Authentication failure about pan-globalprotect-okta HOT 33 CLOSED

If You receive err: okta auth request failed. status code: 401, then You have simply entered invalid username or password.

That response is from Your OKTA via /api/v1/authn. You can try to request it manually (let's say via curl) and see why it responds with Authentication failed, for example, curl -vk 'https://okta/api/v1/authn' -H 'Accept: application/json' -H 'Content-Type: application/json' --data '{"username": "yourusername", "password": "yourpassword'}

You need to get token from gp-okta.py, before calling openconnect, otherwise it won't work.

If You are sure that password is correct, then maybe You are in domain and username is something like DOMAIN/username, DOMAIN\username, or username@domain. If You are sure that everything is fine, then I would have to see more output from logs to comment ... enable debug=1 in config and re-re-run.

from pan-globalprotect-okta.

Looks like I need to setup an MFA profile

from pan-globalprotect-okta.

❯ ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
err: no factor url found

from pan-globalprotect-okta.

I think I know what's the issue. Currently, the script only supports google factor authentication. Maybe You are using different factor.

If You could add print(factors) in okta_mfa and check, it would be helpful.

from pan-globalprotect-okta.

[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
[{u'profile': {u'name': u"Nicholas's iPhone", u'keys': [{u'use': u'sig', u'x5c': [u'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAimFLrwmPxKCiaHy9maHy+6kyPSgLB8qAlMoX4MySLoofoFlnHnOxbJvQq2Lm9Ne0sV41MJ6s/F8eKlUeBh23ryqkmRKoyLlhF1huwAqxk+gCku1HgtTLPPZFNDOeL3rOxarlS3K3lhgCi/E9/ZaVJoiv0n4cl32C6rPMTt5HXZWW/yBShbQzEv1jLKo7LQRQR2wteBXdHBkMhktJ98IkNLuuZ1rduX6woYGl4MFbN3WrfB/0VppfiSoq9aQSg9amNPwbqaUHvhYhdSasTKNT8/PMVo7oh/xtXsi6feP5Fr1mw4+6XAKUQepXc1WOXZpQVa7JngV1gpAtdieyVrlqIQIDAQAB'], u'kty': u'PKIX', u'kid': u'default'}], u'credentialId': u'nmoore@.io', u'platform': u'IOS', u'version': u'12.0', u'deviceType': u'SmartPhone_IPhone'}, u'id': u'opf3fuweJyOBUYoEO355', u'factorType': u'push', u'_links': {u'verify': {u'href': u'https://.okta.com/api/v1/authn/factors/opf3fuweJyOBUYoEO355/verify', u'hints': {u'allow': [u'POST']}}}, u'provider': u'OKTA', u'vendorName': u'OKTA'}, {u'profile': {u'credentialId': u'nmoore@****.io'}, u'id': u'ost3g29h5gj7zf5rE355', u'factorType': u'token:software:totp', u'_links': {u'verify': {u'href': u'https://*****.okta.com/api/v1/authn/factors/ost3g29h5gj7zf5rE355/verify', u'hints': {u'allow': [u'POST']}}}, u'provider': u'OKTA', u'vendorName': u'OKTA'}]
err: no factor url found

from pan-globalprotect-okta.

Ok, so You are using OKTA factor, that's the issue. I have used only Google factor and that's what I implemented. I can try to change mine to OKTA factor and verify how it works.

P.S. do You know what's the difference between Google and OKTA factors?

from pan-globalprotect-okta.

Heh, it looks like it's completely the same... just a TOPT using OKTA application, not Google application. At least, from user experience. Will investigate a bit and update this issue.

from pan-globalprotect-okta.

So, @nicksmoore, I've implemented also OKTA TOTP support. Make sure to change .conf file accordingly, i.e, now there is totp.okta, totp.google, etc. and topt_secret is deprecated. Take a look at example config file. I tested with both with my account. If You have multiple totp factors added to OKTA account, then this script will prefer the one which is in configuration file.

