Unhandled Pulse authentication packet, "!res"
I recently had to start using Pulse Secure in order to connect to a client's environment. I believe I have OpenConnect set up correctly under Ubuntu 20.04 and it very nearly works; my output does look a little different from the similar issues I have found.
I am prompted for my password and then for the code on my "grid card" (I have to look up the value in specified coordinates). Yet at the end I am not connected to the VPN. I am invoking OpenConnect with this command:
#!/bin/bash
sudo openconnect https://URL_FOR_ENDPOINT \
--servercert pin-sha256:SHA_CODE_FOR_ENDPOINT= \
--protocol=pulse \
--user ACCOUNT_NAME
Below is a copy of the output from OpenConnect with the --dump-http-traffic -vvvv flags set.
Attempting to connect to server ENDPOINT_HOST_IP:443
Connected to ENDPOINT_HOST_IP:443
SSL negotiation with ENDPOINT_HOST
Server certificate verify failed: signer not found
Connected to HTTPS on ENDPOINT_HOST
> GET /ACCOUNT_REALM HTTP/1.1
> Host: ENDPOINT_HOST
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Content-Type: EAP
> Upgrade: IF-T/TLS 1.0
> Content-Length: 0
>
Got HTTP response: HTTP/1.1 101 Switching Protocols
Content-type: application/octet-stream
Pragma: no-cache
Upgrade: IF-T/TLS 1.0
Connection: Upgrade
Strict-Transport-Security: max-age=31536000
> 0000: 00 00 55 97 00 00 00 01 00 00 00 14 00 00 00 00 |..U.............|
> 0010: 00 01 02 02 |....|
Read 20 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 02 00 00 00 14 00 00 01 f5 |..U.............|
< 0010: 00 00 00 02 |....|
IF-T/TLS version from server: 2
> 0000: 00 00 0a 4c 00 00 00 88 00 00 00 42 00 00 00 01 |...L.......B....|
> 0010: 63 6c 69 65 6e 74 48 6f 73 74 4e 61 6d 65 3d 57 |clientHostName=W|
> 0020: 65 64 6e 65 73 64 61 79 20 63 6c 69 65 6e 74 49 |ednesday clientI|
> 0030: 70 3d 31 39 32 2e 31 36 38 2e 31 31 2e 31 31 34 |p=192.168.11.114|
> 0040: 0a 00 |..|
Read 20 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 00 14 00 00 01 f6 |..U.............|
< 0010: 00 0a 4c 01 |..L.|
> 0000: 00 00 55 97 00 00 00 06 00 00 00 22 00 00 00 02 |..U........"....|
> 0010: 00 0a 4c 01 02 01 00 0e 01 61 6e 6f 6e 79 6d 6f |..L......anonymo|
> 0020: 75 73 |us|
Read 112 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 00 70 00 00 01 f7 |..U........p....|
< 0010: 00 0a 4c 01 01 02 00 5c fe 00 0a 4c 00 00 00 01 |..L....\...L....|
< 0020: 00 00 0d 49 80 00 00 10 00 00 05 83 00 00 00 04 |...I............|
< 0030: 00 00 0d 4a 80 00 00 10 00 00 05 83 00 00 00 01 |...J............|
< 0040: 00 00 0d 56 80 00 00 30 00 00 05 83 63 63 61 66 |...V...0....ccaf|
