Authentication failure #2
If You receive That response is from Your OKTA via You need to get token from If You are sure that password is correct, then maybe You are in domain and username is something like
Looks like I need to set up an MFA profile
❯ ./gp-okta.py gp-okta.conf
I think I know what the issue is. Currently, the script only supports Google factor authentication. Maybe You are using a different factor. If You could add
[INFO] prelogin request
Ok, so You are using OKTA factor, that's the issue. I have used only Google factor and that's what I implemented. I can try to change mine to OKTA factor and verify how it works. P.S. do You know what's the difference between Google and OKTA factors?
Heh, it looks like it's completely the same... just a TOTP using OKTA application, not Google application. At least, from user experience. Will investigate a bit and update this issue.
So, @nicksmoore, I've implemented also OKTA TOTP support. Make sure to change By the way, to use TOTP, you will need
thank you for adding this, I'm curious about the level of effort it would require to add okta verify push factor?
Can You verify that this works now (OKTA TOTP)? I'm not sure, haven't used this... would it be useful for You? What's the user experience, i.e., what do You need to do for push factor?
I'm trying to obtain the base32 token but not quite sure how; I don't see it anywhere in the okta factor api calls. https://developer.okta.com/docs/api/resources/factors nimoore@C02PR08EG3QD ~/pan-globalprotect-okta master ./gp-okta.py gp-okta.conf 594 22:45:45
Just for some context, I used my API token which I knew wouldn't work but just to gen some output.
You probably entered wrong secret. You must use TOTP secret, not token, which is in format "ABCDEFGHIJKLMNOP". You can get it when creating 2FA, by scanning it with normal QR code reader or by backing up the OTP program (if it allows). I use andOTP and it allows such thing. If You already have set up 2FA and don't know the OTP secret, You can reset it. Just did it for my colleague. He scanned QR code, wrote down the secret and then scanned it with normal OTP application.
Just wanted to provide an update: I was able to retrieve the TOTP secret but currently running into an issue with activating the TOTP factor through the API... I'll provide another update once I resolve this.
I was able to extract the base32 secret and validate TOTP authentication through the Okta API, however when I run the script I'm still getting an authentication error. My suspicion here is that there is nothing in the conf file for the 6 digit passcode. When I authenticate through the API it must be in the body. curl -X POST https://0bin.net/paste/Nd4m0s77yaXnLdgx#TpbVhA45aOOqWOCTWqI3zA-aHkjP3cpZgqI20EkJPcd
These have been very helpful https://developer.okta.com/reference/postman_collections/
It may just be easier to add functionality for push factor?
@nicksmoore, I don't understand what You are trying to do.... If you know the TOTP secret, then my program will generate passcodes automatically and will make according API request. You just need to add TOTP secret in configuration file and that's it! Like, Of course, there is no way to add passcode in configuration file, because passcode changes every 60 seconds. passcode on Your phone (and in this software) is being generated by TOTP secret + current date. That's how 2FA TOTP works. I don't understand what You mean to achieve by "TOTP authentication through the Okta API". It is being done for You by this software! Can You explain what is Your goal? Can You provide output from this software, when You add TOTP secret? Previously You gave output with exception, which happened because You didn't specify TOTP secret, but token. What issues are You facing right now?
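The mechanism described in the comment above (the passcode is derived from the base32 secret plus the current time, so nothing time-dependent belongs in the config file), as an added example that is not part of the project's gp-okta.py: it generates the RFC 6238 HMAC-SHA1 passcode and, unlike the bare decoder, rejects a value that is not base32, which is exactly the API-token mix-up that produced the earlier exception. The names `decode_base32_secret`, `totp` and `SecretFormatError` are my own; the key in the usage line is the RFC 6238 reference test key, not anyone's real secret.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 defaults, which are what Okta's TOTP factor and authenticator apps use.
TIME_STEP = 30
DIGITS = 6


class SecretFormatError(ValueError):
    """The configured value is not a base32 TOTP secret (e.g. an API token was pasted)."""


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 TOTP secret as shown in an authenticator app's backup.

    Spaces are tolerated and missing '=' padding is added. Anything outside the
    base32 alphabet (digits 0/1/8/9, '-', '_', ...) is rejected with a clear
    error instead of a decoder traceback deep inside the auth flow.
    """
    cleaned = secret.replace(" ", "").strip().upper()
    if not cleaned:
        raise SecretFormatError("TOTP secret is empty")
    cleaned += "=" * (-len(cleaned) % 8)  # b32decode insists on full padding
    try:
        return base64.b32decode(cleaned)
    except (binascii.Error, ValueError) as exc:
        raise SecretFormatError(
            "TOTP secret must be base32 (A-Z, 2-7) like 'ABCDEFGHIJKLMNOP'; "
            "an Okta API token will not work here") from exc


def totp(secret: str, at_time: Optional[int] = None,
         step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Return the HMAC-SHA1 TOTP passcode for now (or for the given Unix time)."""
    key = decode_base32_secret(secret)
    now = int(time.time()) if at_time is None else int(at_time)
    counter = struct.pack(">Q", now // step)  # 8-byte big-endian step count
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference key, not a real account secret.
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```

Note that the standard time step is 30 seconds, so a code captured from the phone is only valid for that window and a clock that is off by a minute will make the generated passcode fail even with the right secret.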
❯ echo "aZiNrRjRzDgbOUAdij9TL+WGKVMkqPdeqckey30RcpdU6n1flBB5CWkwA0nCNvssH018QiVY1dq/aNLulDEdIpTVPJuV6SlVNgbBj1sGffdd+2sKXSBIKGd5YsfOabhykp2Sxu/i+2Q8c+ndTYH9jHT4WHh3vQkKuHH746Dh9K7lHo64XK4txJlbxBuDM2WdugSmTn6q2Brg5tTFiJotmhPgM0di1Srjkj1l3IuDGQW14jM3ZJ5EsgjOL4GUkGnZOFX09GiO0VhQHSksDK9vPnTVaU6BF2g61E4e+EG6VkGYe5c2MViv6CZqz+N75fIGvHdb2lO3NEjod9PzrIjXng==" | openconnect --protocol=gp -u "nmoore@omniex.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin https://vpn-lax.omniex.io
@nicksmoore where did Your comments go? I was curious about it not working on Mac, as I also have one, not just for daily usage. Would like to fix it, if this really is an issue. Regarding Your latest issue, please, check README. I added it to known issues. Basically, You need to set P.S. there are a lot of new features (also that
I believe the issue on the Mac is that I was running pyotp on Python 2.7.14 (Mac) vs. Python 2.7.13 on Fedora. I will review the bug.nl issue later this evening.
Pulled down the newest version, updated bug.nl, debug = 0 ❯ ./gp-okta.py gp-okta.conf
@nicksmoore this was because
When I was running connect w/o 2FA I had to run as root, but for some reason when I do here I get gp unknown protocol
Running openconnect as root to GP-GW w/o 2FA does not produce the same error.
@nicksmoore because in one case You run
It's authenticated... I should have known, as it was a permissions issue...
So everything is good, we can close the ticket?
please do, also please consider adding push factor 👍
ok, closing this issue and adding #6 for updates regarding push factor.
Treat "Symantec VIP Access" as TOTP
I am currently using Okta/SAML authentication for both Mac and Windows clients and they are connecting fine. When I use globalconnect on my linux client it seems to bypass Okta/SAML and authenticate against the local db. When attempting to use this client I am getting the following.
[root@localhost]~/pan-globalprotect-okta# ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
err: okta auth request failed. status code: 401, text:
{"errorCode":"E0000004","errorSummary":"Authentication failed","errorLink":"E0000004","errorId":"oaeU1wwig8KQxqvCjiiefewKg","errorCauses":[]}
[root@localhost]~/pan-globalprotect-okta# more gp-okta.conf
debug = 0
vpn_url = https://..io
okta_url = https://****.okta.com
username = ****
password = ****
[root@localhost]~/openconnect# ./openconnect --protocol=gp ..io -vvv
Please enter your username and password
Username: xxx
Password:
POST https://xxx-xxx.xxxx.io/ssl-vpn/login.esp
Attempting to connect to server 69.75.20.146:443
Connected to xx.xx.xx.xx:443
SSL negotiation with xxx.xxx.io
Matched peer certificate subject name 'xxx-xxx.xxx.io'
Connected to HTTPS on xxx-xxx.xxx.io
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 625
Connection: keep-alive
ETag: "2bbc3-2346-5a72047f"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (625)
GlobalProtect login returned authentication-source=LOCAL
POST https://xxx-xxx.xxx.io/ssl-vpn/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1626
Connection: keep-alive
ETag: "2bbbd-1f3-5a72047f"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (1626)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
TCP_INFO rcv mss 1360, snd mss 1360, adv mss 1460, pmtu 1500
No MTU received. Calculated 1422 for ESP tunnel
POST https://xxx-xxx.xxxx.io/ssl-vpn/hipreportcheck.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 107
Connection: keep-alive
ETag: "2bbc0-6a6-5a72047f"
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Security-Policy: default-src 'self'
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (107)
Gateway says HIP report submission is needed.
WARNING: Server asked us to submit HIP report with md5sum 6097578a4cf144d77aab40121ac38119.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Parameters for incoming ESP: SPI 0xc918fd85
ESP encryption type AES-128-CBC (RFC3602) key 0xdbd208f7fb56379ce7c7c9a4afdf2f67
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0xae020d10daa6229640ba6eadffa5c46e6cd70078
Parameters for outgoing ESP: SPI 0x3050fc07
ESP encryption type AES-128-CBC (RFC3602) key 0x51f9e5cf3cebd260a3d0bd72eeb858a9
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0xab9b722294e681dfb26cdf49dd985fdf349c976c
Send ESP probes
Connected as 192.168.2.227, using SSL, with ESP in progress
Received ESP packet of 84 bytes
Accepting later-than-expected ESP packet with seq 1 (expected 0)
ESP session established with server
Received ESP packet of 84 bytes
Accepting expected ESP packet with seq 2
Received ESP packet of 84 bytes
Accepting expected ESP packet with seq 3
ESP tunnel connected; exiting HTTPS mainloop.
Sent ESP packet of 100 bytes
No work to do; sleeping for 10000 ms...
Sent ESP packet of 100 bytes
No work to do; sleeping for 6000 ms...
Send ESP probes for DPD
No work to do; sleeping for 5000 ms...
Received ESP packet of 84 bytes
Accepting expected ESP packet with seq 4
No work to do; sleeping for 10000 ms...
Sent ESP packet of 100 bytes
No work to do; sleeping for 9000 ms...
^CPOST https://xxx-xxx.xxx.io/ssl-vpn/logout.esp
SSL negotiation with xxx-xxx.omniex.io
Matched peer certificate subject name 'xxx-xxx.xxx.io'
Connected to HTTPS on xxx-xxx.xxx.io
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:48 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 259
Connection: keep-alive
ETag: "2bbc4-69f-5a72047f"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (259)
Logout successful