dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

OpenConnect returns list of "gateway servers", how to respond? #27

Closed scott-dunt closed 3 years ago

scott-dunt commented 3 years ago

The install and start-up work great. I get a pop-up and get logged in, then GlobalProtect responds with a list of "Gateway servers" and errors out with: "Resource temporarily unavailable"

How do I specify the gateway on the command line? I have tried --gateway="US Central"

gp-saml-gui -S remote.precisionplanting.com --clientos=Windows --gateway='US Central'
usage: gp-saml-gui [-h] [--no-verify] [-C COOKIES | -K] [-g | -p] [-c CERT] [--key KEY] [-v | -q] [-x | -P | -S] [-u] [--clientos {Windows,Linux,Mac}] [-f EXTRA]
                   server [openconnect_extra [openconnect_extra ...]]
gp-saml-gui: error: argument -g/--gateway: ignored explicit argument 'US Central'

Log of connection attempt:

gp-saml-gui -S remote.precisionplanting.com --clientos=Windows
Looking for SAML auth tags in response to https://remote.precisionplanting.com/global-protect/prelogin.esp...
Got SAML REDIRECT, opening browser...
[PAGE   ] Finished loading page https://login.microsoftonline.com/<snip>
[PAGE   ] Finished loading page https://remote.precisionplanting.com/SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'saml-username': 'SDxxx@XXXXXXXXXXXXXXXX.com', 'prelogin-cookie': 'R/4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxLl', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML   ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.

SAML response converted to OpenConnect command line invocation:

    echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
        sudo openconnect --protocol=gp --user=SDunt@xxxxxxxxxxxxxxxxx.com --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.precisionplanting.com

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user=SDxxx@xxxxxxxxxxxxxxxxx.com --clientos=Windows -p '' \
        https://remote.precisionplanting.com/global-protect/getconfig.esp prelogin-cookie=R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl

Launching OpenConnect with sudo, equivalent to:
    echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
        sudo openconnect --protocol=gp --user=SDxxx@xxxxxxxxxxxxxxxxx.com --os=win --usergroup=portal:prelogin-cookie --passwd-on-stdin remote.precisionplanting.com
POST https://remote.precisionplanting.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to xxx.xxx.xx.xx:443
SSL negotiation with remote.precisionplanting.com
Connected to HTTPS on remote.precisionplanting.com
SAML login is required via REDIRECT to this URL:
        https://login.microsoftonline.com/<snip>
Enter login credentials
POST https://remote.precisionplanting.com/global-protect/getconfig.esp
21 gateway servers available:
  France North (fr-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US West (us-west-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Canada West (canada-west-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Germany Central (germany-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US East (us-east-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US Southeast (us-southeast-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  US Central (us-central-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Canada East (canada-east-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Andorra (andorra-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Bulgaria (bulgaria-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Croatia (croatia-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  France South (france-south-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Germany North (germany-north-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Hungary (hungary-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Moldova (moldova-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Romania (romania-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Ukraine (ukraine-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Canada Central (canada-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Argentina (argentina-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Brazil East (brazil-east-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
  Brazil Central (brazil-central-precisio.gp2j22jyc2c.gw.gpcloudservice.com)
Please select GlobalProtect gateway.
GATEWAY: [France North|US West|Canada West|Germany Central|US East|US Southeast|US Central|Canada East|Andorra|Bulgaria|Croatia|France South|Germany North|Hungary|Moldova|Romania|Ukraine|Canada Central|Argentina
|Brazil East|Brazil Central]:fgets (stdin): Resource temporarily unavailable

qups commented 3 years ago

I had this problem too, but I found on https://www.infradead.org/openconnect/globalprotect.html that you can try

--authgroup=GatewayName

(I used this in conjunction with --portal). That didn't work for me, but in the end I just directly connected to the gateway with something that looks like this:

gp-saml-gui -P --gateway campus.vpn.berkeley.edu

dlenski commented 3 years ago

> How do I specify the gateway on the command line? I have tried --gateway="US Central"

The --gateway argument here means "do SAML authentication via the gateway, not the portal."

It does not mean "choose the gateway named XYZ after doing SAML authentication via the portal." That would be option #2 below.

The GlobalProtect authentication handoff between portal/gateway is an incoherent mess, and I don't have access to enough combinations of servers to figure out how to automate them all fully. :man_shrugging:

Depending on what your particular server(s) accept, you might want one of the following…

  1. You could go straight to the gateway like this:

        gp-saml-gui -S --clientos=Windows --gateway us-central-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com

  2. You can use gp-saml-gui's ability to pass arbitrary additional options to openconnect (did you read --help?), which seems to be what you are trying to do…

        gp-saml-gui -S --clientos=Windows remote.precisionplanting.com -- --authgroup="US Central"

  3. You could also take the IMPORTANT: warning into account, and modify the output to deliver the cookie straight to a gateway instead of resubmitting the cookie to the portal interface:

        echo R/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl |
            sudo openconnect --protocol=gp --user=SDxxx@xxxxxxxxxxxxxxxxx.com --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin us-central-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com

dlenski commented 3 years ago

What @qups is suggesting is my "option 1."

Skipping the portal entirely is always the sanest option, assuming your VPN's authentication is set up in such a way that it's possible.

Your VPN appears to be such a VPN, because https://us-central-g-precisio.gp2j22jyc2c.gw.gpcloudservice.com/ssl-vpn/prelogin.esp contains SAML tags. So that's the sane choice here.
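The two checks that this thread turns on are mechanical enough to script: mapping the display name from openconnect's "N gateway servers available:" list to the gateway hostname (so the gateway can be targeted directly, as in options 1 and 3 above), and confirming that the gateway's own /ssl-vpn/prelogin.esp response contains SAML tags, which is the test dlenski applies just above. The following is an added example, not code from gp-saml-gui or OpenConnect; the hostnames, the openconnect output excerpt and both prelogin responses are constructed, and the tag names `saml-auth-method` / `saml-request` plus the `tmp`/`clientVer`/`clientos` query parameters are taken from the log in this issue and gp-saml-gui's published behaviour.

```python
# Added example (not gp-saml-gui's or OpenConnect's own code).
#  1. parse openconnect's gateway list into {display name: hostname};
#  2. build the gateway prelogin URL and decide, from its XML reply, whether
#     the gateway itself offers SAML (dlenski's "option 1" is then viable).
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed excerpt shaped like the openconnect output quoted in this issue.
SAMPLE_OPENCONNECT_OUTPUT = """\
POST https://portal.example.com/global-protect/getconfig.esp
3 gateway servers available:
  France North (fr-example.gw.example.net)
  US Central (us-central-g-example.gw.example.net)
  Brazil East (brazil-east-example.gw.example.net)
Please select GlobalProtect gateway.
"""

GATEWAY_LINE = re.compile(r"^\s+(?P<name>.+?) \((?P<host>[A-Za-z0-9.-]+)\)\s*$")


def parse_gateway_list(text):
    """Return {display name: hostname} from openconnect's gateway prompt."""
    gateways, in_list = {}, False
    for line in text.splitlines():
        if re.match(r"^\d+ gateway servers? available:", line):
            in_list = True
            continue
        if not in_list:
            continue
        m = GATEWAY_LINE.match(line)
        if not m:
            break  # first non-gateway line ends the list
        gateways[m.group("name")] = m.group("host")
    return gateways


def choose_gateway(gateways, name):
    """Resolve a display name case-insensitively; a typo gets a list of valid names."""
    wanted = name.strip().casefold()
    for display, host in gateways.items():
        if display.casefold() == wanted:
            return host
    raise KeyError(f"no gateway named {name!r}; available: {', '.join(gateways)}")


def gateway_prelogin_url(host, clientos="Windows"):
    """Gateway prelogin endpoint with the query parameters seen in the log above."""
    params = urlencode({"tmp": "tmp", "clientVer": "4100", "clientos": clientos})
    return f"https://{host}/ssl-vpn/prelogin.esp?{params}"


def find_saml_tags(xml_text):
    """Return (auth method, decoded saml-request) if the reply asks for SAML, else None."""
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response":
        return None
    method = root.findtext("saml-auth-method")
    request = root.findtext("saml-request")
    if not (method and request):
        return None  # password-style prelogin: no SAML at this interface
    # For REDIRECT the base64 payload is the IdP URL; for POST it is an HTML form.
    return method, base64.b64decode(request).decode("utf-8", "replace")


def fetch_prelogin_saml(host, clientos="Windows", timeout=10):
    """Live check (needs network): POST to the gateway as openconnect does, then parse."""
    req = Request(gateway_prelogin_url(host, clientos), data=b"", method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return find_saml_tags(resp.read().decode("utf-8", "replace"))


# Constructed prelogin replies: one SAML-enabled gateway, one password-only gateway.
_SAML_REQUEST_B64 = base64.b64encode(b"https://idp.example.com/sso").decode()
SAML_PRELOGIN_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<prelogin-response>
  <status>Success</status>
  <saml-auth-method>REDIRECT</saml-auth-method>
  <saml-request>{_SAML_REQUEST_B64}</saml-request>
</prelogin-response>"""
PASSWORD_PRELOGIN_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<prelogin-response>
  <status>Success</status>
  <authentication-message>Enter login credentials</authentication-message>
</prelogin-response>"""


if __name__ == "__main__":
    gws = parse_gateway_list(SAMPLE_OPENCONNECT_OUTPUT)
    host = choose_gateway(gws, "US Central")
    print("gateway host:", host)
    print("prelogin URL:", gateway_prelogin_url(host))
    print("SAML offered directly:", find_saml_tags(SAML_PRELOGIN_RESPONSE) is not None)
```

With a real hostname, `fetch_prelogin_saml(host)` returning a non-None tuple is the condition under which `gp-saml-gui --gateway HOST` can skip the portal; `None` means the gateway only does password prelogin and the portal route (option 2 with `-- --authgroup=...`) is the one to use.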

dlenski commented 3 years ago

> I had this problem too, but I found on https://www.infradead.org/openconnect/globalprotect.html that you can try
>
> --authgroup=GatewayName
>
> (I used this in conjunction with --portal). That didn't work for me, but in the end I just directly connected to the gateway with something that looks like this:

You can use this in conjunction with gp-saml-gui --portal. Simply add -- --authgroup=Whatever to the end of the gp-saml-gui CLI, and it'll pass along that argument to openconnect.

scott-dunt commented 3 years ago

Thanks to @qups, that solved it. Connecting to the gateway directly does the trick:

gp-saml-gui -S --gateway us-central-g-xxxxxxxxxxxxxxxxxxxxxxxxervice.com