< 0050: 37 35 34 31 2d 31 66 65 30 2d 34 38 66 32 2d 61 |7541-1fe0-48f2-a|
< 0060: 64 64 64 2d 63 64 31 65 66 31 63 31 64 34 35 62 |ddd-cd1ef1c1d45b|
AVP 0x583/0xd49: 00 00 00 04
AVP 0x583/0xd4a: 00 00 00 01
AVP 0x583/0xd56: 'ccaf7541-1fe0-48f2-addd-cd1ef1c1d45b'
> 0000: 00 00 55 97 00 00 00 06 00 00 00 50 00 00 00 03 |..U........P....|
> 0010: 00 0a 4c 01 02 02 00 3c fe 00 0a 4c 00 00 00 01 |..L....<...L....|
> 0020: 00 00 0d 70 80 00 00 2d 00 00 05 83 4f 70 65 6e |...p...-....Open|
> 0030: 20 41 6e 79 43 6f 6e 6e 65 63 74 20 56 50 4e 20 | AnyConnect VPN |
> 0040: 41 67 65 6e 74 20 76 38 2e 30 35 2d 31 00 00 00 |Agent v8.05-1...|
Read 68 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 00 44 00 00 01 f8 |..U........D....|
< 0010: 00 0a 4c 01 01 03 00 30 fe 00 0a 4c 00 00 00 01 |..L....0...L....|
< 0020: 00 00 00 4f 40 00 00 24 01 01 00 1c 06 45 6e 74 |...O@..$.....Ent|
< 0030: 65 72 20 53 65 63 75 72 49 44 20 50 41 53 53 43 |er SecurID PASSC|
< 0040: 4f 44 45 3a |ODE:|
AVP 79: 01 01 00 1c 06 45 6e 74 65 72 20 53 65 63 75 72 49 44 20 50 41 53 53 43 4f 44 45 3a
Pulse password general token code request
Token code request:
Please enter your passcode:
> 0000: 00 00 55 97 00 00 00 06 00 00 00 4c 00 00 00 04 |..U........L....|
> 0010: 00 0a 4c 01 02 03 00 38 fe 00 0a 4c 00 00 00 01 |..L....8...L....|
> 0020: 00 00 0d 6d 80 00 00 14 00 00 05 83 62 67 30 31 |...m........ACCT|
> 0030: 6d 69 6c 65 00 00 00 4f 40 00 00 16 02 01 00 0e |NAME...O@.......|
> 0040: 06 99 99 99 99 99 99 99 99 99 00 00 |.PASSWORD..|
Read 140 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 00 8c 00 00 01 f9 |..U.............|
< 0010: 00 0a 4c 01 01 04 00 78 fe 00 0a 4c 00 00 00 01 |..L....x...L....|
< 0020: 00 00 00 4f 40 00 00 69 01 02 00 61 06 45 6e 74 |...O@..i...a.Ent|
< 0030: 65 72 20 61 20 72 65 73 70 6f 6e 73 65 20 74 6f |er a response to|
< 0040: 20 74 68 65 20 67 72 69 64 20 63 68 61 6c 6c 65 | the grid challe|
< 0050: 6e 67 65 20 5b 45 35 5d 20 5b 48 32 5d 20 5b 4a |nge [E5] [H2] [J|
< 0060: 32 5d 20 75 73 69 6e 67 20 61 20 63 61 72 64 20 |2] using a card |
< 0070: 77 69 74 68 20 73 65 72 69 61 6c 20 6e 75 6d 62 |with serial numb|
< 0080: 65 72 20 35 32 35 32 30 2e 00 00 00 |er 99999....|
AVP 79: 01 02 00 61 06 45 6e 74 65 72 20 61 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 74 68 65 20 67 72 69 64 20 63 68 61 6c 6c 65 6e 67 65 20 5b 45 35 5d 20 5b 48 32 5d 20 5b 4a 32 5d 20 75 73 69 6e 67 20 61 20 63 61 72 64 20 77 69 74 68 20 73 65 72 69 61 6c 20 6e 75 6d 62 65 72 20 35 32 35 32 30 2e
Pulse password general token code request
Enter a response to the grid challenge [E5] [H2] [J2] using a card with serial number 99999.
