vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0
280 stars 119 forks

Error on connection, help wanted to where start troubleshoot #47

Open K4S1 opened 3 years ago

K4S1 commented 3 years ago

Hi,

Have installed openconnect-sso via AUR.

openconnect-sso 0.6.1 OS: ArcoLinux Kernel: 5.11.5-arch1-1
Shell: zsh 5.8 DE: Plasma 5.21.2

I hope for a bit of a push in the troubleshooting direction, because I'm not really sure where to start here :-/ I have some issues after authentication, where I get the following error. Authentication looks okay when running through Azure auth.

[info     ] Browser exited                 [openconnect_sso.browser.browser] 
Traceback (most recent call last):
  File "/home/ksadmin/.local/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
    auth_response = await authenticate_to(
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 44, in authenticate
    response = self._complete_authentication(auth_request_response, sso_token)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 81, in _complete_authentication
    return parse_response(response)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 142, in parse_response
    return parse_auth_complete_response(xml)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 187, in parse_auth_complete_response
    auth_message=xml.auth.message,
  File "src/lxml/objectify.pyx", line 231, in lxml.objectify.ObjectifiedElement.__getattr__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: message
K4S1 commented 3 years ago

Just found I was running on an older version. Sorry. Installed via pipx and now have 0.7, and tried via AUR.

But when I run openconnect-sso --version it tells 0.6.1 :-/

But sadly get same error:

[info     ] Browser exited                 [openconnect_sso.browser.browser] 
Traceback (most recent call last):
  File "/home/ksadmin/.local/bin/openconnect-sso", line 8, in <module>
    sys.exit(main())
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
    auth_response = await authenticate_to(
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 44, in authenticate
    response = self._complete_authentication(auth_request_response, sso_token)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 81, in _complete_authentication
    return parse_response(response)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 142, in parse_response
    return parse_auth_complete_response(xml)
  File "/home/ksadmin/.local/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 187, in parse_auth_complete_response
    auth_message=xml.auth.message,
  File "src/lxml/objectify.pyx", line 231, in lxml.objectify.ObjectifiedElement.__getattr__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: message
K4S1 commented 3 years ago

Okay, sorry for the spam here. Found that I had 6.0.1 installed with pip; removed that and installed anew with AUR.

Got to version 0.7. But it seems like I still get some error that I'm not sure how to get further with :(

Traceback (most recent call last):
  File "/usr/bin/openconnect-sso", line 33, in <module>
    sys.exit(load_entry_point('openconnect-sso==0.7.0', 'console_scripts', 'openconnect-sso')())
  File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
    auth_response = await authenticate_to(
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 44, in authenticate
    response = self._complete_authentication(auth_request_response, sso_token)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 81, in _complete_authentication
    return parse_response(response)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 142, in parse_response
    return parse_auth_complete_response(xml)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 187, in parse_auth_complete_response
    auth_message=xml.auth.message,
  File "src/lxml/objectify.pyx", line 231, in lxml.objectify.ObjectifiedElement.__getattr__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: message
vlaci commented 3 years ago

It seems that your VPN doesn't send a message node upon authentication. Could you try modifying /usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py: change this line https://github.com/vlaci/openconnect-sso/blob/27b87603fa31cfedaf1a1ece4e39305f8b5aa3f5/openconnect_sso/authenticator.py#L187 to look like this:

auth_message=getattr(xml.auth, "message", ""),

I'll release an updated version if it works for you.

K4S1 commented 3 years ago

Hi,

Thanks for the pointer :-) But now something seems to be wrong at line 188, on the session-token :-/

[info     ] Browser exited                 [openconnect_sso.browser.browser]
Traceback (most recent call last):
  File "/usr/bin/openconnect-sso", line 33, in <module>
    sys.exit(load_entry_point('openconnect-sso==0.7.0', 'console_scripts', 'openconnect-sso')())
  File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
    auth_response = await authenticate_to(
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 44, in authenticate
    response = self._complete_authentication(auth_request_response, sso_token)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 81, in _complete_authentication
    return parse_response(response)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 142, in parse_response
    return parse_auth_complete_response(xml)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 188, in parse_auth_complete_response
    session_token=xml["session-token"],
  File "src/lxml/objectify.pyx", line 289, in lxml.objectify.ObjectifiedElement.__getitem__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: session-token
K4S1 commented 3 years ago

Found that there was a Debug Level on your connector. Guess this output helps more :)

[info     ] Browser exited                 [openconnect_sso.browser.browser]
[debug    ] Sending auth finish request    [openconnect_sso.authenticator] content=b'<?xml version=\'1.0\' encoding=\'UTF-8\'?>\n<config-auth client="vpn" type="auth-reply" aggregate-auth-version="2">\n  <version who="vpn">4.7.00136</version>\n  <device-id>linux-64</device-id>\n  <session-token/>\n  <session-id/>\n  <opaque is-for="sg">\n    <auth-method>single-sign-on-v2</auth-method>\n  </opaque>\n  <auth>\n    <sso-token>***I HAVE REMOVED***</sso-token>\n  </auth>\n</config-auth>\n'
https://***I HAVE REMOVED***:443 "POST / HTTP/1.1" 200 454
[debug    ] Auth finish response received  [openconnect_sso.authenticator] content=b'<?xml version="1.0" encoding="UTF-8"?>\n<config-auth client="vpn" type="complete">\n<version who="sg">0.1(1)</version>\n<auth id="success">\n<title>SSL VPN Service</title></auth>\n<config client="vpn" type="private"><vpn-profile-manifest><vpn rev="1.0"><file type="profile" service-type="user"><uri>/profiles//config/profile.xml</uri><hash type="sha1">***I HAVE REMOVED***</hash></file></vpn></vpn-profile-manifest>\n</config></config-auth>'
Traceback (most recent call last):
  File "/usr/bin/openconnect-sso", line 33, in <module>
    sys.exit(load_entry_point('openconnect-sso==0.7.0', 'console_scripts', 'openconnect-sso')())
  File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
    return app.run(args)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
    auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
  File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
    return future.result()
  File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 137, in _run
    auth_response = await authenticate_to(
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 44, in authenticate
    response = self._complete_authentication(auth_request_response, sso_token)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 81, in _complete_authentication
    return parse_response(response)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 142, in parse_response
    return parse_auth_complete_response(xml)
  File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 188, in parse_auth_complete_response
    session_token=xml["session-token"],
  File "src/lxml/objectify.pyx", line 289, in lxml.objectify.ObjectifiedElement.__getitem__
  File "src/lxml/objectify.pyx", line 450, in lxml.objectify._lookupChildOrRaise
AttributeError: no such child: session-token
vlaci commented 3 years ago

Huhh, that's something I have not encountered yet. The authentication succeeds but doesn't send the token required to initiate the connection. Maybe an explicit user/tunnelgroup needs to be specified. Could you try the following?

Download the profile file from https://<vpn-address>/profiles//config/profile.xml and save it somewhere. Then try connecting using the -P -p /path/to/profile.xml command line switches.
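A defensive parser for the auth-complete reply shown in the debug output above, added here as an example and not the project's own code: it treats the auth message as optional (the getattr change suggested earlier in the thread) and turns a missing or empty session-token into an explicit, actionable error instead of an AttributeError deep inside the parser. It uses the standard library's xml.etree instead of lxml.objectify, which openconnect-sso itself uses, so it runs without extra dependencies; the sample replies are constructed and the token and hash values are placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample mirroring this thread's debug output: success, but no <message> and no <session-token>.
RESPONSE_NO_TOKEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="complete">
<auth id="success">
<title>SSL VPN Service</title></auth>
<config client="vpn" type="private"><vpn-profile-manifest><vpn rev="1.0"><file type="profile" service-type="user"><uri>/profiles//config/profile.xml</uri><hash type="sha1">PLACEHOLDER_SHA1</hash></file></vpn></vpn-profile-manifest>
</config></config-auth>"""

# Constructed sample of the shape the wrapper expects (token value is made up).
RESPONSE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="complete">
<auth id="success"><message>Login successful</message></auth>
<session-token>EXAMPLE-TOKEN-0123</session-token>
</config-auth>"""

class AuthIncomplete(Exception):
    """Gateway reported success but issued no session token."""

@dataclass
class AuthCompleteResponse:
    auth_id: str
    auth_message: str
    session_token: str
    profile_uri: str  # path of the gateway's XML profile, "" if not advertised

def parse_auth_complete_response(raw: bytes) -> AuthCompleteResponse:
    root = ET.fromstring(raw)
    auth = root.find("auth")
    if auth is None:
        raise ValueError("response has no <auth> element")
    # Same effect as getattr(xml.auth, "message", ""): <message> is optional.
    auth_message = (auth.findtext("message") or "").strip()
    token = (root.findtext("session-token") or "").strip()
    if not token:
        # Fail closed with a diagnosis instead of an AttributeError inside the parser.
        raise AuthIncomplete(f"auth id={auth.get('id')!r} but no session-token in reply; "
                             "try an explicit user/tunnel group or the gateway profile")
    profile_uri = root.findtext("config/vpn-profile-manifest/vpn/file/uri") or ""
    return AuthCompleteResponse(auth.get("id", ""), auth_message, token, profile_uri)

def explain_failure(raw: bytes) -> str:
    """Return "" when the reply is usable, otherwise a one-line diagnosis."""
    try:
        parse_auth_complete_response(raw)
        return ""
    except (AuthIncomplete, ValueError, ET.ParseError) as exc:
        return str(exc)
```

The session token is a bearer credential for the VPN session, so a wrapper should report its absence without ever logging its value when it is present.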