By the way, to use TOTP, you will need pyotp. Make sure You have it installed.

from pan-globalprotect-okta.

thank you for adding this, I'm curious of the level of effort it would require to add okta verify push factor?

from pan-globalprotect-okta.

Can You verify that this works now (OKTA TOTP)?

I'm not sure, haven't used this... would it be useful for You? What's the user experience, i.e., what do You need to do for push factor?

from pan-globalprotect-okta.

I'm trying to obtain the base32 token but not quite sure how I don't see anywhere in the okta factor api calls.

https://developer.okta.com/docs/api/resources/factors

nimoore@C02PR08EG3QD   ~/pan-globalprotect-okta    master   ./gp-okta.py gp-okta.conf    594  22:45:45 
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
Traceback (most recent call last):
File "./gp-okta.py", line 334, in
main()
File "./gp-okta.py", line 321, in main
token = okta_auth(conf, s)
File "./gp-okta.py", line 175, in okta_auth
session_token = okta_mfa(conf, s, j)
File "./gp-okta.py", line 210, in okta_mfa
return okta_mfa_totp(conf, s, totp_factors, state_token)
File "./gp-okta.py", line 232, in okta_mfa_totp
code = totp.now()
File "/usr/local/lib/python2.7/site-packages/pyotp/totp.py", line 44, in now
return self.generate_otp(self.timecode(datetime.datetime.now()))
File "/usr/local/lib/python2.7/site-packages/pyotp/otp.py", line 33, in generate_otp
hasher = hmac.new(self.byte_secret(), self.int_to_bytestring(input), self.digest)
File "/usr/local/lib/python2.7/site-packages/pyotp/otp.py", line 50, in byte_secret
return base64.b32decode(self.secret, casefold=True)
File "/usr/local/Cellar/python@2/2.7.14_3/Frameworks/Python.framework/Versions/2.7/lib/python2.7/base64.py", line 229, in b32decode
raise TypeError('Non-base32 digit found')
TypeError: Non-base32 digit found

from pan-globalprotect-okta.

https://developer.okta.com/docs/api/resources/factor_admin

from pan-globalprotect-okta.

Just for some context, I used my API token which I knew wouldn't work but just to gen some output.

from pan-globalprotect-okta.

You probably entered wrong secret. You must use TOTP secret, not token, which is in format "ABCDEFGHIJKLMNOP". You can get it when creating 2FA, by scanning it with normal QR code reader or by backing up the OTP program (if it allows). I use andOTP and it allows such thing.

If You already have set up 2FA and don't know the OTP secret, You can reset it. Just did it for my colleage. He scanned QR code, wrote down the secret and then scanned it with normal OTP application.

from pan-globalprotect-okta.

Just wanted to provide an update I was able to retrieve the TOTP secret but currently running into an issue with activating the TOTP factor through the API... I'll provide another update once I resolve this.

from pan-globalprotect-okta.

I was able to extract the base32 secret and validate TOTP authentication through the Okta API, however when I run the script I'm still getting an authentication error. My suspicion here is that there is nothing in the conf file for the 6 digit passcode. When I authenticate through the API it must be in the body.

curl -X POST
https://omniex.okta.com/api/v1/users/00u3e0z12K0mMbHBq355/factors/ost1ea7aqOyvQBoTA356/verify
-H 'Accept: application/json'
-H 'Authorization: SSWS {API Token}'
-H 'Cache-Control: no-cache'
-H 'Content-Type: application/json'
-H 'Postman-Token: *****************'
-d '{
"passCode": "305824"
} '

https://0bin.net/paste/Nd4m0s77yaXnLdgx#TpbVhA45aOOqWOCTWqI3zA-aHkjP3cpZgqI20EkJPcd

from pan-globalprotect-okta.

These have been very helpful https://developer.okta.com/reference/postman_collections/

from pan-globalprotect-okta.