Username:ACCOUNT_NAME
Please enter response:
> 0000: 00 00 55 97 00 00 00 06 00 00 00 44 00 00 00 05 |..U........D....|
> 0010: 00 0a 4c 01 02 04 00 30 fe 00 0a 4c 00 00 00 01 |..L....0...L....|
> 0020: 00 00 0d 6d 80 00 00 14 00 00 05 83 62 67 30 31 |...m........ACCT|
> 0030: 6d 69 6c 65 00 00 00 4f 40 00 00 10 02 02 00 08 |NAME...O@.......|
> 0040: 06 77 6d 36 |.wm6|
Read 56 bytes of IF-T/TLS record
< 0000: 00 00 55 97 00 00 00 05 00 00 00 38 00 00 01 fa |..U........8....|
< 0010: 00 0a 4c 01 01 05 00 24 fe 00 0a 4c 00 00 00 01 |..L....$...L....|
< 0020: 00 00 00 4f 40 00 00 15 01 01 00 0d fe 00 0a 4c |...O@..........L|
< 0030: 00 00 00 03 21 72 65 73 |....!res|
AVP 79: 01 01 00 0d fe 00 0a 4c 00 00 00 03 21
Unhandled Pulse authentication packet, or authentication failure
E 0000: 01 05 00 24 fe 00 0a 4c 00 00 00 01 00 00 00 4f |...$...L.......O|
E 0010: 40 00 00 15 01 01 00 0d fe 00 0a 4c 00 00 00 03 |@..........L....|
E 0020: 21 72 65 73 |!res|
Failed to obtain WebVPN cookie
It's definitely validating the grid card response ("wm6"). I tested by deliberately providing an incorrect grid card response; the output is different.
...
Enter a response to the grid challenge [A3] [G5] [I4] using a card with serial number 99999.
Username:ACCOUNT_NAME
Please enter response:
Failed authentication for user REALM/ACCOUNT_NAME. Invalid response to a challenge. Enter a response
to the grid challenge [A3] [G5] [I4] using a card with serial number 99999.
I tried to connect with the "nc" protocol but it failed in a different way. I could find the request for the grid card code in the HTML visible with the debugging flags set and entered it at the frmDefender password prompt but was not connected to the VPN.
GET https://ENDPOINT_HOST/tdec-admin
Attempting to connect to server ENDPOINT_IP:443
Connected to ENDPOINT_IP:443
SSL negotiation with ENDPOINT_HOST
Server certificate verify failed: signer not found
Connected to HTTPS on ENDPOINT_HOST
> GET /tdec-admin HTTP/1.1
> Host: ENDPOINT_HOST
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 302 Found
Location: /dana-na/auth/url_35/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_35; path=/dana-na/; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/tdec-admin; path=/; secure
Connection: close
Content-Length: 0
Strict-Transport-Security: max-age=31536000
HTTP body length: (0)
GET https://ENDPOINT_HOST/dana-na/auth/url_35/welcome.cgi
SSL negotiation with ENDPOINT_HOST
Server certificate verify failed: signer not found
Connected to HTTPS on ENDPOINT_HOST
> GET /dana-na/auth/url_35/welcome.cgi HTTP/1.1
> Host: jvpn.tn.gov
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: DSSIGNIN=url_35; DSSignInURL=/tdec-admin
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Thu, 10 Dec 2020 16:42:30 GMT
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="Content-Language">
< <meta http-equiv="Content-Type" content="text/html">
< <meta name="robots" content="none">
< <title>Sign-In Notification</title>
< <script src="/dana-na/css/ds.js"></script>
< <script>
< WriteCSS();
< </script>
< <noscript>
< <link rel="stylesheet" href="/dana-na/css/ds.css">
< </noscript>
< </head>
<
< <body bgcolor="#FFFFFF" color="#000000" link="#3366CC" vlink="#CC6699" alink="#3366CC" leftmargin="0" topmargin="0" rightmargin="0
" marginwidth="0" marginheight="0">
<
< <table border="0" width="100%" cellspacing="0" cellpadding="3">
< <tr>
< <td bgcolor="#E3E3E3"><img border="0" src="welcome.cgi?p=logo&signinId=url_35" alt="Logo"></td>
< <td bgcolor="#E3E3E3" align="right"> </td>
< </tr>
< </table>
<
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td bgcolor="#000000" colspan="2"><img border="0" src="/dana-na/auth/url_35/imgs/space.gif" width="1" height="1"></td>
< </tr>
< </table>
<
< <blockquote>
< <form name="frmLogin" action="welcome.cgi" method="POST" autocomplete="off">
<
< <table align="center" width="80%">
< <tr>
< <td class="cssPageTitle"><b>Pre Sign-In Notification</b> </td>
< </tr>
< <tr>
< <td>
< <textarea name="sn-preauth-text" rows="25" cols="100" readonly style="overflow:'scroll'">This system may contain Gove
rnment information, which is restricted to authorized users ONLY. Unauthorized access, use, misuse, or modification of this compute
r system or of the data contained herein or in transit to/from this system constitutes a violation of state and federal laws inc
luding, but not limited to Title 18, United States Code, Section 1030, and may subject the individual to Criminal and Civil penaltie
s pursuant to Title 26, United States Code, Sections 7213(a), 7213A (the Taxpayer Browsing Protection Act), and 7431.
<
< This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. S
uch monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or store
d in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enfo
rcement Personnel.
<
< ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING and SHOULD HAVE NO EXPECTATION OF PRIVACY for any information store
d or communicated via this system.
< </textarea>
< </td>
< </tr>
< <tr>
< <td> </td>
< </tr>
< <tr>
< <td>
< <input type="submit" name="sn-preauth-proceed" value="Proceed"/>
< <input type="submit" name="sn-preauth-decline" value="
Decline"/> </td>
< </tr>
< </table>
<
<
< </form>
< </blockquote>
<
< <table border="0" cellspacing="0" cellpadding="0" width="100%">
< <tr>
< <td background="/dana-na/auth/url_35/imgs/footerbg.gif">
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="1" height="2"></td>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td>
< </tr>
< <tr valign="top">
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="1"></td>
< <td nowrap ><br><br><br><br>
< <td align="right"><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td
>
< </tr>
< </table>
< </td>
< </tr>
< <tr>
< <td colspan="2"><img border="0" src="/dana-na/auth/url_35/imgs/space.gif" height="6" width="1" alt=""></td>
< </tr>
< </table>
<
< </body>
< </html>
Ignoring unknown form submit item 'sn-preauth-decline'
This system may contain Government information, which is restricted to authorized users ONLY. Unauthorized access, use, misuse, or
modification of this computer system or of the data contained herein or in transit to/from this system constitutes a violation of st
ate and federal laws including, but not limited to Title 18, United States Code, Section 1030, and may subject the individual to Cri
minal and Civil penalties pursuant to Title 26, United States Code, Sections 7213(a), 7213A (the Taxpayer Browsing Protection Act),
and 7431.
This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Suc
h monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored
in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enforc
ement Personnel.
ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING and SHOULD HAVE NO EXPECTATION OF PRIVACY for any information stored
or communicated via this system.
POST https://ENDPOINT_HOST/dana-na/auth/url_35/welcome.cgi
> POST /dana-na/auth/url_35/welcome.cgi HTTP/1.1
> Host: ENDPOINT_HOST
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: DSSIGNIN=url_35; DSSignInURL=/tdec-admin
> NCP-Version: 3
> X-Pad: 00000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 26
>
> sn-preauth-proceed=Proceed
Got HTTP response: HTTP/1.1 302 Moved
Set-Cookie: DSSigninNotif=1; path=/; secure
Date: Thu, 10 Dec 2020 16:42:30 GMT
location: /dana-na/auth/url_35/welcome.cgi?
