Authentication failure #2

Closed
ghost opened this issue Aug 27, 2018 · 33 comments
Labels: enhancement (New feature or request), question (Further information is requested)

Comments

ghost commented Aug 27, 2018

I am currently using Okta/SAML authentication for both Mac and Windows clients and they are connecting fine. When I use globalconnect on my linux client it seems to bypass Okta/SAML and authenticate against the local db. When attempting to use this client I am getting the following.

[root@localhost]~/pan-globalprotect-okta# ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
err: okta auth request failed. status code: 401, text:
{"errorCode":"E0000004","errorSummary":"Authentication failed","errorLink":"E0000004","errorId":"oaeU1wwig8KQxqvCjiiefewKg","errorCauses":[]}

[root@localhost]~/pan-globalprotect-okta# more gp-okta.conf
debug = 0
vpn_url = https://..io
okta_url = https://****.okta.com
username = ****
password = ****

[root@localhost]~/openconnect# ./openconnect --protocol=gp ..io -vvv
Please enter your username and password
Username: xxx
Password:
POST https://xxx-xxx.xxxx.io/ssl-vpn/login.esp
Attempting to connect to server 69.75.20.146:443
Connected to xx.xx.xx.xx:443
SSL negotiation with xxx.xxx.io
Matched peer certificate subject name 'xxx-xxx.xxx.io'
Connected to HTTPS on xxx-xxx.xxx.io
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 625
Connection: keep-alive
ETag: "2bbc3-2346-5a72047f"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Set-Cookie: PHPSESSID=aaa1c727455ed2207ce42c05edf5b14f; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (625)
GlobalProtect login returned authentication-source=LOCAL
POST https://xxx-xxx.xxx.io/ssl-vpn/getconfig.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1626
Connection: keep-alive
ETag: "2bbbd-1f3-5a72047f"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (1626)
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
TCP_INFO rcv mss 1360, snd mss 1360, adv mss 1460, pmtu 1500
No MTU received. Calculated 1422 for ESP tunnel
POST https://xxx-xxx.xxxx.io/ssl-vpn/hipreportcheck.esp
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:30 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 107
Connection: keep-alive
ETag: "2bbc0-6a6-5a72047f"
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Content-Security-Policy: default-src 'self'
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (107)
Gateway says HIP report submission is needed.
WARNING: Server asked us to submit HIP report with md5sum 6097578a4cf144d77aab40121ac38119.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Parameters for incoming ESP: SPI 0xc918fd85
ESP encryption type AES-128-CBC (RFC3602) key 0xdbd208f7fb56379ce7c7c9a4afdf2f67
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0xae020d10daa6229640ba6eadffa5c46e6cd70078
Parameters for outgoing ESP: SPI 0x3050fc07
ESP encryption type AES-128-CBC (RFC3602) key 0x51f9e5cf3cebd260a3d0bd72eeb858a9
ESP authentication type HMAC-SHA-1-96 (RFC2404) key 0xab9b722294e681dfb26cdf49dd985fdf349c976c
Send ESP probes
Connected as 192.168.2.227, using SSL, with ESP in progress
Received ESP packet of 84 bytes
Accepting later-than-expected ESP packet with seq 1 (expected 0)
ESP session established with server
Received ESP packet of 84 bytes
Accepting expected ESP packet with seq 2
Received ESP packet of 84 bytes
Accepting expected ESP packet with seq 3
ESP tunnel connected; exiting HTTPS mainloop.
Sent ESP packet of 100 bytes
No work to do; sleeping for 10000 ms...
Sent ESP packet of 100 bytes
No work to do; sleeping for 6000 ms...
Send ESP probes for DPD
No work to do; sleeping for 5000 ms...
Received ESP packet of 84 bytes
Accepting expected ESP packet with seq 4
No work to do; sleeping for 10000 ms...
Sent ESP packet of 100 bytes
No work to do; sleeping for 9000 ms...
^CPOST https://xxx-xxx.xxx.io/ssl-vpn/logout.esp
SSL negotiation with xxx-xxx.omniex.io
Matched peer certificate subject name 'xxx-xxx.xxx.io'
Connected to HTTPS on xxx-xxx.xxx.io
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 27 Aug 2018 15:56:48 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 259
Connection: keep-alive
ETag: "2bbc4-69f-5a72047f"
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block;
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self';
Ignoring unknown HTTP response line ' script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line ' style-src 'self' 'unsafe-inline';'
HTTP body length: (259)
Logout successful

arthepsy (Owner) commented Aug 28, 2018

If You receive err: okta auth request failed. status code: 401, then You have simply entered invalid username or password.

That response is from Your OKTA via /api/v1/authn. You can try to request it manually (let's say via curl) and see why it responds with Authentication failed, for example: curl -vk 'https://okta/api/v1/authn' -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username": "yourusername", "password": "yourpassword"}'

You need to get token from gp-okta.py, before calling openconnect, otherwise it won't work.

If You are sure that password is correct, then maybe You are in domain and username is something like DOMAIN/username, DOMAIN\username, or username@domain. If You are sure that everything is fine, then I would have to see more output from logs to comment ... enable debug=1 in config and re-run.

@arthepsy arthepsy added the question Further information is requested label Aug 28, 2018
ghost (Author) commented Aug 28, 2018

Looks like I need to setup an MFA profile

ghost (Author) commented Aug 29, 2018

❯ ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
err: no factor url found

@arthepsy (Owner)

I think I know what's the issue. Currently, the script only supports google factor authentication. Maybe You are using different factor.

If You could add print(factors) in okta_mfa and check, it would be helpful.

ghost (Author) commented Aug 30, 2018

[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
[{u'profile': {u'name': u"Nicholas's iPhone",
               u'keys': [{u'use': u'sig',
                          u'x5c': [u'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAimFLrwmPxKCiaHy9maHy+6kyPSgLB8qAlMoX4MySLoofoFlnHnOxbJvQq2Lm9Ne0sV41MJ6s/F8eKlUeBh23ryqkmRKoyLlhF1huwAqxk+gCku1HgtTLPPZFNDOeL3rOxarlS3K3lhgCi/E9/ZaVJoiv0n4cl32C6rPMTt5HXZWW/yBShbQzEv1jLKo7LQRQR2wteBXdHBkMhktJ98IkNLuuZ1rduX6woYGl4MFbN3WrfB/0VppfiSoq9aQSg9amNPwbqaUHvhYhdSasTKNT8/PMVo7oh/xtXsi6feP5Fr1mw4+6XAKUQepXc1WOXZpQVa7JngV1gpAtdieyVrlqIQIDAQAB'],
                          u'kty': u'PKIX',
                          u'kid': u'default'}],
               u'credentialId': u'nmoore@.io',
               u'platform': u'IOS',
               u'version': u'12.0',
               u'deviceType': u'SmartPhone_IPhone'},
  u'id': u'opf3fuweJyOBUYoEO355',
  u'factorType': u'push',
  u'_links': {u'verify': {u'href': u'https://.okta.com/api/v1/authn/factors/opf3fuweJyOBUYoEO355/verify',
                          u'hints': {u'allow': [u'POST']}}},
  u'provider': u'OKTA',
  u'vendorName': u'OKTA'},
 {u'profile': {u'credentialId': u'nmoore@****.io'},
  u'id': u'ost3g29h5gj7zf5rE355',
  u'factorType': u'token:software:totp',
  u'_links': {u'verify': {u'href': u'https://*****.okta.com/api/v1/authn/factors/ost3g29h5gj7zf5rE355/verify',
                          u'hints': {u'allow': [u'POST']}}},
  u'provider': u'OKTA',
  u'vendorName': u'OKTA'}]
err: no factor url found

@arthepsy (Owner)

Ok, so You are using OKTA factor, that's the issue. I have used only Google factor and that's what I implemented. I can try to change mine to OKTA factor and verify how it works.

P.S. do You know what's the difference between Google and OKTA factors?

@arthepsy (Owner)

Heh, it looks like it's completely the same... just a TOTP using OKTA application, not Google application. At least, from user experience. Will investigate a bit and update this issue.

@arthepsy arthepsy added the enhancement New feature or request label Aug 31, 2018
arthepsy added a commit that referenced this issue Aug 31, 2018
@arthepsy (Owner)

So, @nicksmoore, I've implemented also OKTA TOTP support. Make sure to change .conf file accordingly, i.e., now there is totp.okta, totp.google, etc. and topt_secret is deprecated. Take a look at example config file. I tested both with my account. If You have multiple totp factors added to OKTA account, then this script will prefer the one which is in configuration file.

By the way, to use TOTP, you will need pyotp. Make sure You have it installed.

ghost (Author) commented Aug 31, 2018

thank you for adding this, I'm curious about the level of effort it would require to add okta verify push factor?

arthepsy (Owner) commented Sep 1, 2018

Can You verify that this works now (OKTA TOTP)?

I'm not sure, haven't used this... would it be useful for You? What's the user experience, i.e., what do You need to do for push factor?

ghost (Author) commented Sep 2, 2018

I'm trying to obtain the base32 token but I'm not quite sure how; I don't see it anywhere in the Okta factor API calls.

https://developer.okta.com/docs/api/resources/factors

❯ ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
Traceback (most recent call last):
  File "./gp-okta.py", line 334, in <module>
    main()
  File "./gp-okta.py", line 321, in main
    token = okta_auth(conf, s)
  File "./gp-okta.py", line 175, in okta_auth
    session_token = okta_mfa(conf, s, j)
  File "./gp-okta.py", line 210, in okta_mfa
    return okta_mfa_totp(conf, s, totp_factors, state_token)
  File "./gp-okta.py", line 232, in okta_mfa_totp
    code = totp.now()
  File "/usr/local/lib/python2.7/site-packages/pyotp/totp.py", line 44, in now
    return self.generate_otp(self.timecode(datetime.datetime.now()))
  File "/usr/local/lib/python2.7/site-packages/pyotp/otp.py", line 33, in generate_otp
    hasher = hmac.new(self.byte_secret(), self.int_to_bytestring(input), self.digest)
  File "/usr/local/lib/python2.7/site-packages/pyotp/otp.py", line 50, in byte_secret
    return base64.b32decode(self.secret, casefold=True)
  File "/usr/local/Cellar/python@2/2.7.14_3/Frameworks/Python.framework/Versions/2.7/lib/python2.7/base64.py", line 229, in b32decode
    raise TypeError('Non-base32 digit found')
TypeError: Non-base32 digit found

ghost (Author) commented Sep 2, 2018

ghost (Author) commented Sep 2, 2018

Just for some context, I used my API token which I knew wouldn't work but just to gen some output.

arthepsy (Owner) commented Sep 3, 2018

You probably entered wrong secret. You must use TOTP secret, not token, which is in format "ABCDEFGHIJKLMNOP". You can get it when creating 2FA, by scanning it with normal QR code reader or by backing up the OTP program (if it allows). I use andOTP and it allows such thing.

If You already have set up 2FA and don't know the OTP secret, You can reset it. Just did it for my colleague. He scanned QR code, wrote down the secret and then scanned it with normal OTP application.

ghost (Author) commented Sep 4, 2018

Just wanted to provide an update I was able to retrieve the TOTP secret but currently running into an issue with activating the TOTP factor through the API... I'll provide another update once I resolve this.

ghost (Author) commented Sep 4, 2018

I was able to extract the base32 secret and validate TOTP authentication through the Okta API, however when I run the script I'm still getting an authentication error. My suspicion here is that there is nothing in the conf file for the 6 digit passcode. When I authenticate through the API it must be in the body.

curl -X POST \
  https://omniex.okta.com/api/v1/users/00u3e0z12K0mMbHBq355/factors/ost1ea7aqOyvQBoTA356/verify \
  -H 'Accept: application/json' \
  -H 'Authorization: SSWS {API Token}' \
  -H 'Cache-Control: no-cache' \
  -H 'Content-Type: application/json' \
  -H 'Postman-Token: *****************' \
  -d '{
    "passCode": "305824"
  }'

https://0bin.net/paste/Nd4m0s77yaXnLdgx#TpbVhA45aOOqWOCTWqI3zA-aHkjP3cpZgqI20EkJPcd

ghost (Author) commented Sep 4, 2018

These have been very helpful https://developer.okta.com/reference/postman_collections/

ghost (Author) commented Sep 4, 2018

It may just be easier to add functionality for push factor?

arthepsy (Owner) commented Sep 4, 2018

@nicksmoore, I don't understand what You are trying to do.... If you know the TOTP secret, then my program will generate passcodes automatically and will make according API request. You just need to add TOTP secret in configuration file and that's it! Like, totp.okta=ABC....

Of course, there is no way to add passcode in configuration file, because passcode changes every 60 seconds. passcode on Your phone (and in this software) is being generated by TOTP secret + current date. That's how 2FA TOTP works.

I don't understand what You mean to achieve by "TOTP authentication through the Okta API". It is being done for You by this software! Can You explain what is Your goal? Can You provide output from this software, when You add TOTP secret? Previously You gave output with exception, which happened because You didn't specify TOTP secret, but token. What issues are You facing right now?
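The MFA step the last several comments circle around (the factors list printed above, the totp.okta / totp.google configuration keys, a base32 TOTP secret versus an API token or a passcode, and the passcode being derived from secret plus current time), as an added example that is not part of gp-okta.py or of this issue. It implements RFC 6238 on the Python standard library instead of pyotp so it runs offline; the sample authn response, the factor ids, the okta host and the state token are constructed placeholders, not values from the thread.

```python
"""Added example (not gp-okta.py's own code): walk the Okta /api/v1/authn
MFA step -- read the offered factors, pick the TOTP factor whose provider
has a secret in the config (totp.okta / totp.google), generate the passcode
and build the .../verify request. TOTP is RFC 6238 on the standard library,
so it runs without pyotp (which gp-okta.py itself uses)."""
import base64
import binascii
import hashlib
import hmac
import struct
import time

# Constructed sample: what /api/v1/authn returns when a second factor is
# required, shaped like the factors dump in the thread. Ids, host and
# state token are placeholders.
SAMPLE_AUTHN_RESPONSE = {
    "status": "MFA_REQUIRED",
    "stateToken": "00stateTokenPlaceholder",
    "_embedded": {"factors": [
        {"id": "opfPUSH00000000000000", "factorType": "push", "provider": "OKTA",
         "_links": {"verify": {"href": "https://example.okta.com/api/v1/authn/factors/opfPUSH00000000000000/verify"}}},
        {"id": "ostTOTP00000000000000", "factorType": "token:software:totp", "provider": "OKTA",
         "_links": {"verify": {"href": "https://example.okta.com/api/v1/authn/factors/ostTOTP00000000000000/verify"}}},
        {"id": "uftGOOG00000000000000", "factorType": "token:software:totp", "provider": "GOOGLE",
         "_links": {"verify": {"href": "https://example.okta.com/api/v1/authn/factors/uftGOOG00000000000000/verify"}}},
    ]},
}


def _normalise_b32(secret):
    """Upper-case, drop spaces, restore padding to a multiple of 8 chars."""
    s = secret.strip().replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def is_base32_secret(secret):
    """True if this looks like a TOTP secret ("ABCDEFGHIJKLMNOP" style).
    An API token or a 6-digit passcode pasted in its place is exactly what
    makes pyotp raise "Non-base32 digit found"."""
    try:
        return len(base64.b32decode(_normalise_b32(secret), casefold=True)) > 0
    except (binascii.Error, ValueError):
        return False


def totp(secret_b32, for_time=None, digits=6, step=30, digest=hashlib.sha1):
    """RFC 6238: HOTP (RFC 4226) over the counter floor(unix_time / step).
    The default 30-second step is what Okta and Google Authenticator use."""
    if not is_base32_secret(secret_b32):
        raise ValueError("totp.* must be the base32 TOTP secret, not an API token or passcode")
    key = base64.b32decode(_normalise_b32(secret_b32), casefold=True)
    counter = int(time.time() if for_time is None else for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def configured_totp_secrets(conf):
    """{'OKTA': secret, 'GOOGLE': secret} from totp.okta / totp.google keys."""
    return {k.split(".", 1)[1].upper(): v
            for k, v in conf.items() if k.startswith("totp.") and v}


def select_totp_factor(factors, conf):
    """Prefer the token:software:totp factor whose provider is configured.
    Push factors are skipped: neither the thread's script nor this example
    handles them."""
    secrets = configured_totp_secrets(conf)
    for f in factors:
        if f.get("factorType") != "token:software:totp":
            continue
        provider = f.get("provider", "").upper()
        if provider in secrets:
            return f, secrets[provider]
    return None, None


def build_verify_request(authn_response, conf, for_time=None):
    """Return (url, json_body) for POST .../authn/factors/{id}/verify, or
    raise when no offered TOTP factor matches the config (the situation the
    thread reports as "no factor url found")."""
    if authn_response.get("status") != "MFA_REQUIRED":
        raise ValueError("unexpected authn status %r" % authn_response.get("status"))
    factors = authn_response.get("_embedded", {}).get("factors", [])
    factor, secret = select_totp_factor(factors, conf)
    if factor is None:
        raise LookupError("no factor url found: configured %s, offered %s" % (
            sorted(configured_totp_secrets(conf)),
            sorted(set(f.get("provider", "") for f in factors))))
    return factor["_links"]["verify"]["href"], {
        "stateToken": authn_response["stateToken"],
        "passCode": totp(secret, for_time),
    }
```

On success Okta answers the verify POST with status SUCCESS and a sessionToken, which is what the script then carries into the SAML redirect; the base32 check up front turns the pyotp traceback seen earlier in the thread into a message that names the actual mistake.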

ghost (Author) commented Sep 5, 2018

❯ echo "aZiNrRjRzDgbOUAdij9TL+WGKVMkqPdeqckey30RcpdU6n1flBB5CWkwA0nCNvssH018QiVY1dq/aNLulDEdIpTVPJuV6SlVNgbBj1sGffdd+2sKXSBIKGd5YsfOabhykp2Sxu/i+2Q8c+ndTYH9jHT4WHh3vQkKuHH746Dh9K7lHo64XK4txJlbxBuDM2WdugSmTn6q2Brg5tTFiJotmhPgM0di1Srjkj1l3IuDGQW14jM3ZJ5EsgjOL4GUkGnZOFX09GiO0VhQHSksDK9vPnTVaU6BF2g61E4e+EG6VkGYe5c2MViv6CZqz+N75fIGvHdb2lO3NEjod9PzrIjXng==" | openconnect --protocol=gp -u "nmoore@omniex.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin https://vpn-lax.omniex.io
Please enter your username and password
portal-userauthcookie:
fgets (stdin): Inappropriate ioctl for device

arthepsy (Owner) commented Sep 5, 2018

@nicksmoore where did Your comments go? I was curious about it not working on Mac, as I also have one, not just for daily usage. Would like to fix it, if this really is an issue.

Regarding Your latest issue, please, check README. I added it to known issues. Basically, You need to set bug.nl=0 to bug.nl=1 in Your configuration, until upstream openconnect fixes it. You can read up more about it in dlenski/openconnect#116 (comment)

P.S. there are a lot of new features (also that bug.nl), if You haven't pulled newest version; please do.

ghost (Author) commented Sep 5, 2018

I believe the issue in the mac is I was running pyotp on version Python 2.7.14 (Mac) vs. Python 2.7.13 on Fedora.
http://blog.pinaxproject.com/2015/12/08/how-test-against-multiple-python-versions-parallel/

I will review the bug.nl issue later this evening.

ghost (Author) commented Sep 6, 2018

Pulled down the newest version and updated bug.nl

debug = 0
vpn_url = https://vpn-lax.****.io
okta_url = https://****.okta.com
username = nmoore
password = ******
totp.okta = *****
bug.nl = 1

❯ ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
[INFO] mfa okta totp request
[INFO] sessionToken: 20111cMmspNKDEktFcZZ1GY3CqNrG6K774_62Kosv-yVHw1ML63LLJf
[INFO] okta redirect request
[INFO] okta redirect form request
[INFO] saml-username: nmoore@****.io
[INFO] prelogin-cookie: EQMv20myDiKDpUruzsWzT5nwBa21NoVS6JgW1vwFuuGfRjf1hVdYvd+J3lDwNcQN
[INFO] getconfig request
[INFO] portal-userauthcookie: P8M2FO0coiNSor/zhFE7gI5P2j2SmqwuHijeJp10YcaiRrmMMa+dknxVOpfE3ljpqvPlKpv91hf7KvkPH22+H+8I9zELqX2th/qUICFx05NCteVagpAzJEDDx3vmLAY/+QVAEazW7g4zGKPY1Q+kBBoOVHBr44TYX5D5wzWxNli0s2Txzzmi6RvDO920EelJ4pVtPMBxXX/VHTD4XzB7Btj72QJxuG8aK34pDN/i2Z7a0JjlNMjjtx5aQStEu74AppPauMkDGcz4v8M15eDcKz2SEsAf0hazH4olA8ZLEQipDoWbe85uUgqbl8l11QHsRbvHbnLxNoBLw8jijI4awg==
Traceback (most recent call last):
  File "./gp-okta.py", line 372, in <module>
    main()
  File "./gp-okta.py", line 351, in main
    cmd += ' --passwd-on-stdin ' + conf.get('openconnect_args') + ' "{1}"'
TypeError: cannot concatenate 'str' and 'NoneType' objects

arthepsy (Owner) commented Sep 6, 2018

@nicksmoore this was because openconnect_args was not defined (or commented out) and not left empty. I fixed it.

ghost (Author) commented Sep 6, 2018

pan-globalprotect-okta git/master*  
❯ printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | openconnect --protocol=gp -u "nmoore@omniex.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.omniex.io"
Please enter your username and password
portal-userauthcookie: 
POST https://vpn-lax.omniex.io/global-protect/getconfig.esp
Connected to [2607:7700:0:15::454b:1492]:443
SSL negotiation with vpn-lax.omniex.io
Connected to HTTPS on vpn-lax.omniex.io
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
1 gateway servers available:
  GP-EXT (vpn-lax.omniex.io)
Please select GlobalProtect gateway.
GATEWAY: [GP-EXT]:GP-EXT
POST https://vpn-lax.omniex.io/ssl-vpn/login.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
GlobalProtect login returned authentication-source=Okta SAML
POST https://vpn-lax.omniex.io/ssl-vpn/getconfig.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1406 for ESP tunnel
POST https://vpn-lax.omniex.io/ssl-vpn/hipreportcheck.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
WARNING: Server asked us to submit HIP report with md5sum 2166bf50594d69cadcca9a24af8089fa.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Connected as 192.168.2.235, using SSL, with ESP in progress
Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See http://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed
Unknown error; exiting.

pan-globalprotect-okta git/master*
❯ ping sm1-utilx001
ping: sm1-utilx001: Name or service not known

pan-globalprotect-okta git/master*
❯ sudo printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | openconnect --protocol=gp -u "nmoore@omniex.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.omniex.io"
[sudo] password for nmoore: 
Please enter your username and password
portal-userauthcookie: 
POST https://vpn-lax.omniex.io/global-protect/getconfig.esp
Connected to [2607:7700:0:15::454b:1492]:443
SSL negotiation with vpn-lax.omniex.io
Connected to HTTPS on vpn-lax.omniex.io
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
1 gateway servers available:
  GP-EXT (vpn-lax.omniex.io)
Please select GlobalProtect gateway.
GATEWAY: [GP-EXT]:GP-EXT
POST https://vpn-lax.omniex.io/ssl-vpn/login.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
GlobalProtect login returned authentication-source=Okta SAML
POST https://vpn-lax.omniex.io/ssl-vpn/getconfig.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1406 for ESP tunnel
POST https://vpn-lax.omniex.io/ssl-vpn/hipreportcheck.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
WARNING: Server asked us to submit HIP report with md5sum 2166bf50594d69cadcca9a24af8089fa.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Connected as 192.168.2.236, using SSL, with ESP in progress
Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See http://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed
Unknown error; exiting.

pan-globalprotect-okta git/master*
❯ ping sm1-utilx001
ping: sm1-utilx001: Name or service not known

pan-globalprotect-okta git/master*
❯ openconnect --version
OpenConnect version v7.08-127-gf54cc9a5
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

ghost (Author) commented Sep 6, 2018

❯ printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | sudo openconnect --protocol=gp -u "nmoore@****.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.***.io"
Unknown VPN protocol 'gp'

ghost (Author) commented Sep 6, 2018

When I was running connect w/o 2FA I had to run as root, but for some reason when I do here I get gp unknown protocol


❯ sudo su root
[root@sm1-nmoore pan-globalprotect-okta]# printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | openconnect --protocol=gp -u "nmoore@****.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.***.io"
Unknown VPN protocol 'gp'

ghost (Author) commented Sep 6, 2018

Running openconnect as root to GP-GW w/o 2FA does not produce the same error.

❯ sudo ./openconnect --protocol=gp vpn-ny5.***.io
[sudo] password for nmoore: 
Please enter your username and password
Username: nmoore
Password: 
POST https://vpn-ny5.omniex.io/ssl-vpn/login.esp
Connected to [2607:7700:0:15::8367:74c6]:443
SSL negotiation with vpn-ny5.omniex.io
Connected to HTTPS on vpn-ny5.omniex.io
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
GlobalProtect login returned authentication-source=Local_Auth
POST https://vpn-ny5.omniex.io/ssl-vpn/getconfig.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1406 for ESP tunnel
POST https://vpn-ny5.omniex.io/ssl-vpn/hipreportcheck.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Connected as 10.5.11.238, using SSL, with ESP in progress
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.

arthepsy (Owner) commented Sep 6, 2018

@nicksmoore because in one case You run openconnect (which is taken from PATH environment variable) and in other case You run ./openconnect (which is taken from current directory). Adjust openconnect_cmd in .conf file as You need, e.g., sudo ./openconnect and everything will be fine.
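The openconnect hand-off the last few comments converge on, as an added example that is not gp-okta.py's or openconnect's code: it builds the argv list and the stdin payload from the config keys the thread shows (openconnect_cmd, openconnect_args, bug.nl), tolerates a missing openconnect_args, prepends the newline that the working printf "\n..." command above uses when bug.nl = 1, resolves whether openconnect from PATH or ./openconnect from the working directory will actually run, and parses `openconnect --version` to see whether that build lists gp. The sample config and the version text are constructed from values in the thread; passing arguments as a list instead of a concatenated shell string is a design choice of this example, not a description of the project's code.

```python
"""Added example (not code from pan-globalprotect-okta or openconnect):
argv list plus stdin text for the portal-userauthcookie login, and helpers
for the two environment questions the thread ran into (which openconnect
binary runs, and whether it supports the gp protocol)."""
import os
import shlex
import shutil
import subprocess

# Constructed sample config with the same keys as the gp-okta.conf in the
# thread. Values are placeholders; openconnect_args is deliberately absent.
SAMPLE_CONF = {
    "vpn_url": "https://vpn.example.com",
    "username": "nmoore",
    "bug.nl": "1",
    "openconnect_cmd": "sudo ./openconnect",
}

# Constructed from the `openconnect --version` output pasted in the thread.
SAMPLE_VERSION_OUTPUT = (
    "OpenConnect version v7.08-127-gf54cc9a5\n"
    "Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), "
    "HOTP software token, TOTP software token, DTLS, ESP\n"
    "Supported protocols: anyconnect (default), nc, gp\n"
)


def build_openconnect_invocation(conf, portal_userauthcookie):
    """argv list and stdin text for the cookie-based GlobalProtect login.

    Arguments are kept as a list, so a missing openconnect_args is simply
    an empty list (the TypeError in the thread came from concatenating
    None into a string) and config values are never re-split by a shell."""
    argv = shlex.split(conf.get("openconnect_cmd") or "openconnect")
    argv += ["--protocol=gp", "-u", conf["username"],
             "--usergroup", "portal:portal-userauthcookie",
             "--passwd-on-stdin"]
    argv += shlex.split(conf.get("openconnect_args") or "")
    argv.append(conf["vpn_url"])
    stdin = portal_userauthcookie + "\n"
    if conf.get("bug.nl", "0") == "1":
        # the leading newline the thread's working `printf "\n<cookie>"` adds
        stdin = "\n" + stdin
    return argv, stdin


def resolve_openconnect(cmd_string):
    """Which binary will actually run: a bare name is looked up in PATH, a
    path such as ./openconnect is taken relative to the working directory.
    Prefix words such as sudo are skipped; None if a bare name is not on PATH."""
    for word in shlex.split(cmd_string):
        if os.path.basename(word) != "openconnect":
            continue
        if os.sep in word:
            return os.path.abspath(word)
        return shutil.which(word)
    return None


def supported_protocols(version_output):
    """Protocol names from the 'Supported protocols:' line of --version output."""
    for line in version_output.splitlines():
        if line.startswith("Supported protocols:"):
            names = line.split(":", 1)[1].split(",")
            return {n.strip().split(" ")[0] for n in names}
    return set()


def binary_supports_gp(binary):
    """Run `<binary> --version`; a build that does not list gp is what
    answers "Unknown VPN protocol 'gp'"."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True).stdout
    return "gp" in supported_protocols(out)


def run_openconnect(conf, portal_userauthcookie):
    """Feed the cookie on stdin and return openconnect's exit status."""
    argv, stdin = build_openconnect_invocation(conf, portal_userauthcookie)
    return subprocess.run(argv, input=stdin, text=True).returncode
```

Before launching, `resolve_openconnect(conf["openconnect_cmd"])` followed by `binary_supports_gp(...)` tells apart the two situations in the thread: the gp-capable build in the working directory versus whatever an unqualified `openconnect` resolves to in PATH.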

ghost (Author) commented Sep 6, 2018

It's authenticated... I should have known as it was a permissions issue...

arthepsy (Owner) commented Sep 6, 2018

So everything is good, we can close the ticket?

ghost (Author) commented Sep 6, 2018

please do, also please consider adding push factor 👍

arthepsy (Owner) commented Sep 7, 2018

ok, closing this issue and adding #6 for updates regarding push factor.

@arthepsy arthepsy closed this as completed Sep 7, 2018
arthepsy pushed a commit that referenced this issue May 21, 2020