GlobalProtect-openconnect
Integrate with NetworkManager
Sorry for taking so long to get back to you. There are two issues. Please let me know if I should split these into two reports.
First issue regarding using Network Manager. Here is the log that I get when I try to connect using Network Manager.
POST https://ras.cf.ac.uk/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 131.251.255.229:443
Connected to 131.251.255.229:443
SSL negotiation with ras.cf.ac.uk
Connected to HTTPS on ras.cf.ac.uk with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Mon, 19 Feb 2024 10:15:42 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 1544
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=6bf7bd7e-8dee-4848-b471-c69b7d0ca56e; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (1544)
SAML REDIRECT authentication is required via https://login.microsoftonline.com/bdb74b30-9568-4856-bdbf-06759778fcbc/saml2?SAMLRequest=hVHLTsMwEPyVyPe8XOdlNZFCe6BSEVETOHBBjuO0FoldvA7i80lbEOVSjrs7O7MzuwQ2DkdaTvagduJ9EmCdz3FQQM%2BDHE1GUc1AAlVsFEAtp3X5sKXYC%2BjRaKu5HpBTAghjpVYrrWAahamF%2BZBcPO22OTpYewTq%2B4aBx3uPcW96o4Qs%2FBMRDvy68stVjZz1LC4VO9H8Lg16L5U3Sm406N5qNUglPK5Hv%2B3ahLSLwM2iOHVJGsXu3OrdIE6iLEnSnrfcP7nAyNmsc%2FSaxISxqI%2B7TGAiwrbr%2BqTDPEtZGnQxCWcYwCQ2CixTNkc4wMQNsBtmTRjQMKIEvyCn%2BjZ9J1Un1f52Qu0FBPS%2BaSq3eqwb5DwLA2eLMwAVy9OF9CxsrpK%2FTct%2B4kbF%2F%2BEu%2FSuJ4lL9%2FXjxBQ%3D%3D&RelayState=6OEFAKUOnWU2YmY3YmQ3ZS04ZGVlLTQ4NDgtYjQ3MS1jNjliN2QwY2E1NmU%3D
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.
Failed to parse XML server response
Response was:
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>aHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tL2JkYjc0YjMwLTk1NjgtNDg1Ni1iZGJmLTA2NzU5Nzc4ZmNiYy9zYW1sMj9TQU1MUmVxdWVzdD1oVkhMVHNNd0VQeVZ5UGU4WE9kbE5aRkNlNkJTRVZFVE9IQkJqdU8wRm9sZHZBN2k4MGxiRU9WU2pyczdPN016dXdRMkRrZGFUdmFnZHVKOUVtQ2R6M0ZRUU0lMkJESEUxR1VjMUFBbFZzRkVBdHAzWDVzS1hZQyUyQmpSYUt1NUhwQlRBZ2hqcFZZcnJXQWFoYW1GJTJCWkJjUE8yMk9UcFlld1RxJTJCNGFCeDN1UGNXOTZvNFFzJTJGQk1SRHZ5NjhzdFZqWnoxTEM0Vk85SDhMZzE2TDVVM1NtNDA2TjVxTlVnbFBLNUh2JTJCM2FoTFNMd00yaU9IVkpHc1h1M09yZElFNmlMRW5TbnJmY1A3bkF5Tm1zYyUyRlNheElTeHFJJTJCN1RHQWl3cmJyJTJCcVREUEV0WkduUXhDV2NZd0NRMkNpeFROa2M0d01RTnNCdG1UUmpRTUtJRXZ5Q24lMkJqWjlKMVVuMWY1MlF1MEZCUFMlMkJhU3EzZXF3YjVEd0xBMmVMTXdBVnk5T0Y5Q3hzcnBLJTJGVGN0JTJCNGtiRiUyRiUyQkV1JTJGU3VKNGxMOSUyRlhqeEJRJTNEJTNEJlJlbGF5U3RhdGU9Nk9FRkFLVU9uV1UyWW1ZM1ltUTNaUzA0WkdWbExUUTRORGd0WWpRM01TMWpOamxpTjJRd1kyRTFObVUlM0Q=</saml-request>
<auth-api>no</auth-api><region>GB</region>
</prelogin-response>
Network Manager does not manage to open a browser window for MFA. So I'm guessing that the relevant display variables are not being passed on. Is there a way to include these in Network Manager?
Originally posted by @gonneman in https://github.com/yuezk/GlobalProtect-openconnect/issues/316#issuecomment-1952150297
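An added example, not part of the thread or of either project's code: it reads a prelogin-response like the one in the log above and reports whether sign-in needs a browser, which is the step that failed under Network Manager. The names `build_sample` and `parse_prelogin` and the host `idp.example.test` are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

def build_sample(saml_url=None):
    """Constructed prelogin-response (not the reporter's data), same element names as the log."""
    saml = ""
    if saml_url is not None:
        blob = base64.b64encode(saml_url.encode()).decode()
        saml = ("<saml-auth-method>REDIRECT</saml-auth-method>"
                f"<saml-request>{blob}</saml-request>")
    return ('<?xml version="1.0" encoding="UTF-8" ?><prelogin-response>'
            "<status>Success</status><username-label>Username</username-label>"
            f"<password-label>Password</password-label>{saml}"
            "<region>GB</region></prelogin-response>")

def parse_prelogin(xml_text):
    """Return the login method a client has to drive for this prelogin response."""
    root = ET.fromstring(xml_text)
    if root.tag != "prelogin-response":
        raise ValueError("not a prelogin-response document")
    status = (root.findtext("status") or "").strip()
    if status != "Success":
        raise ValueError(f"prelogin status is {status!r}")
    method = (root.findtext("saml-auth-method") or "").strip().upper()
    request = (root.findtext("saml-request") or "").strip()
    if not method or not request:
        # Assumption: without SAML fields the portal expects the username/password form.
        return {"auth": "password"}
    try:
        decoded = base64.b64decode(request, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("saml-request is not base64-encoded text") from exc
    if method != "REDIRECT":
        # Other methods (for example POST, which carries an HTML form) are out of scope here.
        return {"auth": "saml", "method": method, "payload": decoded}
    url = urlsplit(decoded)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("SAML redirect target is not an https URL")
    # A browser (or embedded web view) has to open this URL to complete sign-in and MFA.
    return {"auth": "saml", "method": method, "url": decoded, "idp_host": url.hostname}

if __name__ == "__main__":
    print(parse_prelogin(build_sample("https://idp.example.test/saml2?SAMLRequest=abc")))
```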
Not sure whether it is related to the DISPLAY variable.
In 1.x, I was planning to integrate with NetworkManager. Also tried to understand the code of https://gitlab.gnome.org/GNOME/NetworkManager-openconnect. As I remember, openconnect provides some hooks that the NetworkManager-openconnect can implement to customize the authenticator.
Is there any information that I can provide that would help with this?
Currently, I'm not planning to integrate with NetworkManager in 2.x, and I'm not familiar with the NetworkManager-openconnect project. You should raise an issue there to see if they could provide help.
To connect with NetworkManager actually is not that hard. I managed to create this script that automatically does all the necessary steps to connect to a GP VPN using openconnect and NetworkManager (nmcli). I think you can integrate that into your application and have an option like "Connect using NetworkManager", so the users can choose whether to connect directly just using plain openconnect or manage their connections using NetworkManager.