Thank you for the response and tip. I tried as you said - running it with --dump using a user agent and without as there appears to be different requirements/rules depending on the device type- the results are below: ________________________________________________________________________________ With a Mobile UserAgent: dhrmbp1:~ dh$ openconnect --juniper --useragent 'JunosPulseiPhone Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 JunosPulse(Version-3.2.2.21349)iPhone' --csd-wrapper=tncc-wrapper.py --dump vpn.mycompany.com/mycompany WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support. GET https://vpn.mycompany.com/mycompany Attempting to connect to server 65.210.57.16:443 Connected to 65.210.57.16:443 SSL negotiation with vpn.mycompany.com Connected to HTTPS on vpn.mycompany.com > GET /mycompany HTTP/1.1 > Host: vpn.mycompany.com > User-Agent: JunosPulseiPhone Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 JunosPulse(Version-3.2.2.21349)iPhone > Connection: close > NCP-Version: 3 > Got HTTP response: HTTP/1.1 302 Found Location: https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi Content-Type: text/html; charset=utf-8 Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure Set-Cookie: DSSignInURL=/mycompany; path=/; secure Connection: close Content-Length: 0 HTTP body length: (0) GET https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi SSL negotiation with vpn.mycompany.com Connected to HTTPS on vpn.mycompany.com > GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1 > Host: vpn.mycompany.com > User-Agent: JunosPulseiPhone Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206 JunosPulse(Version-3.2.2.21349)iPhone > Cookie: DSSIGNIN=url_default; DSSignInURL=/mycompany > Connection: close > NCP-Version: 3 > Got HTTP response: HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Set-Cookie: DSCheckBrowser=; path=/; expires=Sat, 27-Jan-2007 19:57:58 GMT; secure Set-Cookie: DSPREAUTH=592a86ac%3AxrGHWPieAgABAAAAocszTLLg%2B11ic1XMpqoG6PAPgy47Untj5pYv%2BijnNUxzb1APVPhG6a7kFQUp8kc6ULtZXpyBkTyalepHwrqe70hZNJGp2cKX0ahkf5oW%2BRyxaNbvENdzcxJdKu27Dtmub9CoqoFY1%2BBBpdScgLv8ZAAiYwRsQISaKGPEYOk4oSUDRoHwIFDrhn1p5dxA9QWUuN3oxdrGmSPTmr5HMhKJyOl%2BBVJO%2B2NaA7zofTpelJz1W5OsKRAMfIDqsqQeZtgMofagWm7tPEcdPdNxR%2FWvxQlyY7ITrCGwE0xrclPt0E4R2QdcBIOgmEiup2G6ii6rovUfX%2BqxG0aYx3Z9Z0U2WLfVBeUeMrxsegvybc1ebQoIDuLIclxxasKxyOtxZcVa; path=/dana-na/; expires=Wed, 24-Jan-2018 14:57:58 GMT; secure Set-Cookie: DSHCSTARTED=1; path=/dana-na/; secure Date: Tue, 24 Jan 2017 19:57:58 GMT Connection: close Pragma: no-cache Cache-Control: no-store Expires: -1 X-Frame-Options: SAMEORIGIN HTTP body http 1.0 (-1) SSL socket closed uncleanly < <html><head> < <meta http-equiv="Content-Language"/> < <meta http-equiv="Content-Type" content="text/html"/> < <meta name=robots content="none"/> < <title>mycompany Secure Access Service - PleaseWait</title> < < <link href="/dana-na/css/ds_mobile_common_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.css" type="text/css" rel="stylesheet"/> < <link href="/dana-na/css/ds_mobile_safari_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.css" type="text/css" rel="stylesheet"/> < <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"/> < <meta name="format-detection" content="telephone=no"/> < < <script type="text/javascript">function hideUrlBar() { < // Hides URL Bar on the iPhone < var minHeight = 0; < < if (window.innerHeight) { < minHeight = window.innerHeight + 60; < } < document.body.style.minHeight = minHeight + 'px'; < document.getElementById('main_div').style.minHeight = minHeight + 'px'; < < setTimeout(function() < { < window.scrollTo(0,1); < }, 100); < } < < addEventListener("load", function() { setTimeout(hideUrlBar, 0); }, false); < function textFieldGetFocus(field) { < document.getElementById(field).focus(); < } < </script> < < </head> < < < <script language="JavaScript"> < var userAgentTypeApple = "1"; < var userAgentTypeAndroid = ""; < function OnStart() < { < if(userAgentTypeApple == "1") { < window.location = "IVEAction://startHC"; < Browser.redirect("IVEAction://startHC"); < } < else if(userAgentTypeAndroid == "1"){ < HTMLOUT.showHTML("my APP"); < } < else { < document.cookie = "DSCheckBrowser=" + escape('none') + "; path=/;secure"; < var href = window.location.href; < window.location = href; < } < } < </script> < < <body onload="OnStart();"><table id="table_PleaseWait-mobile-webkit_1" border="0" cellpadding="10" cellspacing="0"> < <tr><td><small><b>Loading Components...