It may just be easier to add functionality for push factor?

from pan-globalprotect-okta.

@nicksmoore, I don't understand what are You trying to do.... If you know the TOTP secret, then my program will generate passcodes automatically and will make according API request. You just need to add TOTP secret in configuration file and that's it! Like, totp.okta=ABC....

Of course, there is no way to add passcode in configuration file, because passcode changes every 60 seconds. passcode on Your phone (and in this software) is being generated by TOTP secret + current date. That's how 2FA TOTP works.

I don't understand what You mean to achieve by "TOTP authentication through the Okta API". It is being done for You by this software! Can You explain what is Your goal? Can You provide output from this software, when You add TOTP secret? Previously You gave output with exception, which happened because You didn't specify TOPT secret, but token. What issues are You facing right now?

from pan-globalprotect-okta.

❯ echo "aZiNrRjRzDgbOUAdij9TL+WGKVMkqPdeqckey30RcpdU6n1flBB5CWkwA0nCNvssH018QiVY1dq/aNLulDEdIpTVPJuV6SlVNgbBj1sGffdd+2sKXSBIKGd5YsfOabhykp2Sxu/i+2Q8c+ndTYH9jHT4WHh3vQkKuHH746Dh9K7lHo64XK4txJlbxBuDM2WdugSmTn6q2Brg5tTFiJotmhPgM0di1Srjkj1l3IuDGQW14jM3ZJ5EsgjOL4GUkGnZOFX09GiO0VhQHSksDK9vPnTVaU6BF2g61E4e+EG6VkGYe5c2MViv6CZqz+N75fIGvHdb2lO3NEjod9PzrIjXng==" | openconnect --protocol=gp -u "[email protected]" --usergroup portal:portal-userauthcookie --passwd-on-stdin https://vpn-lax.omniex.io
Please enter your username and password
portal-userauthcookie:
fgets (stdin): Inappropriate ioctl for device

from pan-globalprotect-okta.

@nicksmoore where did Your comments went? I was curious about it not working on Mac, as I also have one, not just for daily usage. Would like to fix it, if this really is an issue.

Regarding Your latest issue, please, check README. I added it to known issues. Basically, You need to set bug.nl=0 to bug.nl=1 in Your configuration, until upstream openconnect fixes it. You can read up more about it in dlenski/openconnect#116 (comment)

P.S. there are a lot of new features (also that bug.nl), if You haven't pulled newest version; please do.

from pan-globalprotect-okta.

I believe the issue in the mac is I was running pyotp on version Python 2.7.14 (Mac) vs. Python 2.7.13 on Fedora.
http://blog.pinaxproject.com/2015/12/08/how-test-against-multiple-python-versions-parallel/

I will review the bug.nl issue later this evening.

from pan-globalprotect-okta.

Pulled down the newest version updated bug.nl

debug = 0
vpn_url = https://vpn-lax.****.io
okta_url = https://****.okta.com
username = nmoore
password = ******
totp.okta = *****
bug.nl = 1

