theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

No dialog box is shown when using OTP #107

Open Kalabaza opened 4 years ago

Kalabaza commented 4 years ago

I tried using the prebuilt version of the application for Ubuntu 18.04 and also by compiling the source code and both attempts were not successful and I cannot connect to the VPN.

Here are the logs:

$ cat .openfortigui/logs/openfortigui.log
Apr. 2 11:23:15 openfortiGUI::Debug: "start-main::"
Apr. 2 11:23:15 openfortiGUI::Warning: QStandardPaths: XDG_RUNTIME_DIR not set, defaulting to '/tmp/runtime-root'
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnAddVPN_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnDeleteVPN_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnEditVPN_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnCopyVPN_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnAddGroup_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnDeleteGroup_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnEditGroup_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QMetaObject::connectSlotsByName: No matching signal for on_btnCopyGroup_clicked()
Apr. 2 11:23:15 openfortiGUI::Warning: QObject::connect: No such signal vpnLogger::finished()
Apr. 2 11:23:15 openfortiGUI::Warning: QObject::connect: No such signal vpnLogger::finished()
Apr. 2 11:23:15 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/roberto/.openfortigui/vpnprofiles/PCC.conf"
Apr. 2 11:23:15 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "PCC"
Apr. 2 11:23:15 openfortiGUI::Warning: inotify_add_watch("/etc/openfortigui/vpnprofiles") failed: "No such file or directory"
Apr. 2 11:23:15 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/roberto/.openfortigui/vpnprofiles/PCC.conf"
Apr. 2 11:23:21 openfortiGUI::Debug: start vpn: "PCC" active-tab:: 0
Apr. 2 11:23:21 openfortiGUI::Debug: Start vpn:: "PCC"
Apr. 2 11:23:21 openfortiGUI::Debug: add logger "/home/roberto/.openfortigui/main.conf"
Apr. 2 11:23:21 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/roberto/.openfortigui/vpnprofiles/PCC.conf"
Apr. 2 11:23:21 openfortiGUI::Debug: "start-vpn process::" "PCC"
Apr. 2 11:23:21 openfortiGUI::Debug: "start-vpn process::config_file::" "/home/roberto/.openfortigui/main.conf"
Apr. 2 11:23:21 openfortiGUI::Debug: vpnManager::onClientConnected()
Apr. 2 11:23:21 openfortiGUI::Debug: client api helo command:: 0 ::name:: "PCC"
Apr. 2 11:23:21 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/roberto/.openfortigui/vpnprofiles/PCC.conf"
Apr. 2 11:23:21 openfortiGUI::Debug: vpnWorker::process::slot
Apr. 2 11:23:21 openfortiGUI::Debug: 1585819401546 bytes avail:: 294
Apr. 2 11:23:21 openfortiGUI::Debug: client disconnected:: "PCC"
Apr. 2 11:23:21 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "PCC" status 0
Apr. 2 11:23:21 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "PCC" ::status:: 0
Apr. 2 11:23:21 openfortiGUI::Debug: VPN process "PCC" error occurred!
Apr. 2 11:23:21 openfortiGUI::Debug: VPN process "PCC" finished!

$ cat .openfortigui/logs/vpn/PCC.log
INFO: Start tunnel.
DEBUG: server_addr: XXX.XXX.XXX.XXX
DEBUG: server_port: 10443
DEBUG: gateway_addr: XXX.XXX.XXX.XXX
DEBUG: gateway_port: 10443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.

theinvisible commented 4 years ago

You can try to use the option "Always ask for OTP" in your VPN profile config.

Kalabaza commented 4 years ago

That option is already set, and does not make any difference.

amccre commented 4 years ago

I am not able to see the dialog box either. Have tried with 99.9.1052-1 & 99.9.1056-1.

virgula commented 4 years ago

Having the same issue here.

Operating System: Linux Mint 19.2 Kernel: Linux 5.3.0-45-generic

LOG: openfortigui.log
abr 3 20:26:41 openfortiGUI::Debug: active-tab:: 0
abr 3 20:26:41 openfortiGUI::Debug: start vpn: "VPN-Corp" active-tab:: 0
abr 3 20:26:41 openfortiGUI::Debug: Start vpn:: "VPN-Corp"
abr 3 20:26:41 openfortiGUI::Debug: add logger "/home/andre/.openfortigui/main.conf"
abr 3 20:26:41 openfortiGUI::Debug: "start-vpn process::" "VPN-Corp"
abr 3 20:26:41 openfortiGUI::Debug: "start-vpn process::config_file::" "/home/andre/.openfortigui/main.conf"
abr 3 20:26:41 openfortiGUI::Debug: vpnManager::onClientConnected()
abr 3 20:26:41 openfortiGUI::Debug: client api helo command:: 0 ::name:: "VPN-Corp"
abr 3 20:26:41 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/andre/.openfortigui/vpnprofiles/VPN-Corp.conf"
abr 3 20:26:41 openfortiGUI::Debug: vpnWorker::process::slot
abr 3 20:26:41 openfortiGUI::Debug: 1585956401944 bytes avail:: 325
abr 3 20:26:42 openfortiGUI::Debug: client disconnected:: "VPN-Corp"
abr 3 20:26:42 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "VPN-Corp" status 0
abr 3 20:26:42 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "VPN-Corp" ::status:: 0
abr 3 20:26:42 openfortiGUI::Debug: VPN process "VPN-Corp" error occurred!
abr 3 20:26:42 openfortiGUI::Debug: VPN process "VPN-Corp" finished!

LOG: VPN-Corp.log
INFO: Start tunnel.
DEBUG: server_addr: XXX.XXX.XXX.XXX
DEBUG: server_port: 10433
DEBUG: gateway_addr: XXX.XXX.XXX.XXX
DEBUG: gateway_port: 10433
DEBUG: Setting min proto version to: 0x301
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.

tanpd commented 4 years ago

From my experience: Go to ~/.openfortigui/logs/vpn then find your connection log. There you will see the SHA Digest string (trusted-cert). Copy it and paste it into the Certificate SHA in application.
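The digest openfortivpn prints as "trusted-cert" is the SHA-256 of the DER-encoded gateway certificate, which is also what the "Gateway certificate digest found in white list" line in the log above is comparing against. Copying that value out of the log of a failed validation pins whatever certificate was presented during that handshake, so it is worth computing the digest yourself from a certificate obtained from the gateway (or from the FortiGate administrator) and comparing before pasting it into the profile. The script below is an added example and is not code from openfortigui or openfortivpn; the function names and the hypothetical host `vpn.example.com` are assumptions made for illustration.

```python
"""Compute and check the openfortivpn-style certificate digest (added example).

trusted_cert_digest() returns the lowercase hex SHA-256 over the DER encoding
of a certificate, which is the value openfortivpn logs as "trusted-cert" and
openfortigui stores as "Certificate SHA".  fetch_gateway_cert() grabs the leaf
certificate a gateway presents so the digest can be computed instead of copied
out of a log line.
"""
import argparse
import hashlib
import hmac
import socket
import ssl


def trusted_cert_digest(cert):
    """Return the lowercase hex SHA-256 of the DER-encoded certificate.

    `cert` may be raw DER bytes or a PEM string ("-----BEGIN CERTIFICATE-----").
    """
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    return hashlib.sha256(cert).hexdigest()


def digest_matches(observed, expected):
    """Constant-time, case-insensitive comparison of two hex digests."""
    return hmac.compare_digest(observed.strip().lower(), expected.strip().lower())


def fetch_gateway_cert(host, port=10443, timeout=10):
    """Fetch the leaf certificate the gateway presents, as DER bytes.

    Verification is disabled on purpose: the point is to obtain the
    certificate so its digest can be checked against a value learned out of
    band, not to trust it yet.  The returned bytes must not be used for
    anything else.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_gateway_pin(host, port, expected_digest):
    """Connect, compute the digest of the presented certificate and compare it
    with the digest obtained out of band.  Returns (matches, observed_digest)."""
    observed = trusted_cert_digest(fetch_gateway_cert(host, port))
    return digest_matches(observed, expected_digest), observed


# Constructed sample input: a syntactically valid PEM wrapper around the
# bytes b"abc" (base64 "YWJj").  It is not a real certificate; it only
# exercises the PEM/DER handling and hashing offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"abc"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="check an openfortivpn trusted-cert digest")
    ap.add_argument("host", help="gateway host, e.g. vpn.example.com (hypothetical)")
    ap.add_argument("--port", type=int, default=10443)
    ap.add_argument("--expected", required=True, help="digest obtained out of band")
    args = ap.parse_args()
    ok, seen = verify_gateway_pin(args.host, args.port, args.expected)
    print(f"presented: {seen}")
    print("MATCH: safe to use as trusted-cert" if ok else "MISMATCH: do not pin this digest")
```

Run it against the gateway with the digest the FortiGate administrator gave you; only when it reports a match does pasting that value into the profile's Certificate SHA field pin the certificate you intended rather than the one that happened to be presented.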

theinvisible commented 3 years ago

Okay, it seems there is a bug with the "Always ask OTP" option, it only works when the password manager (kwallet, gnome keyring) option is enabled in openfortigui settings. Will look into this.

theinvisible commented 3 years ago

Possible fix added in latest commit & dev builds, maybe you can test

amccre commented 3 years ago

Possible fix added in latest commit & dev builds, maybe you can test

I installed build 1089 and now the windows pops up if I have "Always ask for OTP" checked. However, I am not able to log in.

I've tried various OTP delay settings from 0-12 seconds. I have added the OTP prompt string and also tried it without.

Just wondering if our setup is not so standard. Our Fortigate is set up with a single authentication and that authentication source is RADIUS. The RADIUS server validates the password against Active Directory, and if it matches, it then sends back a challenge "Please enter token code". The user enters the token and the response is sent back to the RADIUS server which validates it against our 2 factor token system. If it matches, it responds with success to the Fortigate. This all works fine with openfortivpn at the command line.

It seems like there isn't enough info in the logs to know what is wrong.

Here are the logs for openfortigui:

Jul 22 09:33:20 openfortiGUI::Debug: vpnClientConnection::sendCMD:: "" :: 4
Jul 22 09:33:20 openfortiGUI::Debug: server sent something::
Jul 22 09:33:20 openfortiGUI::Debug: server api command2:: 4 ::name:: ""
Jul 22 09:33:20 openfortiGUI::Debug: vpnWorker::process::slot
Jul 22 09:33:20 openfortiGUI::Debug: 1595435600930 bytes avail:: 22
Jul 22 09:33:21 openfortiGUI::Debug: vpnProcess::onObserverUpdate::status_update "" state 1
Jul 22 09:33:21 openfortiGUI::Debug: vpnProcess::onObserverUpdate::status_update2 "" state 1
Jul 22 09:33:21 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "" status 1
Jul 22 09:33:21 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "" ::status:: 1
Jul 22 09:33:28 openfortiGUI::Debug: 1595435608994 bytes avail:: 276
Jul 22 09:33:30 openfortiGUI::Debug: shutting down vpn process:: ""
Jul 22 09:33:30 openfortiGUI::Debug: 1595435610163 bytes avail:: 505
Jul 22 09:33:32 openfortiGUI::Warning: QThread::start: Thread termination error: No such process
Jul 22 09:33:32 openfortiGUI::Debug: client disconnected:: ""
Jul 22 09:33:32 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "" status 0
Jul 22 09:33:32 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "" ::status:: 0
Jul 22 09:33:32 openfortiGUI::Debug: VPN process "" finished!

INFO: Start tunnel.
DEBUG: server_addr:
DEBUG: server_port: 10443
DEBUG: gateway_addr:
DEBUG: gateway_port: 10443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (HTTP status code).
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 10443
DEBUG: gateway_addr:
DEBUG: gateway_port: 10443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation succeeded.
INFO: Logged out.
INFO: Setting interface down.
INFO: Restoring routes...
DEBUG: Route to vpn server was not added
INFO: Removing VPN nameservers...

theinvisible commented 3 years ago

Okay, thanks for your test, unfortunately we don't have any setup like yours here for testing. Have you tried with openfortivpn to see if it works? With "always otp" option the password is sent together with the otp key, don't really know if this works for your setup. Without this option openfortigui tries to autodetect an otp request and sends the otp credentials separately. Would be interesting if you can test with openfortivpn as said.

amccre commented 3 years ago

Yes, it works fine with openfortivpn. I am realizing now that my setup is a little different than the typical 2 factor Fortinet VPN. I am not using the Fortigate's 2 factor login options, just a single authentication server (RADIUS) that, instead of responding with "Access Reject" or "Access Accept", responds to a correct password with "Access Challenge" and asks for a second password. If the second password is accepted, it responds with "Access Accept". The Fortigate just passes the challenge along. This works fine in both Forticlient VPN on Windows and also openfortivpn on Linux. I am not sure if openfortigui knows how to deal with a challenge after it sends the initial password. (See https://en.wikipedia.org/wiki/RADIUS#Authentication_and_authorization). This has been a fairly standard method of using 2 factor with RADIUS servers for a long time. It allows us to use the same tokens for multiple systems. Even if they don't support 2 factor, they usually support RADIUS, which should include support for a challenge-response. So the 2-factor part is handled by the RADIUS server instead of the Fortigate.

The text "Please enter token code" below was configured by me on the RADIUS server as the "challenge" text to prompt for the second password. openfortivpn seems to just pass it along and wait for input. After input, it connects no problem.

Here is the console output when connecting with openfortivpn:

xxxxxx@ubuntu:/etc$ sudo openfortivpn hq.xxxxxxxxxxxx.com:10443 -u xxxxxx -p xxxxxx --trusted-cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
WARN: You should not pass the password on the command line. Type it interactively or use a config file instead.
INFO: Connected to gateway.
Please enter token code
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
INFO: Got addresses: [xxx.xxx.xxx.xxx], ns [192.168.xxx.xxx, 192.168.xxx.xxx]
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.
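The two openfortivpn outputs in this thread (the GUI-driven run that ends in "Could not authenticate to gateway" and the interactive run above that shows "Please enter token code" before "Authenticated.") differ in one structural way: in the interactive run the RADIUS challenge appears as a bare line with no INFO/DEBUG/WARN/ERROR prefix between "Connected to gateway." and "Authenticated.". A client that decides whether to show an OTP dialog by matching a configured prompt string can only work if that bare line is actually present in what it reads. The classifier below is an added example, not code from openfortigui or openfortivpn: it runs over reduced copies of the two outputs posted in this thread and reports whether a challenge was seen, and it shows that a configured prompt string can never match when no challenge line was captured. The assumption that "any unprefixed line after Connected to gateway. and before Authenticated. is the challenge text" is mine, made for illustration.

```python
"""Classify openfortivpn output into authenticated / challenge / rejected (added example).

The heuristic (an assumption for this example, not openfortivpn's own logic):
openfortivpn prefixes its own messages with a level ("INFO: ", "DEBUG: ",
"WARN: ", "ERROR: "), so a line without a prefix that shows up after
"Connected to gateway." and before "Authenticated." is taken to be the
server-sent challenge text (e.g. a RADIUS Access-Challenge reply message).
"""
import re
from typing import NamedTuple, Optional

LEVEL_RE = re.compile(r"^(INFO|DEBUG|WARN|ERROR):\s+")


class AuthOutcome(NamedTuple):
    result: str                 # "authenticated", "rejected" or "unknown"
    challenge: Optional[str]    # challenge text if one was seen, else None
    detail: Optional[str]       # error message for "rejected", else None


def classify_auth(output: str) -> AuthOutcome:
    """Walk the output once and return what happened at the auth step."""
    connected = False
    challenge = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LEVEL_RE.match(line)
        if m is None:
            # Unprefixed line: only meaningful once the gateway answered,
            # which keeps shell prompts and command echoes out of the way.
            if connected and challenge is None:
                challenge = line
            continue
        level, msg = m.group(1), line[m.end():]
        if msg == "Connected to gateway.":
            connected = True
        elif msg == "Authenticated.":
            return AuthOutcome("authenticated", challenge, None)
        elif level == "ERROR" and msg.startswith("Could not authenticate"):
            return AuthOutcome("rejected", challenge, msg)
    return AuthOutcome("unknown", challenge, None)


def otp_prompt_matches(outcome: AuthOutcome, configured_prompt: str) -> bool:
    """Mimic a 'show the OTP dialog when the configured prompt text appears'
    rule: it can only fire if a challenge line was captured at all."""
    if outcome.challenge is None:
        return False
    return configured_prompt.strip().lower() in outcome.challenge.lower()


# Constructed sample inputs, reduced from the two outputs posted in the thread.
INTERACTIVE_RUN = """\
WARN: You should not pass the password on the command line. Type it interactively or use a config file instead.
INFO: Connected to gateway.
Please enter token code
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
INFO: Tunnel is up and running.
"""

GUI_RUN = """\
INFO: Start tunnel.
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (HTTP status code).
INFO: Closed connection to gateway.
INFO: Logged out.
"""

if __name__ == "__main__":
    for name, sample in (("interactive", INTERACTIVE_RUN), ("gui", GUI_RUN)):
        outcome = classify_auth(sample)
        print(name, outcome, "prompt-match:", otp_prompt_matches(outcome, "enter token code"))
```

Feeding the GUI-driven output through the classifier yields "rejected" with no challenge text, so `otp_prompt_matches` is false for any configured prompt, which is the situation the thread is describing: the dialog trigger has nothing to match against.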

theinvisible commented 3 years ago

Okay, so "always otp" will not work for you as you need to submit password and otp token separately. The strange thing is that your "challenge text" does not show up in the openfortigui log. So the OTP window will never trigger in OpenFortiGUI and the auth/connection fails because it can't find your "otp prompt" text. Will have a look over the code again but thanks again for your feedback.