</b></small></td></tr> < </table> < < <table id="table_PleaseWait-mobile-webkit_2" cellpadding="2" cellspacing="0" border="0" width="100%"> < <tr> < <td> </td> < <td width="100%"><span><div id="hc">Host Checker</div></span></td> < </tr> < </table></body> < < <input id="serverdetails_1" type="hidden" name="serverdetails" value="interval=0;process_timeout=90;cert_md5=1f9ab4221d578a51b6c73b93c06149fe;hash_key=06f23f73c64c6df8a8a64ecbe431b75d166d46d1;logging=1;locale=en"> < </html> < Failed to obtain WebVPN cookie ________________________________________________________________________________ With No UserAgent: openconnect --juniper --dump --csd-wrapper=tncc-wrapper.py vpn.mycompany.com/mycompany WARNING: Juniper Network Connect support is experimental. It will probably be superseded by Junos Pulse support. GET https://vpn.mycompany.com/mycompany Attempting to connect to server 65.210.57.16:443 Connected to 65.210.57.16:443 SSL negotiation with vpn.mycompany.com Connected to HTTPS on vpn.mycompany.com > GET /mycompany HTTP/1.1 > Host: vpn.mycompany.com > User-Agent: Open AnyConnect VPN Agent v7.08 > Connection: close > NCP-Version: 3 > Got HTTP response: HTTP/1.1 302 Found Location: https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi Content-Type: text/html; charset=utf-8 Set-Cookie: DSSIGNIN=url_default; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure Set-Cookie: DSSignInURL=/mycompany; path=/; secure Connection: close Content-Length: 0 HTTP body length: (0) GET https://vpn.mycompany.com/dana-na/auth/url_default/welcome.cgi SSL negotiation with vpn.mycompany.com Connected to HTTPS on vpn.mycompany.com > GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1 > Host: vpn.mycompany.com > User-Agent: Open AnyConnect VPN Agent v7.08 > Cookie: DSSIGNIN=url_default; DSSignInURL=/mycompany > Connection: close > NCP-Version: 3 > Got HTTP response: HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Set-Cookie: DSHCSTARTED=1; path=/dana-na/; secure Date: Tue, 24 Jan 2017 20:05:18 GMT Connection: close Pragma: no-cache Cache-Control: no-store Expires: -1 X-Frame-Options: SAMEORIGIN HTTP body http 1.0 (-1) SSL socket closed uncleanly < < <html> < <head> < <meta http-equiv="Content-Language"> < <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> < <title>mycompany Secure Access Service - PleaseWait</title> < <script src="/dana-na/css/ds_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script> < <meta name="robots" content="none"> < <script> < WriteCSS(); < </script> < <noscript> < <link rel="stylesheet" href="/dana-na/css/ds_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.css"></link> < </noscript> < <script src="/dana-na/js/checkbrowser_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script> < <script src="/dana-na/js/clientSetup_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script><script src="/dana-na/js/intermediate_18dbed3d1620b09fa1f569d8686f36286e503cfa396ed1b07cf35ae4b7454281.js"></script> < <script> < < var error_message = ''; < var start_status = 1; < var check_browser = new CheckBrowser(); < var g_delivery = ''; < var g_checkbCookieSet = false; < var g_HCLoading = 'Host Checker'; < var g_isUAC = '0'; < < function initBulb (component) < { < document.getElementById(component + 'bulb').style.color = "#808080"; < } < < function setSucceeded(component) < { < document.getElementById(component + 'bulb').style.color = "#03CA08"; < setStatus(1); < } < < function