theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

Radius two factor challenge text does not match wording in openfortigui #105

Closed amccre closed 3 years ago

amccre commented 4 years ago

I am unable to use two factor authentication because the wording of the challenge sent from our RADIUS server is different than what the code is looking for.

Our server responds with: Please enter token code

The openfortigui looks for 3 different things it appears (vpnlogger.cpp):

```cpp
if(toLog.contains("2factor authentication token:") || toLog.contains("Two-factor authentication") || toLog.contains("one-time password"))
```

Since the response text really could be anything, would it be possible to make additional items to search for configurable in the VPN profile? Or if not that, could it be added to the main.conf file?

Also, I couldn't find anything in the logs with debug turned on where this text would be logged. I found it by connecting using the command line with openfortivpn.

Thanks,

Aaron

theinvisible commented 4 years ago

Hi,

As I have seen from openfortivpn, there is already an "otp-prompt" var where you can define the search string for the OTP prompt. I will include this option in OpenFortiGUI, so this should solve this problem.

amccre commented 4 years ago

Thanks, that's great! Looking forward to trying it out.

theinvisible commented 4 years ago

Hi,

There are now developer builds available for Debian/Ubuntu from the latest master branch; maybe you want to give it a try: https://apt.iteas.at/iteas-dev/pool/main/o/openfortigui/

amccre commented 4 years ago

I installed developer build "openfortigui_99.9.1056-1_amd64_bionic.deb". I tried adding the text below to the main.conf and also to the .conf file, but no luck there:

otp-prompt=Please enter token code

How do I go about defining the variable "otp-prompt"?

theinvisible commented 4 years ago

It is best to define it via the GUI in your VPN profile settings. The parameter is "otp_prompt" in your VPN profile, in the [options] category.
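Added example, not part of the thread and not openfortigui's own code: the prompt matching discussed above, written with standard C++ strings instead of Qt, combining the three strings quoted from vpnlogger.cpp with a configurable `otp_prompt` read from an `[options]` section. The function names, the INI-style profile layout and the sample lines are assumptions made for illustration.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// The three fragments quoted in the issue from vpnlogger.cpp.
static const std::vector<std::string> kBuiltinPrompts = {
    "2factor authentication token:", "Two-factor authentication",
    "one-time password"};

// Hypothetical helper: return the otp_prompt value from the [options]
// section of INI-style profile text (the file layout is an assumption).
std::string readOtpPrompt(const std::string& profileText) {
    std::istringstream in(profileText);
    std::string line, section;
    const std::string key = "otp_prompt=";
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.size() > 2 && line.front() == '[' && line.back() == ']') {
            section = line.substr(1, line.size() - 2);
            continue;
        }
        if (section == "options" && line.compare(0, key.size(), key) == 0)
            return line.substr(key.size());
    }
    return "";
}

// True when a line of VPN output should raise the OTP dialog.
// An empty custom prompt is ignored: find("") would match every line.
bool isOtpPrompt(const std::string& line, const std::string& customPrompt) {
    if (!customPrompt.empty() && line.find(customPrompt) != std::string::npos)
        return true;
    for (const auto& p : kBuiltinPrompts)
        if (line.find(p) != std::string::npos) return true;
    return false;
}

int main() {
    // Constructed profile text and output lines, for illustration only.
    const std::string profile =
        "[vpn]\nname=example\n[options]\notp_prompt=Please enter token code\n";
    const std::string custom = readOtpPrompt(profile);
    for (const std::string line : {"Please enter token code",
         "Two-factor authentication token:", "INFO: Connected to gateway."})
        std::cout << line << " -> " << isOtpPrompt(line, custom) << "\n";
    return 0;
}
```

The match is a case-sensitive substring test, so the configured value has to reproduce the RADIUS server's challenge text exactly as it is sent.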

amccre commented 4 years ago

Ok, I tried the various settings, but never see an OTP prompt. Even with "Always ask for OTP" set. Have tried with 99.9.1052-1 & 99.9.1056-1.

theinvisible commented 4 years ago

The OTP prompt should definitely come up, sure it's not in the background or something?

amccre commented 4 years ago

No, it is not there anywhere. It goes immediately back to "Disconnected" after trying to connect.

Here is the log:

```
INFO: Start tunnel.
DEBUG: server_addr: 216.151.27.50
DEBUG: server_port: 10443
DEBUG: gateway_addr: 216.151.27.50
DEBUG: gateway_port: 10443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
INFO: Delaying OTP by 3 seconds...
```

```
May 31 11:31:57 openfortiGUI::Debug: "start-main::"
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnAddVPN_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnDeleteVPN_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnEditVPN_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnCopyVPN_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnAddGroup_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnDeleteGroup_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnEditGroup_clicked()
May 31 11:31:57 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnCopyGroup_clicked()
May 31 11:31:57 openfortiGUI::Warning: QObject::connect: No such signal vpnLogger::finished()
May 31 11:31:57 openfortiGUI::Warning: QObject::connect: No such signal vpnLogger::finished()
May 31 11:31:58 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/xxxxxx/.openfortigui/vpnprofiles/xxxxxx.conf"
May 31 11:31:58 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "xxxxxx"
May 31 11:31:58 openfortiGUI::Warning: inotify_add_watch("/etc/openfortigui/vpnprofiles") failed: "No such file or directory"
May 31 11:31:58 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/xxxxxx/.openfortigui/vpnprofiles/xxxxxx.conf"
May 31 11:32:02 openfortiGUI::Debug: start vpn: "xxxxxx" active-tab:: 0
May 31 11:32:02 openfortiGUI::Debug: Start vpn:: "xxxxxx"
May 31 11:32:02 openfortiGUI::Debug: add logger "/home/xxxxxx/.openfortigui/main.conf"
May 31 11:32:02 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/xxxxxx/.openfortigui/vpnprofiles/xxxxxx.conf"
May 31 11:32:02 openfortiGUI::Debug: "start-vpn process::" "xxxxxx"
May 31 11:32:02 openfortiGUI::Debug: "start-vpn process::config_file::" "/home/xxxxxx/.openfortigui/main.conf"
May 31 11:32:02 openfortiGUI::Debug: vpnManager::onClientConnected()
May 31 11:32:02 openfortiGUI::Debug: client api helo command:: 0 ::name:: "xxxxxx"
May 31 11:32:02 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/xxxxxx/.openfortigui/vpnprofiles/xxxxxx.conf"
May 31 11:32:02 openfortiGUI::Debug: vpnWorker::process::slot
May 31 11:32:03 openfortiGUI::Debug: 1590949923019 bytes avail:: 22
May 31 11:32:03 openfortiGUI::Debug: vpnProcess::onObserverUpdate::status_update "xxxxxx" state 1
May 31 11:32:03 openfortiGUI::Debug: vpnProcess::onObserverUpdate::status_update2 "xxxxxx" state 1
May 31 11:32:03 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "xxxxxx" status 1
May 31 11:32:03 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "xxxxxx" ::status:: 1
May 31 11:32:11 openfortiGUI::Debug: 1590949931081 bytes avail:: 276
May 31 11:32:11 openfortiGUI::Debug: 1590949931482 bytes avail:: 37
May 31 11:32:15 openfortiGUI::Debug: client disconnected:: "xxxxxx"
May 31 11:32:15 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "xxxxxx" status 0
May 31 11:32:15 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "xxxxxx" ::status:: 0
May 31 11:32:15 openfortiGUI::Debug: VPN process "xxxxxx" error occurred!
May 31 11:32:15 openfortiGUI::Debug: VPN process "xxxxxx" finished!
```

theinvisible commented 4 years ago

There was a bug with "always otp" when not using a system password manager. Maybe you can try again?