This is something that probably needs to be clarified in the docs for OpenConnect v8.04+ (https://www.infradead.org/openconnect)…

> With v8.04, I am unable to connect to my VPN if I use the
> --protocol=pulse option. I am still able to connect by using the
> --juniper option.

The --juniper option is equivalent to --protocol=nc. Both tell OpenConnect to use the old Juniper Network Connect protocol, which has been supported by OpenConnect for a long time, including the TNCC "securiteh" scanner and most of the known authentication options.

The --juniper option is NOT equivalent to --protocol=pulse. The latter tells OpenConnect to use the newer and (arguably) less badly-designed Pulse Secure protocol, which was only very recently implemented in OpenConnect.

Most extant Juniper/Pulse servers support *both* the NC and Pulse protocols. However, there are some newer servers which are willing to speak the NC protocol for initial authentication, but then return an "error 0x08" which we think means they only allow the Pulse protocol for the tunnel.

Current status:

- OpenConnect doesn't yet support all of the myriad and convoluted authentication options used by Pulse, nor does it support Pulse+TNCC (blame me for that: I said I'd work on it but just haven't had time).
- NC doesn't support IPv6 at all, while Pulse does support IPv6 (but only in a very badly handicapped way: https://gitlab.com/openconnect/openconnect/commit/b4f50f8bd5da7e6ac926ddd5095501edbc204cd0).

I'd suggest using --prot=pulse if it works for you, and --prot=nc if it doesn't. If the server has disabled support for NC and neither of them work, then please send feedback with detailed logs (--dump -vvvv) indicating what part *doesn't* work with Pulse.

Thanks,
Dan

On Thu, Aug 22, 2019 at 4:23 PM William Jay <d0riath@xxxxxxxxxxx> wrote:
>
> Hi all,
>
> With v8.04, I am unable to connect to my VPN if I use the
> --protocol=pulse option. I am still able to connect by using the
> --juniper option.
>
> Here is the output (x's mine):
> Connected to xxx.xxx.xxx.xxx:443
> SSL negotiation with xxx.xxx.xxx.xxx
> Connected to HTTPS on xxx.xxx.xxx.xxx
> Got HTTP response: HTTP/1.1 101 Switching Protocols
> Unhandled Pulse authentication packet, or authentication failure
> E 0000: 01 03 00 28 fe 00 0a 4c 00 00 00 01 00 00 00 4f |...(...L.......O|
> E 0010: 40 00 00 1a 01 01 00 12 fe 00 0a 4c 00 00 00 05 |@..........L....|
> E 0020: 01 00 8b 21 5f 5d 05 83 |...!_]..|
> Failed to obtain WebVPN cookie
>
> The above output was the same for both commands below:
> sudo openconnect --protocol=pulse xxx.xxx.xxx.xxx --authgroup="Dual-Factor Pulse Clients" --useragent nvsvc --user xxxxxx
> sudo openconnect --protocol=pulse xxx.xxx.xxx.xxx --user xxxxxx
>
> The VPN works with the official Pulse Secure client, so I think that's
> the right protocol, but maybe they're actually running with something
> that only works with the nc protocol and not pulse?
>
> Has anyone seen this before, or have any tips on what to try next?
>
> Thank you,
> Will
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
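
Added example, not part of the thread and not OpenConnect's code: a decoder for the three hex-dump lines in the quoted output, useful when reading the `--dump -vvvv` logs requested above. It assumes the bytes are an EAP packet with an RFC 3748 expanded type that carries RFC 5281-style AVPs (code 79 being EAP-Message); that layout is an assumption the posters do not state, and the function names are illustrative.

```python
import re
import struct
# Dump lines copied from the quoted openconnect output in this thread.
DUMP = """\
E 0000: 01 03 00 28 fe 00 0a 4c 00 00 00 01 00 00 00 4f |...(...L.......O|
E 0010: 40 00 00 1a 01 01 00 12 fe 00 0a 4c 00 00 00 05 |@..........L....|
E 0020: 01 00 8b 21 5f 5d 05 83 |...!_]..|
"""

def dump_to_bytes(text):
    """Rebuild the packet from 'E OFFSET: hex |ascii|' lines, checking offsets."""
    out = bytearray()
    for m in re.finditer(r"E ([0-9a-f]{4}): ((?:[0-9a-f]{2} )+)", text):
        if int(m.group(1), 16) != len(out):
            raise ValueError("gap in dump at offset " + m.group(1))
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def parse_eap(pkt):
    """Split one EAP packet (assumed layout); decode the expanded header for Type 254."""
    code, ident, length = struct.unpack_from(">BBH", pkt, 0)
    if not 5 <= length <= len(pkt):
        raise ValueError("bad EAP length")
    info = {"code": code, "id": ident, "length": length, "type": pkt[4]}
    body = pkt[5:length]
    if pkt[4] == 254 and len(body) >= 7:  # 3-byte vendor id + 4-byte vendor type
        info["vendor"] = int.from_bytes(body[:3], "big")
        info["vendor_type"] = int.from_bytes(body[3:7], "big")
        body = body[7:]
    info["body"] = body
    return info

def parse_avps(buf):
    """Walk AVPs: 4-byte code, 1-byte flags, 3-byte length, padded to 4 bytes."""
    avps, off = [], 0
    while off + 8 <= len(buf):
        code, fl = struct.unpack_from(">II", buf, off)
        flags, length = fl >> 24, fl & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8  # flag 0x80 adds a 4-byte vendor id
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length")
        avps.append((code, flags, buf[off + hdr:off + length]))
        off += (length + 3) & ~3
    return avps

def decode(text):
    """Return (outer EAP, inner EAP packets carried in AVP code 79)."""
    outer = parse_eap(dump_to_bytes(text))
    return outer, [parse_eap(d) for c, _, d in parse_avps(outer["body"]) if c == 79]
```

Under that assumed layout, `decode(DUMP)` yields an outer EAP Request with vendor 0x0a4c and vendor type 1, wrapping one inner EAP Request with the same vendor and vendor type 5.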