David,

I updated this MR and added some clarifications about --protocol=nc
vs. --protocol=pulse to the docs:
https://gitlab.com/openconnect/openconnect/merge_requests/48

Probably worth including in v8.05.

Thanks,
Dan

On Mon, Aug 26, 2019 at 3:37 PM Daniel Lenski <dlenski@xxxxxxxxx> wrote:
>
> This is something that probably needs to be clarified in the docs for
> OpenConnect v8.04+ (https://www.infradead.org/openconnect)…
>
> > With v8.04, I am unable to connect to my VPN if I use the
> > --protocol=pulse option. I am still able to connect by using the
> > --juniper option.
>
> The --juniper option is equivalent to --protocol=nc. Both tell
> OpenConnect to use the old Juniper Network Connect protocol, which has
> been supported by OpenConnect for a long time, including the TNCC
> "securiteh" scanner and most of the known authentication options.
>
> The --juniper option is NOT equivalent to --protocol=pulse. The latter
> tells OpenConnect to use the newer and (arguably) less badly-designed
> Pulse Secure protocol, which was only very recently implemented in
> OpenConnect.
>
> Most extant Juniper/Pulse servers support *both* the NC and Pulse
> protocols. However, there are some newer servers which are willing to
> speak the NC protocol for initial authentication, but then return an
> "error 0x08" which we think means they only allow the Pulse protocol
> for the tunnel.
>
> Current status:
> - OpenConnect doesn't yet support all of the myriad and convoluted
>   authentication options used by Pulse, nor does it support Pulse+TNCC
>   (blame me for that: I said I'd work on it but just haven't had time).
> - NC doesn't support IPv6 at all, while Pulse does support IPv6 (but
>   only in a very badly handicapped way:
>   https://gitlab.com/openconnect/openconnect/commit/b4f50f8bd5da7e6ac926ddd5095501edbc204cd0).
>
> I'd suggest using --prot=pulse if it works for you, and --prot=nc if
> it doesn't. If the server has disabled support for NC and neither of
> them work, then please send feedback with detailed logs (--dump -vvvv)
> indicating what part *doesn't* work with Pulse.
>
> Thanks,
> Dan
>
>
> On Thu, Aug 22, 2019 at 4:23 PM William Jay <d0riath@xxxxxxxxxxx> wrote:
> >
> > Hi all,
> >
> > With v8.04, I am unable to connect to my VPN if I use the
> > --protocol=pulse option. I am still able to connect by using the
> > --juniper option.
> >
> > Here is the output (x's mine):
> > Connected to xxx.xxx.xxx.xxx:443
> > SSL negotiation with xxx.xxx.xxx.xxx
> > Connected to HTTPS on xxx.xxx.xxx.xxx
> > Got HTTP response: HTTP/1.1 101 Switching Protocols
> > Unhandled Pulse authentication packet, or authentication failure
> > E 0000: 01 03 00 28 fe 00 0a 4c 00 00 00 01 00 00 00 4f  |...(...L.......O|
> > E 0010: 40 00 00 1a 01 01 00 12 fe 00 0a 4c 00 00 00 05  |@..........L....|
> > E 0020: 01 00 8b 21 5f 5d 05 83                          |...!_]..|
> > Failed to obtain WebVPN cookie
> >
> > The above output was the same for both commands below:
> > sudo openconnect --protocol=pulse xxx.xxx.xxx.xxx --authgroup="Dual-Factor Pulse Clients" --useragent nvsvc --user xxxxxx
> > sudo openconnect --protocol=pulse xxx.xxx.xxx.xxx --user xxxxxx
> >
> > The VPN works with the official Pulse Secure client, so I think that's
> > the right protocol, but maybe they're actually running with something
> > that only works with the nc protocol and not pulse?
> >
> > Has anyone seen this before, or have any tips on what to try next?
> >
> > Thank you,
> > Will
> >
> > _______________________________________________
> > openconnect-devel mailing list
> > openconnect-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.infradead.org/mailman/listinfo/openconnect-devel
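
Added example (not part of the original thread and not OpenConnect code): a Python helper that rebuilds the packet bytes from the hex-dump lines in the report above and decodes the header, so a reader can confirm the dump is complete before sending it as feedback. It assumes the dumped bytes form an EAP packet (RFC 3748), which the thread itself does not state; the names reassemble, decode_eap and DUMP are made up for this example.

```python
import re
import struct

# Hex-dump lines copied from the report quoted in this thread.
DUMP = """\
E 0000: 01 03 00 28 fe 00 0a 4c 00 00 00 01 00 00 00 4f  |...(...L.......O|
E 0010: 40 00 00 1a 01 01 00 12 fe 00 0a 4c 00 00 00 05  |@..........L....|
E 0020: 01 00 8b 21 5f 5d 05 83                          |...!_]..|
"""

# One dump line: prefix char, 4-digit hex offset, up to 16 bytes, optional ASCII column.
LINE = re.compile(r"^\S\s+([0-9a-f]{4}):((?:\s[0-9a-f]{2}){1,16})\s*(?:\|.*)?$", re.I)

def reassemble(log_text):
    """Rebuild the packet bytes, rejecting dumps with missing lines."""
    data = bytearray()
    for line in log_text.splitlines():
        m = LINE.match(line.lstrip("> ").rstrip())  # tolerate mail quoting
        if not m:
            continue  # not a dump line (status message, wrapped ASCII column)
        offset = int(m.group(1), 16)
        if offset != len(data):
            raise ValueError(f"gap in dump at offset {offset:#06x}")
        data += bytes.fromhex(m.group(2))
    return bytes(data)

def decode_eap(pkt):
    """Decode an EAP header, including the Expanded Type form (RFC 3748)."""
    # Assumption: the dumped bytes are an EAP packet; the thread does not say so.
    if len(pkt) < 4:
        raise ValueError("too short for an EAP header")
    code, ident, length = struct.unpack_from(">BBH", pkt, 0)
    info = {"code": code, "id": ident, "length": length,
            "complete": length == len(pkt)}  # header length vs. bytes dumped
    if code in (1, 2) and length > 4:        # Request/Response carry a Type
        info["type"] = pkt[4]
        if pkt[4] == 254 and len(pkt) >= 12:  # Expanded: 3-byte vendor, 4-byte type
            info["vendor_id"] = int.from_bytes(pkt[5:8], "big")  # 2636 = Juniper PEN
            info["vendor_type"] = int.from_bytes(pkt[8:12], "big")
            info["payload"] = pkt[12:length]
    return info

if __name__ == "__main__":
    print(decode_eap(reassemble(DUMP)))
```

Under that assumption the header length field (0x28) equals the 40 bytes dumped, so the excerpt in the report is the whole packet rather than a truncated one.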