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
< Set-Cookie: DSSigninNotif=1; path=/; secure
< Date: Thu, 10 Dec 2020 16:42:30 GMT
< x-frame-options: SAMEORIGIN
< Content-Type: text/html
<
<
< <html>
< <head>
< <meta http-equiv="Content-Language">
< <meta http-equiv="Content-Type" content="text/html">
< <meta name="robots" content="none">
< <title>Pulse Connect Secure</title>
<
< <script src="/dana-na/css/ds.js"></script>
< <script>
< WriteCSS();
< </script>
< <noscript>
< <link rel="stylesheet" href="/dana-na/css/ds.css">
< </noscript>
<
< <script>
< <!--
< if (window.top != self) {
< top.location = location;
< }
< if(window.name == "newpincancel" || window.name == "nexttokencancel") {
< window.close();
< }
< //--></script>
< <script src="/dana-na/auth/lastauthserverused.js"></script>
< <script>function deletepreauth() {
< document.cookie = "DSPREAUTH="+ escape("")+ ";path=/dana-na/;expires=12-Nov-1996";
< }
< </script>
<
< </head>
<
< <body onload="FinishLoad(0)" bgcolor="#FFFFFF" color="#000000" link="#3366CC" vlink="#CC6699" alink="#3366CC" leftmargin="0" topma
rgin="0" rightmargin="0" marginwidth="0" marginheight="0">
<
< <table border="0" width="100%" cellspacing="0" cellpadding="3">
< <tr>
< <td bgcolor="#E3E3E3"><img border="0" src="welcome.cgi?p=logo&signinId=url_35" alt="Logo"></td>
< <td bgcolor="#E3E3E3" align="right"> </td>
<
< </tr>
< </table>
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td bgcolor="#000000" colspan="2"><img border="0" src="/dana-na/auth/url_35/imgs/space.gif" width="1" height="1"><
/td>
< </tr>
< </table>
< <blockquote><form name="frmLogin" action="login.cgi" method="POST" autocomplete="off" onsubmit="return Login(0)">
< <input type="hidden" name="tz_offset">
< <table border="0" cellpadding="2" cellspacing="0">
< <tr>
< <td nowrap colspan="3"><b>Welcome to the</b></td>
< </tr>
< <tr>
< <td nowrap colspan="3"><span class="cssLarge"><b>Pulse Connect Secure</b></span><
/td></tr>
<
< <tr>
< <td colspan="3"> </td>
< </tr>
< <tr>
<
< <td valign="top">
<
< <table border="0" cellspacing="0" cellpadding="2">
<tr>
< <td>username</td>
< <td> </td>
< <td><input type="tex
t" name="username" size="20"></td>
< </tr>
<tr>
< <td>password</td>
< <td> </td>
< <td><input type="pas
sword" name="password" size="20"></td>
< </tr>
<tr> <input type="hidden" name="realm" value
="TDEC-Admin"> </tr> <tr>
< <td colspan="3"> </td>
< </tr>
< <tr>
< <td> </td>
< <td> </td>
< <td><input type="submit" value="Sign In" name="btnSubmit"> </td>
< </tr> </table>
<
< </td>
< <td valign="top"> </td>
< <td valign="top"><table border="0" cellspacing="0" cellpadding="2">
< <tr><td>Please sign in to begin your secure session.<br><br><noscript>Note: Javascript is disabled on your browser.</noscript></tr
></td></table></td>
< </tr>
< </table> </form>
< </blockquote>
<
< <table border="0" cellspacing="0" cellpadding="0" width="100%">
< <tr>
< <td background="/dana-na/auth/url_35/imgs/footerbg.gif">
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="1" height="2"></td>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td>
< </tr>
< <tr valign="top">
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="1"></td>
< <td nowrap ><br><br><br><br>
< <td align="right"><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td
>
< </tr>
< </table>
< </td>
< </tr>
< <tr>
< <td colspan="2"><img border="0" src="/dana-na/auth/url_35/imgs/space.gif" height="6" width="1" alt=""></td>
< </tr>
< </table>
<
< </body>
< </html>
GET https://ENDPOINT_HOST/dana-na/auth/url_35/welcome.cgi?
> GET /dana-na/auth/url_35/welcome.cgi? HTTP/1.1
> Host: ENDPOINT_HOST
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: DSSIGNIN=url_35; DSSignInURL=/tdec-admin; DSSigninNotif=1
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Thu, 10 Dec 2020 16:42:30 GMT
x-frame-options: SAMEORIGIN
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="Content-Language">
< <meta http-equiv="Content-Type" content="text/html">
< <meta name="robots" content="none">
< <title>Pulse Connect Secure</title>
<
< <script src="/dana-na/css/ds.js"></script>
< <script>
< WriteCSS();
< </script>
< <noscript>
< <link rel="stylesheet" href="/dana-na/css/ds.css">
< </noscript>
<
< <script>
< <!--
< if (window.top != self) {
< top.location = location;
< }
< if(window.name == "newpincancel" || window.name == "nexttokencancel") {
< window.close();
< }
< //--></script>
< <script src="/dana-na/auth/lastauthserverused.js"></script>
< <script>function deletepreauth() {
< document.cookie = "DSPREAUTH="+ escape("")+ ";path=/dana-na/;expires=12-Nov-1996";
< }
< </script>
<
< </head>
<
< <body onload="FinishLoad(0)" bgcolor="#FFFFFF" color="#000000" link="#3366CC" vlink="#CC6699" alink="#3366CC" leftmargin="0" topma
rgin="0" rightmargin="0" marginwidth="0" marginheight="0">
<
< <table border="0" width="100%" cellspacing="0" cellpadding="3">
< <tr>
< <td bgcolor="#E3E3E3"><img border="0" src="welcome.cgi?p=logo&signinId=url_35" alt="Logo"></td>
< <td bgcolor="#E3E3E3" align="right"> </td>
<
< </tr>
< </table>
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td bgcolor="#000000" colspan="2"><img border="0" src="/dana-na/auth/url_35/imgs/space.gif" width="1" height="1"><
/td>
< </tr>
< </table>
< <blockquote><form name="frmLogin" action="login.cgi" method="POST" autocomplete="off" onsubmit="return Login(0)">
< <input type="hidden" name="tz_offset">
< <table border="0" cellpadding="2" cellspacing="0">
< <tr>
< <td nowrap colspan="3"><b>Welcome to the</b></td>
< </tr>
< <tr>
< <td nowrap colspan="3"><span class="cssLarge"><b>Pulse Connect Secure</b></span><
/td></tr>
<
< <tr>
< <td colspan="3"> </td>
< </tr>
< <tr>
<
< <td valign="top">
<
< <table border="0" cellspacing="0" cellpadding="2">
<tr>
< <td>username</td>
< <td> </td>
< <td><input type="tex
t" name="username" size="20"></td>
< </tr>
<tr>
< <td>password</td>
< <td> </td>
< <td><input type="pas
sword" name="password" size="20"></td>
< </tr>
<tr> <input type="hidden" name="realm" value
="TDEC-Admin"> </tr> <tr>
< <td colspan="3"> </td>
< </tr>
< <tr>
< <td> </td>
< <td> </td>
< <td><input type="submit" value="Sign In" name="btnSubmit"> </td>
< </tr> </table>
<
< </td>
< <td valign="top"> </td>
< <td valign="top"><table border="0" cellspacing="0" cellpadding="2">
< <tr><td>Please sign in to begin your secure session.<br><br><noscript>Note: Javascript is disabled on your browser.</noscript></tr
></td></table></td>
< </tr>
< </table> </form>
< </blockquote>
<
< <table border="0" cellspacing="0" cellpadding="0" width="100%">
< <tr>
< <td background="/dana-na/auth/url_35/imgs/footerbg.gif">
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="1" height="2"></td>
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td>
< </tr>
< <tr valign="top">
< <td><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="1"></td>
< <td nowrap ><br><br><br><br>
< <td align="right"><img src="/dana-na/auth/url_35/imgs/space.gif" width="10" height="10"></td
>
< </tr>
< </table>
< </td>
< </tr>
< <tr>