❯ ./gp-okta.py gp-okta.conf
[INFO] prelogin request
[INFO] okta saml request
[INFO] okta auth request
[INFO] mfa okta totp request
[INFO] sessionToken: 20111cMmspNKDEktFcZZ1GY3CqNrG6K774_62Kosv-yVHw1ML63LLJf
[INFO] okta redirect request
[INFO] okta redirect form request
[INFO] saml-username: nmoore@****.io
[INFO] prelogin-cookie: EQMv20myDiKDpUruzsWzT5nwBa21NoVS6JgW1vwFuuGfRjf1hVdYvd+J3lDwNcQN
[INFO] getconfig request
[INFO] portal-userauthcookie: P8M2FO0coiNSor/zhFE7gI5P2j2SmqwuHijeJp10YcaiRrmMMa+dknxVOpfE3ljpqvPlKpv91hf7KvkPH22+H+8I9zELqX2th/qUICFx05NCteVagpAzJEDDx3vmLAY/+QVAEazW7g4zGKPY1Q+kBBoOVHBr44TYX5D5wzWxNli0s2Txzzmi6RvDO920EelJ4pVtPMBxXX/VHTD4XzB7Btj72QJxuG8aK34pDN/i2Z7a0JjlNMjjtx5aQStEu74AppPauMkDGcz4v8M15eDcKz2SEsAf0hazH4olA8ZLEQipDoWbe85uUgqbl8l11QHsRbvHbnLxNoBLw8jijI4awg==
Traceback (most recent call last):
File "./gp-okta.py", line 372, in
main()
File "./gp-okta.py", line 351, in main
cmd += ' --passwd-on-stdin ' + conf.get('openconnect_args') + ' "{1}"'
TypeError: cannot concatenate 'str' and 'NoneType' objects

from pan-globalprotect-okta.

@nicksmoore this was because openconnect_args was not defined (or commented out) and not left empty. I fixed it.

from pan-globalprotect-okta.

pan-globalprotect-okta git/master*  
❯ printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | openconnect --protocol=gp -u "[email protected]" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.omniex.io"
Please enter your username and password
portal-userauthcookie: 
POST https://vpn-lax.omniex.io/global-protect/getconfig.esp
Connected to [2607:7700:0:15::454b:1492]:443
SSL negotiation with vpn-lax.omniex.io
Connected to HTTPS on vpn-lax.omniex.io
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
1 gateway servers available:
  GP-EXT (vpn-lax.omniex.io)
Please select GlobalProtect gateway.
GATEWAY: [GP-EXT]:GP-EXT
POST https://vpn-lax.omniex.io/ssl-vpn/login.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
GlobalProtect login returned authentication-source=Okta SAML
POST https://vpn-lax.omniex.io/ssl-vpn/getconfig.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1406 for ESP tunnel
POST https://vpn-lax.omniex.io/ssl-vpn/hipreportcheck.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
WARNING: Server asked us to submit HIP report with md5sum 2166bf50594d69cadcca9a24af8089fa.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Connected as 192.168.2.235, using SSL, with ESP in progress
Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See http://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed
Unknown error; exiting.
                                                                                                                                                                                                                                               
pan-globalprotect-okta git/master*  
❯ ping sm1-utilx001
ping: sm1-utilx001: Name or service not known
                                                                                                                                                                                                                                               
pan-globalprotect-okta git/master*  
❯ sudo printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | openconnect --protocol=gp -u "[email protected]" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.omniex.io"
[sudo] password for nmoore: 
Please enter your username and password
portal-userauthcookie: 
POST https://vpn-lax.omniex.io/global-protect/getconfig.esp
Connected to [2607:7700:0:15::454b:1492]:443
SSL negotiation with vpn-lax.omniex.io
Connected to HTTPS on vpn-lax.omniex.io
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
1 gateway servers available:
  GP-EXT (vpn-lax.omniex.io)
Please select GlobalProtect gateway.
GATEWAY: [GP-EXT]:GP-EXT
POST https://vpn-lax.omniex.io/ssl-vpn/login.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
GlobalProtect login returned authentication-source=Okta SAML
POST https://vpn-lax.omniex.io/ssl-vpn/getconfig.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1406 for ESP tunnel
POST https://vpn-lax.omniex.io/ssl-vpn/hipreportcheck.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
WARNING: Server asked us to submit HIP report with md5sum 2166bf50594d69cadcca9a24af8089fa.
VPN connectivity may be disabled or limited without HIP report submission.
You need to provide a --csd-wrapper argument with the HIP report submission script.
Connected as 192.168.2.236, using SSL, with ESP in progress
Failed to bind local tun device (TUNSETIFF): Operation not permitted
To configure local networking, openconnect must be running as root
See http://www.infradead.org/openconnect/nonroot.html for more information
Set up tun device failed
Unknown error; exiting.
                                                                                                                                                                                                                                               
pan-globalprotect-okta git/master*  6s
❯ ping sm1-utilx001
ping: sm1-utilx001: Name or service not known
                                                                                                                                                                                                                                               
pan-globalprotect-okta git/master*  
❯ openconnect --version
OpenConnect version v7.08-127-gf54cc9a5
Using OpenSSL. Features present: TPM (OpenSSL ENGINE not present), HOTP software token, TOTP software token, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp

from pan-globalprotect-okta.

