Open piakbt opened 6 months ago
This line made me try to connect to the gateway directly:
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
I do this and I have partial access. One resource is available, others not - so strange.
eval $( gp-saml-gui -S --gateway --clientos=Mac bb1.vpn.mycompany.com -- --csd-wrapper=/usr/libexec/openconnect/hipreport.sh )
Looking for SAML auth tags in response to https://bb1.vpn.mycompany.com/ssl-vpn/prelogin.esp...
Got SAML POST, opening browser...
Traceback (most recent call last):
File "/home/paul/.local/lib/python3.12/site-packages/gp_saml_gui.py", line 127, in on_load_changed
ct = h.get_content_type()
^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_content_type'
[PAGE ] Finished loading page https://mycompany.okta.com/app/panw_globalprotect/exkd9gesu3A19vjY6297/sso/saml
[PAGE ] Finished loading page https://mycompany.okta.com/login/sessionCookieRedirect
[PAGE ] Finished loading page https://bb1.vpn.mycompany.com/SAML20/SP/ACS
[SAML ] Got SAML result tags: {'saml-auth-status': '1', 'prelogin-cookie': '<token>', 'saml-username': 'mylogin@mycompany.com', 'saml-slo': 'no', 'saml-SessionNotOnOrAfter': None}
[SAML ] Got all required SAML headers, done.
SAML response converted to OpenConnect command line invocation:
echo <token> |
sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=mylogin@mycompany.com --os=mac-intel --usergroup=gateway:prelogin-cookie --passwd-on-stdin bb1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py --user=mylogin@mycompany.com --clientos=Mac -p '' \
https://bb1.vpn.mycompany.com/ssl-vpn/login.esp prelogin-cookie=<token>
Launching OpenConnect with sudo, equivalent to:
echo <token> |
sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=mylogin@mycompany.com --os=mac-intel --usergroup=gateway:prelogin-cookie --passwd-on-stdin bb1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
[sudo] password for paul:
Enter login credentials
GlobalProtect login returned unexpected argument value arg[21]=AWS-BB1
Please report 1 unexpected values above (of which 0 fatal) to <openconnect-devel@lists.infradead.org>
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
Set up UDP failed; using SSL instead
I am aware of this issue: https://github.com/dlenski/gp-saml-gui/issues/17 but I'm already using the HIP report script.
Could you consider any solution please?
Hello!
Could you please help me with this? I'm getting the error "fgets (stdin): Inappropriate ioctl for device".
The steps are:
1.
$ eval $( gp-saml-gui --portal --clientos=Mac aa1.vpn.mycompany.com -- --csd-wrapper=/usr/libexec/openconnect/hipreport.sh )
Looking for SAML auth tags in response to https://aa1.vpn.mycompany.com/global-protect/prelogin.esp...
Got SAML POST, opening browser...
Traceback (most recent call last):
File "/home/paul/.local/lib/python3.12/site-packages/gp_saml_gui.py", line 127, in on_load_changed
ct = h.get_content_type()
^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_content_type'
[PAGE ] Finished loading page https://mycompany.okta.com/app/panw_globalprotect/exk3s5nzpziXEw98A297/sso/saml
[PAGE ] Finished loading page https://mycompany.okta.com/login/sessionCookieRedirect
[PAGE ] Finished loading page https://aa1.vpn.mycompany.com//SAML20/SP/ACS
[SAML ] Got SAML result headers: {'saml-username': 'mycompany\\mylogin', 'prelogin-cookie': '<token>', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.
SAML response converted to OpenConnect command line invocation:
echo <token> |
sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' '--user=mycompany\mylogin' --os=mac-intel --usergroup=portal:prelogin-cookie --passwd-on-stdin aa1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
SAML response converted to test-globalprotect-login.py invocation:
test-globalprotect-login.py --user='mycompany\mylogin' --clientos=Mac -p '' \
https://aa1.vpn.mycompany.com/global-protect/getconfig.esp prelogin-cookie=<token>
2.
$ echo <token> | sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' '--user=mycompany\mylogin' --os=mac-intel --usergroup=portal:prelogin-cookie --passwd-on-stdin ab1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
POST https://aa1.vpn.mycompany.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Mac
Connected to 11.111.111.11:443
SSL negotiation with aa1.vpn.mycompany.com
Connected to HTTPS on aa1.vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
POST https://aa1.vpn.mycompany.com/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.1-5; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
bb1.vpn.mycompany.com (bb1.vpn.mycompany.com)
Please select GlobalProtect gateway.
GATEWAY: [bb1.vpn.mycompany.com]:bb1.vpn.mycompany.com
POST https://bb1.vpn.mycompany.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Mac
Connected to 2.22.22.222:443
SSL negotiation with bb1.vpn.mycompany.com
Connected to HTTPS on bb1.vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
prelogin-cookie:
fgets (stdin): Inappropriate ioctl for device
I've been having the same issue since a couple of days ago, with the same error message at the end: "fgets (stdin): Inappropriate ioctl for device". However, I played a bit with the parameters and found out that in Step 2, if I remove the --passwd-on-stdin parameter, it will actually go through and authenticate. Could you test if this works for you as well?
Hey @marvinhrivera! Thanks for the reply. Ah, I get the same error without the '--passwd-on-stdin' parameter.