also requires valid client certificates to be presented - which works fine when I do so with the "openconnect --certificate ..." option.

Could you support presenting a client certificate when requesting "https://vpn.example.com/global-protect/prelogin.esp"?

For completeness, the relevant part of the gp-okta.py output with "debug=1" I see:

[INFO] prelogin request
# prelogin.request:
https://vpn.example.com/global-protect/prelogin.esp
---
# prelogin.response:
status: 200
...
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Error</status>
<ccusername></ccusername>
<autosubmit></autosubmit>
<msg>Valid client certificate is required</msg>
<newmsg>Required client certificate not found. Please contact your IT 
administrator.</newmsg>
lvml commented 5 years ago

(I don't know much about the Python "requests" library, but would guess that using https://2.python-requests.org/en/master/user/advanced/#client-side-certificates could be sufficient, here?)

lvml commented 5 years ago

I meanwhile found that inserting s.cert = '/path/client.cert' after creating the "session" does actually work, and now only other issues with the authentication dance remain to be solved.

BTW: The warning at the linked python documentation page "The private key to your local certificate must be unencrypted. Currently, Requests does not support using encrypted keys." seems outdated - I am asked for a certificate decryption key if the certificate is encrypted, and decryption seems to work fine.

Leaving this issue open as a suggestion to add the client certificate support "officially".

coldcoff commented 5 years ago

@lvml: Everything is done in coldcoff/pan-globalprotect-okta, this will hopefully be merged along the following merge chain:

coldcoff/pan-globalprotect-okta -> aclindsa/pan-globalprotect-okta -> arthepsy/pan-globalprotect-okta

coldcoff commented 5 years ago

@aclindsa and myself agreed to bring this feature "back home" to @arthepsy with our combined PR https://github.com/arthepsy/pan-globalprotect-okta/pull/19