GlobalProtect-openconnect
Usage in WSL?
Hi, first of all, thank you for your efforts in this project!
Okay, I understand my use case is very rare. I have a Windows on ARM device, and the official GP client doesn't support Win on ARM. So I'm trying with WSL, like every time Win on ARM gets stuck.
I use wslu for the virtual browser in WSL, which auto port-forwards to Chrome in my main system. With `sudo -E gpclient --fix-openssl connect --browser wslview`
But it hangs there.
F12 gives the following error: ACS:1 Failed to launch 'globalprotectcallback: *********' because the scheme does not have a registered handler.
So I guess it is attempting to launch GP in the main system (Windows), which doesn't exist. In this case, is there any way to perform the authentication on the port-forwarded browser outside and send the callback back to WSL?
(I understand just install gnome in WSL can get rid of this trouble, but gnome is not an option for my outdated device)
Update:
I noticed #463 and #431, so I tried with their workaround, opening a new bash and
echo -n "globalprotectcallback:*******" | nc 127.0.0.1 40353
The CLI tool proceeds to the following:
[2025-01-26T06:41:43Z INFO gpclient::cli] gpclient started: 2.3.11 (2025-01-21)
[2025-01-26T06:41:43Z INFO gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-01-26T06:41:43Z INFO gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect
[2025-01-26T06:41:44Z INFO gpauth::cli] gpauth started: 2.3.11 (2025-01-21)
[2025-01-26T06:41:44Z INFO gpauth::cli] Fixing OpenSSL environment
[2025-01-26T06:41:44Z INFO gpapi::process::browser_authenticator] Launching browser: wslview
[2025-01-26T06:41:44Z INFO gpauth::cli] Please continue the authentication process in the default browser
[2025-01-26T06:41:44Z INFO gpauth::cli] Listening authentication data on port 40353
[2025-01-26T06:41:44Z INFO gpauth::cli] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2025-01-26T06:41:53Z INFO gpauth::cli] Received the browser authentication data from the socket
[2025-01-26T06:41:55Z INFO gpauth::cli] Authentication completed
[2025-01-26T06:41:55Z INFO gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2025-01-26T06:41:55Z WARN gpapi::portal::config] GP response error: reason=auth-failed, status=512 <unknown status code>, body=<empty>
The base64 string decodes to <html><!-- <saml-auth-status>1</saml-auth-status> so the authentication should have no problem I guess?
The expected globalprotectcallback payload should have the cookie field. It could be a problem if its content is just <html><!-- <saml-auth-status>1</saml-auth-status>.
Sorry I didn't make it clear. The decoded content is:
<html><!-- <saml-auth-status>1</saml-auth-status><prelogin-cookie>2nryI3qnx/FZ04yT0FNs9xY0x8bQdd1gu8Rf2LuZur1JovrLncUsmJqST3xLvz13</prelogin-cookie><saml-username>EMAIL@ADDRESS</saml-username><saml-slo>yes</saml-slo><saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter> --></html>
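A way to check which fields a callback carries without pasting the cookie into a public issue, as an added Python example that is not part of the thread or of the project's code. It assumes the layout described above (the text after `globalprotectcallback:` is base64 of the HTML comment); the sample values are constructed.

```python
import base64
import re

SCHEME = "globalprotectcallback:"
# Field names taken from the decoded payload quoted in this thread.
FIELDS = ("saml-auth-status", "prelogin-cookie", "saml-username", "saml-slo")
REDACT = {"prelogin-cookie", "saml-username"}  # never share these verbatim


def decode_callback(url):
    """Return the decoded text of a globalprotectcallback: URL."""
    if not url.startswith(SCHEME):
        raise ValueError("not a globalprotectcallback URL")
    b64 = url[len(SCHEME):].strip()
    b64 += "=" * (-len(b64) % 4)  # tolerate padding lost in copy/paste
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def summarize(url):
    """Map each known field to its value (secrets redacted), or None if absent/empty."""
    text = decode_callback(url)
    out = {}
    for name in FIELDS:
        m = re.search(r"<{0}>(.*?)</{0}>".format(re.escape(name)), text, re.S)
        value = m.group(1).strip() if m else None
        if value and name in REDACT:
            value = "<redacted, %d chars>" % len(value)
        out[name] = value or None
    return out


def missing_fields(url):
    """Fields the payload lacks; a missing prelogin-cookie means login cannot proceed."""
    return [k for k, v in summarize(url).items() if v is None]


# Constructed sample payloads (not real credentials).
SAMPLE_HTML = ("<html><!-- <saml-auth-status>1</saml-auth-status>"
               "<prelogin-cookie>CONSTRUCTED-COOKIE-VALUE</prelogin-cookie>"
               "<saml-username>user@example.com</saml-username>"
               "<saml-slo>yes</saml-slo> --></html>")
SAMPLE_URL = SCHEME + base64.b64encode(SAMPLE_HTML.encode()).decode()
TRUNCATED_URL = SCHEME + base64.b64encode(
    b"<html><!-- <saml-auth-status>1</saml-auth-status>").decode()

if __name__ == "__main__":
    print(summarize(SAMPLE_URL))
    print("missing:", missing_fields(TRUNCATED_URL))
```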
Try running it with the --as-gateway parameter, e.g., gpclient connect <portal> --as-gateway, see what happens.
Ok it now gives a more detailed error msg:
[2025-01-26T10:35:59Z WARN gpapi::gateway::login] GP response error: reason=
Error: Gateway login error:
Strange thing. My login goes through an organization login with 2FA (Microsoft sharepoint one). The email address in the
Looks not related to the --as-gateway parameter. Have you ever tried it on a Linux machine?
I just tried on an EC2 VM, port forward and open with a different browser, and it gives the same error. I start to feel like this is a problem with my organization's auth service.
Thank you for your kind help anyway!