setFailed(component) < { < document.getElementById(component + 'bulb').style.color = "#990000"; < setStatus(0); < } < < function setStarted(component) < { < document.getElementById(component).style.fontWeight = "bold"; < } < < function setFinished(component) < { < document.getElementById(component).style.fontWeight = "normal"; < } < function gowelcome() < { < if (g_delivery != '') { < setCheckBrowserCookie (); < } < if (getStatus()) { < document.getElementById('endstatus').innerHTML = 'Components loaded successfully'; < var url = window.location; < if (dsIsVista() || dsIsWinXP()) { < try { < var SetupCtrl; < if (document.deliveryType == 'java') { < var doc = getIFrameDocument("controlframe"); < if (typeof(doc) == "undefined") { < return false; < } < SetupCtrl = doc.getElementById("NeoterisSetup"); < } < else if (document.deliveryType == 'activex') { < SetupCtrl = document.getElementById("NeoterisSetup"); < } < if (SetupCtrl != "undefined") { < var data = SetupCtrl.retrieveData("HCDATA"); < if (data && data.indexOf("AED={") != -1) { < // AED getting initialised < var aedParams = aedParseProgressString (data); < var aedInitComplete = 0; < if (aedParams.statusInitialization == gAedProgress.SUCCESS ||aedParams.statusInitialization==gAedProgress.FAIL) { < if (aedParseParam(data, 'HSStatus:')) { < aedInitComplete = 1; < } < } < if (!aedInitComplete) { < if (url.toString().indexOf('?') == -1) { < url += "?type=inter"; < } < else { < url += "&type=inter"; < } < } < } < } < } < catch (e) { < } < } < window.location = url; < } < else { < document.getElementById('endstatus').innerHTML = error_message; < setTimeout("window.location = window.location;", 5000); < } < } < < function setCCSucceeded() < { < setSucceeded('cc'); < } < function setHCSucceeded() < { < setSucceeded('hc'); < } < < function getComponent(component) < { < return document.getElementById(component + 'bulb'); < } < < function failComponents() < { < if (getComponent('hc')) setFailed('hc'); < if (getComponent('cc')) setFailed('cc'); < if (getComponent('ep')) setFailed('ep'); < } < < function setStatus(s) < { < start_status = s; < } < function getStatus() < { < return start_status; < } < function setErrorMessage(aMsg) < { < error_message = aMsg; < } < < function loadIframe(iframeName, url) { < var doc = getIFrameDocument(iframeName); < if (typeof(doc) == "undefined") { < return false; < } < doc.location.href = url; < return true; < } < < function getIFrameDocument(iframeName) { < var fr; < var frWindow; < var frDocument; < if ( window.frames && window.frames[iframeName] ) { < frWindow = window.frames[iframeName]; < }else if (document.getElementById(iframeName) ) { < frWindow = document.getElementById(iframeName).contentWindow; < }else { < return ; < } < < fr = document.getElementById(iframeName); < if (frWindow && frWindow.document) < frDocument = frWindow.document; < else if (fr && fr.contentDocument) < frDocument = fr.contentDocument; < < return frDocument; < } < < function checkb() { < g_delivery = 'none'; g_delivery = 'none'; < if (dsIsActiveXEnabled()){ < g_delivery = 'activex'; < }else if (dsIsJavaEnabled()) { < g_delivery = 'java'; < } document.deliveryType = g_delivery; < return g_delivery; < } < < // Redirect to CGI to download the Setup Client .exe < function redirectToSetupCGI() { < var href = window.location.href; < var redirectURL = "/dana-na/setup/download.cgi?r=" + escape(href); < if (dsIsMac()) { < redirectURL = redirectURL + "&platform=Macintosh"; < } < window.location = redirectURL; < } < < function loadControlFrame() < { < try { < loadIframe ('controlframe', window.location); < } catch (e) { < failComponents(); < setTimeout("gowelcome();", 0); < } < } < < function setCheckBrowserCookie () { < if (g_checkbCookieSet == false) { < document.cookie = "DSCheckBrowser=" + escape(g_delivery) + "; path=/;secure"; < g_checkbCookieSet = true; < } < } < < function submitBrowserInfo() { < setCheckBrowserCookie (); < if (g_delivery == 'none') { < setErrorMessage ('Your browser does not support either ActiveX controls or Java applets. Please contact your administrator.'); < failComponents (); < gowelcome(); < } else { < loadControlFrame(); < } < } < < function startOnLoad() < { < var c = checkb(); < if ((c == 'none') && (dsIsVista() || dsIsWinXP() || dsIsMac())) { < failComponents (); < setTimeout("redirectToSetupCGI();", 7000); < return; < } < setTimeout ("submitBrowserInfo();", 2000);} < </script> < < < < <script> < <!