Hello there. I wonder if someone could help me with our scenario.

We have a specific situation where we need to use OpenConnect to authenticate GlobalProtect using Okta. However, instead of using SAML and all the known issues, we have decided to use a RADIUS agent, also provided by Okta. Now we have the following scenario:

1- All the Okta users have MFA enabled.
2- We are using the Okta RADIUS agent to authenticate the portal as well as the gateway.
3- We have cookie authentication override enabled on the firewalls.

With this setup, using GP for Linux (official client), the users need to provide user/pass/OTP once. When authenticated, the user can take advantage of the portal-userauthcookie cookie and re-authenticate without interaction while the cookie session is valid.

I have to say that, manually, OpenConnect works like a charm; the problem is when I try to automate the process.

Version: 8.10

Command:

    sudo echo "$VPN_PASSWORD" | openconnect --protocol=gp domain.com --user renatot --csd-wrapper=/usr/local/libexec/openconnect/hipreport.sh --token-mode=totp --token-secret="base32:XXXXXXXXX" --passwd-on-stdin --dump -vv

First authentication on Portal (using $VPN_PASSWORD) - Result OK

    > jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&ipv6-support=yes&clientos=Linux&os-version=linux-64&server=domain.com&computer=Thor&user=renatot&passwd=MYPASS
    Got HTTP response: HTTP/1.1 200 OK

Second authentication on Portal (using the TOTP with OAUTH) - Result OK

    > jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&ipv6-support=yes&clientos=Linux&os-version=linux-64&server=domain.com&computer=Thor&inputStr=5e5edc1000044fda&user=renatot&passwd=123456
    Got HTTP response: HTTP/1.1 200 OK

The problem starts on the Gateway authentication phase. OpenConnect tries to send my OTP token again instead of my password.

    > jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&ipv6-support=yes&clientos=Linux&os-version=linux-64&server=domain.com&computer=Thor&inputStr=5e5edc1000044fda&user=renatot&passwd=123456
    Got HTTP response: HTTP/1.1 512 Custom error

By reading the documentation / code, I believe that this behaviour would be related to this commit: https://gitlab.com/openconnect/openconnect/-/commit/0303569d286d360da905b3c014daa99c65075524

My question: Is there a way to force the authentication sequence like Pass/OTP for Portal && Pass/OTP for GW? Could I do this using "form-entry" and modifying the labels on the firewall (I have management on the FW)? I wouldn't like to point the authentication directly to the GW using a usergroup if there is a better way.

If there is nothing else to do, what do you guys suggest? I was thinking about hijacking the cookie on the portal (with the option --cookieonly) and using it in another attempt (not sure if it would work).

Sorry about this long email. I would appreciate it if someone could give me any ideas here.

Best Regards
Carlos

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
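As an added illustration (not part of the original message or of OpenConnect itself), the following script reconstructs the portal/gateway login sequence from `--dump -vv` output of the shape shown above and flags the failure mode described: an OTP that the portal accepted being re-sent to the next login form and rejected. The sample dump is constructed with placeholder credentials; the rule that a `passwd` field next to `inputStr`, or a short all-digit value, is an OTP rather than a password is an assumption of this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample dump mirroring the post's lines; credentials are placeholders.
SAMPLE_DUMP = """\
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&server=domain.com&computer=Thor&user=renatot&passwd=MYPASS
Got HTTP response: HTTP/1.1 200 OK
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&server=domain.com&computer=Thor&inputStr=5e5edc1000044fda&user=renatot&passwd=123456
Got HTTP response: HTTP/1.1 200 OK
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&server=domain.com&computer=Thor&inputStr=5e5edc1000044fda&user=renatot&passwd=123456
Got HTTP response: HTTP/1.1 512 Custom error
"""

OTP_RE = re.compile(r"^\d{6,8}$")                      # assumption: TOTP is 6-8 digits
STATUS_RE = re.compile(r"Got HTTP response: HTTP/1\.\d (\d{3})")

def classify_credential(form):
    """Label what was placed in passwd= without echoing the secret itself."""
    passwd = form.get("passwd", [""])[0]
    if "inputStr" in form or OTP_RE.match(passwd):
        return "otp"                                   # challenge reply (inputStr) or OTP-shaped
    return "password"

def parse_auth_sequence(dump_text):
    """Pair each '> ...ok=Login...' form body with the HTTP status that follows it.
    Returns [(credential_kind, http_status), ...] in send order."""
    steps, pending = [], None
    for line in dump_text.splitlines():
        if line.startswith("> ") and "ok=Login" in line:
            pending = classify_credential(parse_qs(line[2:]))
        else:
            m = STATUS_RE.search(line)
            if m and pending is not None:
                steps.append((pending, int(m.group(1))))
                pending = None
    return steps

def find_reused_otp(steps):
    """Index of a step that re-sent an OTP and was rejected immediately after a
    step where an OTP had already been accepted (the gateway-phase symptom in
    the post), or None if the sequence looks healthy."""
    for i in range(1, len(steps)):
        prev_kind, prev_status = steps[i - 1]
        kind, status = steps[i]
        if prev_kind == "otp" and prev_status == 200 and kind == "otp" and status != 200:
            return i
    return None

if __name__ == "__main__":
    seq = parse_auth_sequence(SAMPLE_DUMP)
    print(seq, "reused OTP at step:", find_reused_otp(seq))
```

Run it against a real `--dump -vv` capture (with the secrets redacted) to confirm which login form received the OTP instead of the password before changing the firewall's authentication profile.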