Hi Gernot,

On Tue, Jan 23, 2018 at 7:42 AM, Gernot Hillier <gernot.hillier at siemens.com> wrote:

> Hi there!
>
> James Ralston wrote:
>
> > Does anyone have any advice or tips for getting openconnect to
> > navigate through a pre sign-in notification?
> >
> > We are legally required to use a pre sign-in notification for our
> > Pulse VPN service:
> >
> >     https://corliss.sei.cmu.edu/
> >
> > Unfortunately, openconnect doesn't seem to understand how to
> > navigate through the pre sign-in notification. Attempting to
> > connect to the Pulse VPN service yields this error message:
> >
> >     Failed to find or parse web form in login page
>
> We have a somehow similar issue here where Smartcard auth is not
> done by the Pulse gateway, but some other Siemens-service which
> means OpenConnect needs to dive through three additional forms. For
> now, I use something like this:
>
> @@ -657,6 +665,14 @@ int oncp_obtain_cookie(struct openconnect_info > *vpninfo) > ret = -EINVAL; > break; > } > + } else if (!strcmp(form_id, "login_PKI") || > + !strcmp(form_id, "MessageAccept") || > + !strcmp(form_id, "gaform")) { > + form = parse_form_node(vpninfo, node, "btnSubmit"); > + if (!form) { > + ret = -EINVAL; > + break; > + }
>
> Plus deactivation of some sanity checks in handle_redirect() and
> process_auth_form_cb().

Yeah, that's what I was afraid of: the only way to get past the
disclaimer form is to patch openconnect to recognize it, alas.

> However, further HTML parsing in OpenConnect feels like the wrong
> solution, and http://www.infradead.org/openconnect/juniper.html
> seems to suggest other solutions ("full compatibility may require
> actually using a web browser to log in").
>
> So we're thinking about implementing something similar like
> juniper-vpn.py from https://github.com/russdill/juniper-vpn-py which
> does our company-specific auth dance and then just calls openconnect
> with the DSID cookie...

The problem with this approach is that it necessitates calling
openconnect by hand. We'd prefer to avoid that, because adding a new
VPN connection within NetworkManager is what our users (and most Linux
users, I suspect) are used to. And unfortunately, NetworkManager
doesn't know how to configure a VPN interface that calls openconnect
with a custom authentication piece.

Not to mention we'd still need to patch juniper-vpn-py to understand
how to click through the disclaimer.

> That said, finding a working PKCS#11 solution for Python turned out
> to be a non-trivial task...

Indeed, it's been our experience that most user-contributed libraries
tend not to offer diverse authentication support, because the
developers of said libraries don't use anything beyond simple
username/password authentication.

Anyway, thanks for confirming that others have run into the same
issue.
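
Review bot: The new `else if` branch hard-codes three site-specific form ids ("login_PKI", "MessageAccept", "gaform") and a single submit name, "btnSubmit", for all of them, and nothing in the visible lines limits which page or host may present such a form before parse_form_node() accepts it. Suggest a small table mapping each form id to its submit name, with a comment naming the service each id belongs to, so the `if (!form) { ret = -EINVAL; break; }` handling is written once and further sites can be added without another strcmp() chain. The sanity-check changes in handle_redirect() and process_auth_form_cb() mentioned with the patch are not part of this hunk; they should be posted alongside it and narrowed to these forms rather than switched off, since together they decide which forms get submitted and where.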
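
An added example, not part of the original message and not code from openconnect or juniper-vpn-py: one way a wrapper script of the kind discussed above could click through the extra forms while keeping a sanity check in place, by allowlisting both the form ids from the quoted patch and the hosts a form may post to. The host name, form action, hidden field and the use of the `id` attribute (falling back to `name`) are assumptions made for the sample.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Form ids and the submit name are the ones in the quoted patch.
KNOWN_FORMS = {"login_PKI": "btnSubmit", "MessageAccept": "btnSubmit",
               "gaform": "btnSubmit"}

class FirstForm(HTMLParser):
    """Collect the attributes and named inputs of the first <form> on a page."""
    def __init__(self):
        super().__init__()
        self.form, self.fields = None, {}
        self.inside = self.done = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self.done:
            self.form, self.inside = a, True
        elif tag == "input" and self.inside and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self.inside:
            self.inside, self.done = False, True

def next_post(page_url, html, allowed_hosts):
    """Return (url, fields) for the next POST, or raise ValueError."""
    parser = FirstForm()
    parser.feed(html)
    if parser.form is None:
        raise ValueError("no form in page")
    # Assumption: the form is identified by its id, else its name.
    form_id = parser.form.get("id") or parser.form.get("name") or ""
    submit = KNOWN_FORMS.get(form_id)
    if submit is None:
        raise ValueError(f"unknown form {form_id!r}")
    if submit not in parser.fields:
        raise ValueError(f"form {form_id!r} has no {submit!r} input")
    # Resolve a relative action, then require https and an expected host.
    target = urlsplit(urljoin(page_url, parser.form.get("action") or ""))
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        raise ValueError(f"refusing to post to {target.geturl()}")
    return target.geturl(), dict(parser.fields)

# Constructed sample page; host, action and hidden field are placeholders.
SAMPLE = """<html><body>
<form id="MessageAccept" action="/auth/accept" method="POST">
<input type="hidden" name="token" value="0123abcd">
<input type="submit" name="btnSubmit" value="Accept">
</form></body></html>"""
```

Once the last form yields the DSID cookie, it can be handed to openconnect with `--cookie-on-stdin` rather than on the command line, which keeps it out of the process list.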