dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

connection-type=notunnel (expected tunnel) #32

Closed aallrd closed 3 years ago

aallrd commented 3 years ago

Hello,

I am trying to connect to a GlobalProtect gateway with SAML authentication from my Fedora 34 workstation (all our other laptops are running Windows). The SAML authentication seems to work fine and the cookie is extracted, but the openconnect command fails with the error `Failed to obtain WebVPN cookie`.

$ openconnect --version
OpenConnect version v8.10-6.fc34
Using GnuTLS 3.7.2. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
  1. SAML authentication (redacted GATEWAY and USERNAME)
    
    $ eval $( gp-saml-gui --gateway --clientos=Windows GATEWAY )
    Looking for SAML auth tags in response to https://GATEWAY/ssl-vpn/prelogin.esp...
    Got SAML REDIRECT, opening browser...
    [PAGE   ] Finished loading page https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/saml2?SAMLRequest=lZJNb8IwDIb%2FSpV7m5CmXxGt1MFhSEyraLfDLlMIKURqEpakEz9%2FFDaNXZB2tPz6sf3ac8fUcKT16A96Iz5G4XxwUoN29JIowWg1NcxJRzVTwlHPaVs%2FrSmOED1a4w03Awhq54T10uiF0W5UwrbCfkouXjbrEhy8PzoK4X4wWzZMRYL7UJ0iNVpxirhRlJAYTliMYNvAetGCYHkeRWo2QX8Rg9lLHSnJrXGm90YPUouJAAuWx0WWoVAUPQ9JFmdhgRIexhnq02SLBMYETjthEKyWJXhHSb5LUpEmeZb2MUkTMuvzHedpkWaEZf1Z5twoVtp5pn0JMMKzEBUhJt0MUTyjCXkDQfNtwYPUO6n39%2F3aXkWOPnZdEzbPbQeCV2HdZcWzAFTzaUJ6aWxv7nAfy37MB9V%2FrZ7Dm4bVNfr7DdUX&RelayState=PskUAEXKg2A1MzcyNDliNWVhZjVhMTM4Yzc4YmMzMmJlZTY0OTA2NQ%3D%3D&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=eyPQIuYoBry%2BEaRRfg9%2FQynmUWFyGstKL6pUFjNWB2dOStn%2Bk%2FXsobcaE%2Ffuv%2FCCqRkJaw%2FWVtIpzFBV%2BnuPzFdMmWa9B6DSS5unET%2Fu2Uda5xStkuGSVkvgfMKGqxpaYiT0cq7DL3nyTZsUvCC5xgPr42LNbxE%2FVm5PNsK74QxaqhsamNjukLh0RwdZ4JPWvPx4FrdSKU9md5rwuq%2BDb8u2iPjJPPCGCS0gHcNkS8bpvD5GapP5YhQ2sreq6DROF%2BZUvUP4oZQ5ro8xwVk%2BdWd1oC6PGm9KIqYm8bleWgXqZ%2Flb3Iwf8RFO4iKl7G0yaO03oxHdRi88MwKTYk0fDg%3D%3D

    (process:91394): libsoup-WARNING **: 13:22:08.196: gssapi step failed: No credentials were supplied, or the credentials were unavailable or inaccessible: SPNEGO cannot find mechanisms to negotiate
    [PAGE   ] Finished loading page https://login.microsoftonline.com/9a839770-e9fc-4737-905c-370f65b0e224/login
    [PAGE   ] Finished loading page https://GATEWAY/SAML20/SP/ACS
    [SAML   ] Got SAML result headers: {'saml-username': 'USERNAME', 'prelogin-cookie': '/JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe', 'saml-slo': 'no', 'saml-auth-status': '1'}
    [SAML   ] Got all required SAML headers, done.

SAML response converted to OpenConnect command line invocation:

echo /JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe |
    sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY

SAML response converted to test-globalprotect-login.py invocation:

test-globalprotect-login.py --user=USERNAME --clientos=Windows -p '' \
     https://GATEWAY/ssl-vpn/login.esp prelogin-cookie=/JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe
2. Issuing `openconnect` command (redacted GATEWAY)

$ echo /JuUOCCnHwIXYYcRVLMpjakokE67Q2dF5VTNblR7p0wDHV0BBgE43UZ5Z8Y0zNbe | sudo openconnect --protocol=gp --user=USERNAME --os=win --usergroup=gateway:prelogin-cookie --passwd-on-stdin GATEWAY
POST https://GATEWAY/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to 10.29.255.65:443
SSL negotiation with GATEWAY
Connected to HTTPS on GATEWAY with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
POST https://GATEWAY/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=COMPANY.COM_AZURE-SAML_Auth-Prof
GlobalProtect login returned connection-type=notunnel (expected tunnel)
GlobalProtect login returned usually-equals-4=4
GlobalProtect login returned usually-equals-unknown=unknown
Please report 1 unexpected values above (of which 1 fatal) to openconnect-devel@lists.infradead.org
Failed to obtain WebVPN cookie

Do you know what could be the issue or how I could get some more logs?
aallrd commented 3 years ago

Here are the openconnect logs with --dump -vvv:

POST https://GATEWAY/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Attempting to connect to server 10.29.255.65:443
Connected to 10.29.255.65:443
SSL negotiation with GATEWAY
Connected to HTTPS on GATEWAY with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
> POST /ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows HTTP/1.1
> Host: GATEWAY
> User-Agent: PAN GlobalProtect
> 
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 24 Sep 2021 12:22:02 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 2120
Connection: keep-alive
ETag: "179a606ce514"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: CLIENTOS=V2luZG93cw%3D%3D; expires=Sat, 25-Sep-2021 12:22:02 GMT; Max-Age=86400; path=/
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Set-Cookie: PHPSESSID=a2d91e2566dc6da5119462847a7e004f; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (2120)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Success</status>
< <ccusername></ccusername>
< <autosubmit>false</autosubmit>
< <msg></msg>
< <newmsg></newmsg>
< <license>no</license>
< <authentication-message>Enter login credentials</authentication-message>
< <username-label>Username</username-label>
< <password-label>Password</password-label>
< <panos-version>1</panos-version>
< <saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
< <saml-auth-method>REDIRECT</saml-auth-method>
< <saml-request-timeout>600</saml-request-timeout>
< <saml-request-id>0</saml-request-id><saml-request>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</saml-request><region>10.0.0.0-10.255.255.255</region>
< </prelogin-response>
Destination form field REDIRECT was specified; assuming SAML prelogin-cookie authentication is complete.
Prelogin form _login: "Username: " user(TEXT)=(null), "prelogin-cookie: " prelogin-cookie(PASSWORD)
Enter login credentials
POST https://GATEWAY/ssl-vpn/login.esp
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: GATEWAY
> User-Agent: PAN GlobalProtect
> Cookie: CLIENTOS=V2luZG93cw%3D%3D; PHPSESSID=a2d91e2566dc6da5119462847a7e004f
> X-Pad: 000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 275
> 
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&ipv6-support=yes&clientos=Windows&os-version=win&server=GATEWAY&computer=fedora&user=USERNAME&prelogin-cookie=gLx0VM%2bws27oFNHop18u9Bf8og0ZOJgIqHlPnqXPrJjuwva27%2bkzZnhSjDWJ2AAl
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 24 Sep 2021 12:22:02 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 742
Connection: keep-alive
ETag: "245b606ce514"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Set-Cookie: PHPSESSID=a059b51598bd697766d15b6e6947fde7; path=/; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (742)
< <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>f56543d9fbabbb7a8cc4c7486cf45560</argument><argument>e7d77c7fd962e271813ad1e58c9b62f84fed1fc1</argument><argument>GP-Gateway-COMPANY</argument><argument>USERNAME</argument><argument>COMPANY.COM_AZURE-SAML_Auth-Prof</argument><argument>vsys1</argument><argument>%28empty_domain%29</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>notunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument></argument><argument></argument><argument></argument><argument>4</argument><argument>unknown</argument><argument></argument></application-desc></jnlp>
GlobalProtect login returned authentication-source=COMPANY.COM_AZURE-SAML_Auth-Prof
GlobalProtect login returned connection-type=notunnel (expected tunnel)
GlobalProtect login returned usually-equals-4=4
GlobalProtect login returned usually-equals-unknown=unknown
Please report 1 unexpected values above (of which 1 fatal) to <openconnect-devel@lists.infradead.org>
Failed to obtain WebVPN cookie

Is the connection-type=notunnel (expected tunnel) value the unexpected and fatal one?
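To see directly from the response body which value is the fatal one, here is an added example (mine, not code from gp-saml-gui or openconnect) that maps the positional `<argument>` list of the `login.esp` reply above to named fields and flags the values openconnect refuses. The four names that openconnect printed in the log are taken from the page; the remaining field names follow my reading of openconnect's gpst.c and are assumptions, as is the constructed sample with the cookies replaced.

```python
import xml.etree.ElementTree as ET

# Positional meaning of the <argument> elements in the login.esp <jnlp> reply.
# authentication-source, connection-type, usually-equals-4 and
# usually-equals-unknown are the names openconnect printed in the issue; the
# other names are assumptions based on my reading of openconnect's gpst.c.
ARG_NAMES = [
    "unknown-arg0", "authcookie", "persistent-cookie", "portal", "user",
    "authentication-source", "configuration", "domain", "unknown-arg8",
    "unknown-arg9", "unknown-arg10", "unknown-arg11", "connection-type",
    "password-expiration-days", "clientVer", "preferred-ip",
    "portal-userauthcookie", "portal-prelogonuserauthcookie",
    "preferred-ipv6", "usually-equals-4", "usually-equals-unknown",
]

# Values a tunnel login must carry; anything else is fatal for openconnect.
EXPECTED = {"connection-type": "tunnel", "clientVer": "4100"}


def parse_login_response(xml_text):
    """Turn the positional <argument> list into a name -> value dict."""
    root = ET.fromstring(xml_text)
    args = [a.text or "" for a in root.iter("argument")]
    return {ARG_NAMES[i] if i < len(ARG_NAMES) else f"unknown-arg{i}": v
            for i, v in enumerate(args)}


def check_login_response(xml_text):
    """Return (fields, fatal_problems); fatal_problems is empty on a good login."""
    fields = parse_login_response(xml_text)
    fatal = [f"{k}={fields.get(k)} (expected {v})"
             for k, v in EXPECTED.items() if fields.get(k) != v]
    return fields, fatal


# Constructed sample modelled on the reply in the issue, cookies replaced.
SAMPLE = ('<?xml version="1.0" encoding="utf-8"?><jnlp><application-desc>'
          '<argument>(null)</argument><argument>AUTHCOOKIE</argument>'
          '<argument>PERSISTENTCOOKIE</argument><argument>GP-Gateway-COMPANY</argument>'
          '<argument>USERNAME</argument><argument>COMPANY.COM_AZURE-SAML_Auth-Prof</argument>'
          '<argument>vsys1</argument><argument>%28empty_domain%29</argument>'
          '<argument>(null)</argument><argument></argument><argument></argument>'
          '<argument></argument><argument>notunnel</argument><argument>-1</argument>'
          '<argument>4100</argument><argument></argument><argument></argument>'
          '<argument></argument><argument></argument><argument>4</argument>'
          '<argument>unknown</argument><argument></argument></application-desc></jnlp>')

if __name__ == "__main__":
    fields, fatal = check_login_response(SAMPLE)
    print("authentication-source:", fields["authentication-source"])
    for problem in fatal:
        print("FATAL:", problem)
```

Run against the sample it reports a single fatal problem, `connection-type=notunnel (expected tunnel)`, which is exactly the one openconnect counts as fatal in the log.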

aallrd commented 3 years ago

Okay actually it seems we are using a special mode of GlobalProtect that is only meant as a user-id agent instead of a full VPN. This mode was already reported/documented by another user:

So in short: it works since we actually don't care about mounting the VPN and the user-id is actually registered on the GlobalProtect server even if the openconnect command fails.

dlenski commented 3 years ago

Yep, let's continue the discussion at https://gitlab.com/openconnect/openconnect/-/issues/81#note_686497723 :)