-- < if (window.top != self) { < top.location = location; < } < //--></script> < </head> < < <body bgcolor="#FFFFFF" color="#000000" link="#3366CC" vlink="#CC6699" alink="#3366CC" leftmargin="0" topmargin="0" rightmargin="0" marginwidth="0" marginheight="0" onload="startOnLoad()" > < < < <table id="table_PleaseWait_1" border="0" width="100%" cellspacing="0" cellpadding="3"> < <tr> < <td bgcolor="E3E3E3"><img border="0" src="/dana-na/auth/welcome.cgi?p=logo" alt="Logo"></td> < <td bgcolor="E3E3E3" align="right"> </td> < < </tr> < </table> < <table id="table_PleaseWait_2" cellpadding="0" cellspacing="0" border="0" width="100%"> < <tr> < <td bgcolor="#000000" colspan="2"><img border="0" src="/dana-na/imgs/space.gif" width="1" height="1"></td> < </tr> < </table> < <blockquote> < <table id="table_PleaseWait_3" border="0" cellpadding="2" cellspacing="0"> < <tr><td nowrap ><font face="verdana,sans-serif" size="3"><b>Loading Components...</b></font></td></tr> < <tr><td nowrap ><font face="verdana,sans-serif" size="2">Please wait. This may take several minutes.</font></td></tr> < </table> < < <table id="table_PleaseWait_4" cellpadding="4" cellspacing="0" border="0" width="100%"> <tr> < <td><img src="/dana-na/imgs/space.gif" width="30" height="1"></td> < <td><span style="font-weight:bold; color:#808080; font-size:135%;" id="hcbulb">•</span></td> < <td width="100%"><span><div id="hc">Host Checker</div></span></td> < </tr> <tr> < <td> </td> < <td> </td> < <tr> < <table id="table_PleaseWait_5" border="0" cellpadding="2" cellspacing="0"> < <tr><td nowrap ><font face="verdana,sans-serif" size="2"> < <div id="continue">If an error prevents a component from loading properly, you can <a href="javascript:void(0)" onclick="javascript:gowelcome();return false;">click here</a> to continue. Not all functionality may be available. </div></font></td></tr> < </table> < </tr> < <tr> < <td><img src="/dana-na/imgs/space.gif" width="30" height="1"></td> < </tr> < <tr> < <td><img src="/dana-na/imgs/space.gif" width="30" height="1"></td> < </tr> < <table id="table_PleaseWait_6" border="0" cellpadding="2" cellspacing="0"> < <tr><td nowrap ><font face="verdana,sans-serif" size="2"><div id="endstatus"></div></font></td></tr> < </table> < </table> < </blockquote> < <OBJECT classid="clsid:F27237D7-93C8-44C2-AC6E-D6057B9A918F" < id=NeoterisSetup codebase="\dana-cached\sc\JuniperSetupClient.cab#version=2,1,1,1" < width=0 height=0 > < </object><p align="left"><iframe id="controlframe" name="controlframe" src="/dana-na/html/blank.html" width="2" height="2" frameborder="0" scrolling="NO"></iframe></p> < < </body> < < </html> No DSPREAUTH cookie; not attempting TNCC Failed to obtain WebVPN cookie Dustin L Hartung On Tue, Jan 24, 2017 at 1:12 PM, Daniel Lenski <dlenski at gmail.com> wrote: > On Tue, Jan 24, 2017 at 9:28 AM, Dustin Hartung > <dustin.hartung at gmail.com> wrote: >> I am trying to use openconnect on my Mac to connect to a Junos vpn. >> Below is my command and the response i am getting. I am not sure >> where to go from here. I downloaded generic tncc-wrapper.py from >> Github. Does it need to be modified? > > Are you sure that TNCC is the problem here? > > You should run with --dump to show all the HTTP traffic that > openconnect is sending and receiving. OC is probably getting hung up > on an authentication form that it doesn't understand. OC's Juniper > auth support is necessarily incomplete, because Juniper authentication > consists of totally free-form web pages. > > Logging should make this clear. > > Dan
