Unable to connect to GlobalProtect VPN using Username and PIN + Passcode
Problem description
Unable to connect to the company GlobalProtect VPN using the OpenConnect client. The official GlobalProtect Linux client connects correctly.
Steps to reproduce
- Run:
openconnect --protocol=gp vpn.mycompany.com -vvvv --dump-http-traffic --dump --authenticate -u rleinardi --certificate /etc/pki/payback/myhostname.pem
- Enter the PEM pass phrase
- Enter the PIN + Passcode (the passcode is a generated token valid only for 60s)
Expected result
The connection should be established
Actual result
After correctly entering the PIN + Passcode I am asked to authenticate again, this time using a password, but I'm not aware of any password associated with my VPN account: I have only ever authenticated using Username and PIN + Passcode. If I type my PIN + Passcode again instead of the password, the client exits without establishing a connection or showing a specific error.
Additional info
The official GlobalProtect client, version 5.1.5.0-8, is able to establish a connection successfully:
$ globalprotect
vpn.mycompany.com - Please enter your PIN and Passcode
username(rleinardi):
Password:
Retrieving configuration...
Discovering network...
Connecting...
Connected
Operating system and openconnect version
openconnect version:
$ openconnect --version
OpenConnect version v8.10
Using GnuTLS 3.6.14. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
Operating system:
$ lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: Fedora
Description: Fedora release 32 (Thirty Two)
Release: 32
Codename: ThirtyTwo
GlobalProtect VPN information
openconnect --protocol=gp vpn.mycompany.com --authenticate -u rleinardi --certificate /etc/pki/payback/myhostname.pem
POST https://vpn.mycompany.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to [::1]:3128
Requesting HTTP proxy connection to vpn.mycompany.com:443
Enter PEM pass phrase:
Using client certificate 'myhostname.mycompany.com'
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Please enter your PIN and Passcode
Password:
POST https://vpn.mycompany.com/global-protect/getconfig.esp
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
vpn.mycompany.com (vpn.mycompany.com)
Please select GlobalProtect gateway.
GATEWAY: [vpn.mycompany.com]:vpn.mycompany.com
POST https://vpn.mycompany.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Unexpected 512 result from server
POST https://vpn.mycompany.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Enter login credentials
Password:
POST https://vpn.mycompany.com/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=RSA_RADIUS
GlobalProtect login returned usually-equals-4=4
GlobalProtect login returned usually-equals-unknown=unknown
COOKIE='authcookie=REDACTED&portal=LP_Public-N&user=rleinardi&domain=%28empty_domain%29&computer=myhostname'
HOST='vpn.mycompany.com'
FINGERPRINT='pin-sha256:REDACTED'
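To make the failure point in a trace like the one above easier to spot when comparing reports, here is an added diagnostic script (not part of this report or of OpenConnect). It parses the verbose output, separates portal requests (/global-protect/) from gateway requests (/ssl-vpn/), counts credential prompts per phase, and flags the pattern visible in this trace: a portal prompt answered, the first gateway login.esp returning HTTP 512, then a second prompt. It reports only that pattern, not a root cause; the function names and regexes are my own and assume the line formats quoted in this report.

```python
import re

# Subset of the verbose openconnect lines quoted in this report
# (constructed from the trace above, not a full capture).
SAMPLE_LOG = """\
POST https://vpn.mycompany.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Please enter your PIN and Passcode
Password:
POST https://vpn.mycompany.com/global-protect/getconfig.esp
1 gateway servers available:
POST https://vpn.mycompany.com/ssl-vpn/login.esp
Got HTTP response: HTTP/1.1 512 Custom error
Unexpected 512 result from server
POST https://vpn.mycompany.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Enter login credentials
Password:
POST https://vpn.mycompany.com/ssl-vpn/login.esp
GlobalProtect login returned authentication-source=RSA_RADIUS
"""

# Endpoint path decides the phase: portal vs gateway (assumption based on this trace).
POST_RE = re.compile(r"^POST https://[^/]+/(global-protect|ssl-vpn)/([a-z]+)\.esp")
HTTP_RE = re.compile(r"^Got HTTP response: HTTP/1\.\d (\d{3})")
PHASE = {"global-protect": "portal", "ssl-vpn": "gateway"}


def summarize_auth_flow(log_text):
    """Return ([(phase, endpoint, http_status_or_None), ...], prompts_per_phase)."""
    events = []
    prompts = {"portal": 0, "gateway": 0}
    phase = None
    for line in log_text.splitlines():
        m = POST_RE.match(line)
        if m:
            phase = PHASE[m.group(1)]
            events.append([phase, m.group(2), None])
            continue
        m = HTTP_RE.match(line)
        if m and events:
            events[-1][2] = int(m.group(1))  # status belongs to the last POST
            continue
        if line.strip() == "Password:" and phase:
            prompts[phase] += 1  # a credential prompt in the current phase
    return [tuple(e) for e in events], prompts


def gateway_login_failed_after_portal(log_text):
    """True when a portal prompt was answered, the first gateway login.esp
    returned HTTP 512, and the gateway then prompted for credentials again."""
    events, prompts = summarize_auth_flow(log_text)
    gw_logins = [e for e in events if e[0] == "gateway" and e[1] == "login"]
    return bool(prompts["portal"] >= 1 and gw_logins
                and gw_logins[0][2] == 512 and prompts["gateway"] >= 1)
```

Run it over the full `-vvvv` output of a failing and a working session to compare where the phases diverge.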