Our site uses the Juniper Pulse VPN, configured with a pre-auth banner you must click through, requiring the host checker, requiring Duo MFA, and using profiles. Has anyone come up with a combination of openconnect and helper utilities that will satisfy *all* of these dependencies?

The best I have been able to come up with relies on the juniper-vpn-py helper scripts:

    https://github.com/russdill/juniper-vpn-py/

Specifically, I run it like this:

    $ ./juniper-vpn.py --host vpn.example.org --username myusername --pass 123 --stdin DSID=%DSID% openconnect --juniper %HOST% --cookie-on-stdin

(The argument to --pass is the first 3 digits of the one-time passcode I get from the Duo Mobile app; I used “123” as an example.)

When I run this, juniper-vpn.py first asks me for my password, and then it asks for the secondary password (which is where I enter the final 3 digits of the one-time passcode). It’s convoluted, but it works, albeit with no DTLS support:

    reply: 'HTTP/1.1 200 OK\r\n'
    header: Content-type: text/html; charset=utf-8
    header: Set-Cookie: DSLastAccess=1547265626; path=/; Secure
    header: Connection: close
    header: Pragma: no-cache
    header: Cache-Control: no-store
    header: Expires: -1
    header: X-Frame-Options: SAMEORIGIN
    header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    WARNING: Juniper Network Connect support is experimental.
    It will probably be superseded by Junos Pulse support.
    Connected to 1.2.3.4:443
    SSL negotiation with vpn.example.org
    Connected to HTTPS on vpn.example.org
    Set up UDP failed; using SSL instead
    Connected as 5.6.7.8, using SSL, with ESP disabled

The only problem is, now we are using profiles, which means that if I connect to this profile:

    https://vpn.example.org/admin

I will get more network access than if I just connect to:

    https://vpn.example.org/

But I don’t see any way to specify profiles to either juniper-vpn.py or to openconnect itself.

I filed a GitHub issue to see if there is any way I could help add profile support:

    https://github.com/russdill/juniper-vpn-py/issues/29

…but the maintainer hasn’t responded to it.

Has anyone figured out a way to select Juniper Pulse profiles using openconnect, potentially combined with other helper scripts? If not, if someone could provide a rough description of the work that needs to be done to support them (either in openconnect or juniper-vpn-py), I’d be willing to take a crack at it, as we need this functionality.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel