GlobalProtect-openconnect

How to pass client certificate?

Open tunix opened this issue 2 years ago • 4 comments

Hi @yuezk ,

Thank you for this wonderful application! I know that I'm able to pass custom configuration parameters via the GUI and know that there is a --certificate=... parameter. However, I can't seem to make it work. When I pass this parameter, I don't see any clues in the logs as to whether it's passed or not. Should I pass other parameters as well? Could you please provide me an example list of configuration parameters so that I can log in with a certificate without having to type in SAML credentials?

tunix avatar Sep 16 '21 13:09 tunix

Actually, any parameter of the openconnect cli can be passed.

You can view the log file located at ~/.cache/GlobalProtect-openconnect/gpclient.log to see the final parameters passed to the openconnect cli.

yuezk avatar Sep 16 '21 15:09 yuezk

Unfortunately I don't see anything related to openconnect itself. Rather, I see the following output:

2021-09-16 22:28:41.070 INFO  [68361] [main@22] GlobalProtect started, version: v1.3.2
2021-09-16 22:28:41.209 INFO  [68361] [GPClient::populateGatewayMenu@140] Populating the Switch Gateway menu...
2021-09-16 22:28:45.781 INFO  [68361] [GPClient::populateGatewayMenu@140] Populating the Switch Gateway menu...
2021-09-16 22:29:56.704 INFO  [68361] [GPClient::doConnect@245] Start connecting...
2021-09-16 22:29:56.704 INFO  [68361] [GPClient::doConnect@261] Start gateway login using the previously saved gateway...
2021-09-16 22:29:56.704 INFO  [68361] [GPClient::gatewayLogin@356] Performing gateway login...
2021-09-16 22:29:56.710 INFO  [68361] [GatewayAuthenticator::authenticate@30] Start gateway authentication...
2021-09-16 22:29:56.711 INFO  [68361] [GatewayAuthenticator::login@46] Trying to login the gateway at https://vpn.myvpn.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=comp123&ok=Login&direct=yes&clientVer=4100&os-version=Pop%21_OS 21.04&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=&clientos=Linux
2021-09-16 22:29:57.138 ERROR [68361] [GatewayAuthenticator::onLoginFinished@58] Failed to login the gateway at https://vpn.myvpn.com/ssl-vpn/login.esp, Error transferring https://vpn.myvpn.com/ssl-vpn/login.esp - server replied: Custom error
2021-09-16 22:29:57.138 INFO  [68361] [GatewayAuthenticator::doAuth@79] Perform the gateway prelogin at https://vpn.myvpn.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-09-16 22:29:57.186 INFO  [68361] [GatewayAuthenticator::onPreloginFinished@96] Gateway prelogin succeeded.
2021-09-16 22:29:57.186 INFO  [68361] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-09-16 22:29:57.186 INFO  [68361] [GatewayAuthenticator::samlAuth@154] Trying to perform SAML login with saml-method POST
2021-09-16 22:29:57.319 INFO  [68361] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/html;charset=UTF-8,%3Chtml%3E%0A%3Cbody%3E%0A%3Cform%20id%3D%22myform%22%20method%3D%22POST%22%20action%3D%22https%3A%2F%2Fxxx.myvpn.com%2FSAAS%2Fauth%2Ffederation%2Fsso%22%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22SAMLRequest%22%20value%3D%22SAML_PAYLOAD_HERE%3D%22%20%2F%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22RelayState%22%20value%3D%22DcgjAHCXDWA5NDI3NjE5NDQxMWFmOTdlOTc3ZTdmZmRlYzkxODQ0YQ%3D%3D%22%20%2F%3E%0A%3C%2Fform%3E%0A%3Cscript%3E%0A%20%20document.getElementById%28%27myform%27%29.submit%28%29%3B%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0D%0A
2021-09-16 22:29:57.329 INFO  [68361] [SAMLLoginWindow::onLoadFinished@98] Load finished https://vpn.myvpn.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-09-16 22:29:58.692 INFO  [68361] [SAMLLoginWindow::onResponseReceived@64] Response received from https://xxx.myvpn.com:7443/cas/t/MGMT01/API/1.0/REST/landing?EAB_CALLBACK_URL=%2Fauth%2Flogin%2Fembeddedauthbroker%2Fcallback%3FhorizonRelayState%3D7d37fae6-6e0e-4c02-8dca-6b0cd624c10a&requestTimeout=0
2021-09-16 22:29:58.873 INFO  [68361] [SAMLLoginWindow::onLoadFinished@98] Load finished https://xxx.myvpn.com:7443/cas/t/MGMT01/API/1.0/REST/landing?EAB_CALLBACK_URL=%2Fauth%2Flogin%2Fembeddedauthbroker%2Fcallback%3FhorizonRelayState%3D7d37fae6-6e0e-4c02-8dca-6b0cd624c10a&requestTimeout=0
2021-09-16 22:30:00.487 INFO  [68361] [SAMLLoginWindow::onResponseReceived@64] Response received from https://xxx.myvpn.com/SAAS/t/MGMT01/auth/login/embeddedauthbroker/callback?requestTimeout=0&horizonRelayState=7d37fae6-6e0e-4c02-8dca-6b0cd624c10a
2021-09-16 22:30:01.004 INFO  [68361] [SAMLLoginWindow::onLoadFinished@98] Load finished https://xxx.myvpn.com/SAAS/t/MGMT01/auth/login/embeddedauthbroker/callback?requestTimeout=0&horizonRelayState=7d37fae6-6e0e-4c02-8dca-6b0cd624c10a

tunix avatar Sep 16 '21 19:09 tunix

Can you connect to the VPN server without the certificate parameter?

Below is the parameter line logged when connecting to the VPN server. The custom parameters will be inserted into the command parameters if you configured them.

2021-09-17 22:11:56.003 INFO  [13368] [GPClient::onVPNLogAvailable@489] Start process with arugments: --protocol=gp -u [email protected] -C authcookie=xxxxxb2dae80b3c724855180bd815d157&portal=Gateway-N&user=xxx&domain=corp.xxx.com&preferred-ip=&computer=vm-VirtualBox vpn.xxx.com

yuezk avatar Sep 17 '21 14:09 yuezk
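A quick way to confirm whether a custom option such as `--certificate` actually reached the openconnect command line is to scan gpclient.log for the "Start process with arugments:" line that yuezk quotes above. The script below is an added example for this thread, not code from GlobalProtect-openconnect; its embedded log lines are constructed to mirror the shape of that line, with fake hostnames, paths and cookie values, and it matches only the long forms of the standard openconnect options `--certificate`, `--sslkey` and `--key-password`. Because the logged line carries the `-C authcookie=...` session credential, the script masks it before the line is printed or pasted anywhere.

```python
"""Audit gpclient.log launch lines for certificate-related openconnect options.

Added example for the issue thread; not part of GlobalProtect-openconnect.
"""
import re
import sys
from pathlib import Path

# Constructed sample log, shaped like the line yuezk quoted. "arugments" is the
# client's own spelling, so the pattern below matches it as logged. All values
# (host, user, paths, cookies) are fake.
SAMPLE_LOG = """\
2021-09-17 22:11:55.900 INFO  [13368] [GPClient::doConnect@245] Start connecting...
2021-09-17 22:11:56.003 INFO  [13368] [GPClient::onVPNLogAvailable@489] Start process with arugments: --protocol=gp -u user@example.com -C authcookie=0123456789abcdef&portal=Gateway-N&user=user&domain=corp.example.com&preferred-ip=&computer=vm-VirtualBox vpn.example.com
2021-09-17 22:14:02.117 INFO  [13368] [GPClient::onVPNLogAvailable@489] Start process with arugments: --protocol=gp --certificate=/home/user/.config/vpn/client.pem --sslkey=/home/user/.config/vpn/client.key -u user@example.com -C authcookie=fedcba9876543210&portal=Gateway-N&user=user&domain=corp.example.com&preferred-ip=&computer=vm-VirtualBox vpn.example.com
"""

# Everything after the launch marker up to end of line is the openconnect argv.
LAUNCH_RE = re.compile(r"Start process with arugments: (?P<args>.*)")

# Long-form openconnect options a certificate login normally needs;
# --key-password is only needed for an encrypted private key. Short forms
# (-c, -k) are not checked here.
CERT_OPTIONS = ("--certificate", "--sslkey", "--key-password")


def launch_arg_strings(log_text: str) -> list[str]:
    """Return the raw argument string of every openconnect launch found in the log."""
    return [m.group("args") for m in LAUNCH_RE.finditer(log_text)]


def option_present(args: str, option: str) -> bool:
    """True if `option` appears as a standalone long option (--opt=value or --opt value).

    The trailing class prevents --certificate from matching a hypothetical
    --certificate-something.
    """
    pattern = rf"(?:^|\s){re.escape(option)}(?:=|\s|$)"
    return re.search(pattern, args) is not None


def check_launch(args: str) -> dict[str, bool]:
    """Map each certificate-related option to whether it is present in this launch."""
    return {opt: option_present(args, opt) for opt in CERT_OPTIONS}


def redact(args: str) -> str:
    """Mask the authcookie value: it is a bearer credential for the VPN session."""
    return re.sub(r"authcookie=[^&\s]+", "authcookie=<redacted>", args)


def audit(log_text: str) -> list[dict]:
    """One report entry per launch: index, redacted argv, and option presence."""
    report = []
    for index, args in enumerate(launch_arg_strings(log_text), start=1):
        report.append({"launch": index, "args": redact(args), "options": check_launch(args)})
    return report


if __name__ == "__main__":
    # Usage: python audit_gpclient_log.py ~/.cache/GlobalProtect-openconnect/gpclient.log
    # With no argument the constructed SAMPLE_LOG is audited instead.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOG
    entries = audit(text)
    if not entries:
        print("no openconnect launch line found; the client may not have reached the connect step")
    for entry in entries:
        flags = ", ".join(f"{k}={'yes' if v else 'no'}" for k, v in entry["options"].items())
        print(f"launch {entry['launch']}: {flags}")
        print(f"  argv: {entry['args']}")
```

If the script reports no launch line at all, the client never got as far as starting openconnect; that matches the first log excerpt in this thread, where authentication fails at the gateway login step before any "Start process" entry is written, so a missing `--certificate` in the log does not by itself mean the parameter was dropped.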

> Can you connect to the VPN server without the certificate parameter?

Yes I can. It asks for my SAML credentials.

tunix avatar Sep 17 '21 15:09 tunix