❯ printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | sudo openconnect --protocol=gp -u "nmoore@****.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.***.io"
Unknown VPN protocol 'gp'

from pan-globalprotect-okta.

When I was running connect w/o 2FA I had to run as root, but for some reason when I do here I get gp uknown protocol

❯ sudo su root
[root@sm1-nmoore pan-globalprotect-okta]# printf "\nKG+Cfl+RCp4OpQ5UVdRnmYsbQL03BfskdvLUj/i2hRUinNMxIkNcRdvOWdJMYBjRvmA70+9DHy3k67YzpYMS8W+y0oLAIglY+wvCzsYK5DH840g5/UCewjC9iW3ivHS7BfVC5exJ8CcFa6FqLpF4aF4DTn3xgvL5M74BO2l8c44BCYPiVIssfSJwn/nXyEoxswjUakDOlW+t+biwDIVNSUQMnjVtk7ORHJ+5u2fZ4YGzYbFBoJuer9C0Wsfjg27H+Eem0vaHVVgjH5bX6/p17crMZtESP+MYUPdNiYOSB5bYhWd3MtGi2eD79phaSV4UubPV9+xddm9MGOFBfb4MBA==" | openconnect --protocol=gp -u "nmoore@****.io" --usergroup portal:portal-userauthcookie --passwd-on-stdin  "https://vpn-lax.***.io"
Unknown VPN protocol 'gp'

from pan-globalprotect-okta.

Running openconnect as root to GP-GW w/o 2FA does not produce the same error.

❯ sudo ./openconnect --protocol=gp vpn-ny5.***.io
[sudo] password for nmoore: 
Please enter your username and password
Username: nmoore
Password: 
POST https://vpn-ny5.omniex.io/ssl-vpn/login.esp
Connected to [2607:7700:0:15::8367:74c6]:443
SSL negotiation with vpn-ny5.omniex.io
Connected to HTTPS on vpn-ny5.omniex.io
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
GlobalProtect login returned authentication-source=Local_Auth
POST https://vpn-ny5.omniex.io/ssl-vpn/getconfig.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Tunnel timeout (rekey interval) is 180 minutes.
Idle timeout is 180 minutes.
No MTU received. Calculated 1406 for ESP tunnel
POST https://vpn-ny5.omniex.io/ssl-vpn/hipreportcheck.esp
Ignoring unknown HTTP response line '                                           script-src 'self' 'unsafe-inline';'
Ignoring unknown HTTP response line '                                           style-src 'self' 'unsafe-inline';'
Connected as 10.5.11.238, using SSL, with ESP in progress
ESP session established with server
ESP tunnel connected; exiting HTTPS mainloop.

from pan-globalprotect-okta.

@nicksmoore because in one case You run openconnect (which is taken from PATH environment variable) and in other case You run ./openconnect (which is taken from current directory). Adjust openconnect_cmd in .conf file as You need, e.g., sudo ./openconnect and everything will be fine.

from pan-globalprotect-okta.

It's authenticated... I should have known as it was a permissions issue...

from pan-globalprotect-okta.

So everything is good, we can close the ticket?

from pan-globalprotect-okta.

please do, also please consider adding push factor 👍

from pan-globalprotect-okta.

ok, closing this issue and adding #6 for updates regarding push factor.

from pan-globalprotect-okta.