< <td colspan="2"><img border="0" src="/dana-na/auth/url_35/imgs/space.gif" height="6" width="1" alt=""></td>
< </tr>
< </table>
<
< </body>
< </html>
frmLogin
password:
POST https://ENDPOINT_HOST/dana-na/auth/url_35/login.cgi
> POST /dana-na/auth/url_35/login.cgi HTTP/1.1
> Host: ENDPOINT_HOST
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: DSSIGNIN=url_35; DSSignInURL=/tdec-admin; DSSigninNotif=1
> NCP-Version: 3
> X-Pad: 000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 86
>
> tz_offset=&username=ACCT_NAME&password=PASSWORD&realm=ACCT_REALM&btnSubmit=Sign%20In
Got HTTP response: HTTP/1.1 302 Moved
Set-Cookie: id=state_06453cb92c2e8eeeffb29e1ec8da84a8; path=/; secure; HttpOnly
Date: Thu, 10 Dec 2020 16:42:39 GMT
location: /dana-na/auth/url_35/welcome.cgi?p=defender
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
GET https://ENDPOINT_HOST/dana-na/auth/url_35/welcome.cgi?p=defender
> GET /dana-na/auth/url_35/welcome.cgi?p=defender HTTP/1.1
> Host: jvpn.tn.gov
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: DSSIGNIN=url_35; DSSignInURL=/tdec-admin; DSSigninNotif=1; id=state_06453cb92c2e8eeeffb29e1ec8da84a8
> NCP-Version: 3
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Thu, 10 Dec 2020 16:42:39 GMT
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
<
< <html>
< <head>
< <meta http-equiv="Content-Language">
< <meta http-equiv="Content-Type" content="text/html">
< <title>Sign-In</title>
<
< <script src="/dana-na/css/ds.js"></script>
< <script>
< WriteCSS();
< </script>
< <noscript>
< <link rel="stylesheet" href="/dana-na/css/ds.css">
< </noscript>
<
< <script>
< <!--
<
< if (window.top != self) {
< top.location = location;
< }
<
< function FinishLoad() {
< document.frmDefender.password.focus();
< }
< function submitFrmCasque() {
<
< document.frmCasque.action = "/dana-na/download/x.casque?url=/dana-na/auth/welcome.cgi";
< document.frmCasque.submit();
< }
<
< //--></script>
<
< </head>
<
< <body bgcolor="#FFFFFF" color="#000000" link="#3366CC" vlink="#CC6699" alink="#3366CC" leftmargin="0" topmargin="0" rightmargin="0
" marginwidth="0" marginheight="0" onload="FinishLoad();">
<
< <table border="0" width="100%" cellspacing="0" cellpadding="3">
< <tr>
< <td bgcolor="#E3E3E3"><img border="0" src="welcome.cgi?p=logo" alt="Logo"></td>
< <td bgcolor="#E3E3E3" align="right"> </td>
< </tr>
< </table>
< <table cellpadding="0" cellspacing="0" border="0" width="100%">
< <tr>
< <td bgcolor="#000000" colspan="2"><img border="0" src="/dana-na/imgs/space.gif" width="1" height="1"></td>
< </tr>
< </table>
<
<
< <table border="0" cellspacing="0" cellpadding="2">
< <tr>
< <td nowrap ><b>Welcome to the</b></td>
< </tr>
< <tr>
< <td nowrap ><span class="cssLarge"><b>Pulse Connect Secure</b></span></td>
< </tr>
< <tr>
< <td> </td>
< <td> </td>
< </tr>
< <tr>
< <td valign="top">
< <table border="0" cellspacing="0" width="100%" bgcolor="#CCCC99">
< <tr>
< <td>
< <table border="0" cellspacing="0" cellpadding="0">
< <tr>
< <td> </td>
< <td><b>Challenge / Response</b></td>
< </tr>
< </table>
< </td>
< </tr>
< <tr>
< <td>
< <table border="0" cellpadding="6" cellspacing="0" width="100%" bgcolor="#FFF
FCC">
< <tr>
< <td>
Challenge: Enter a response to the grid challenge [H4] [H5] [I3] using a card with serial number 52520.
<p class="cssSmall">Enter the challenge string above into your token, and then enter the one-time response i
n the field below.</p><form name="frmDefender" action="login.cgi" method="POST" autocomplete="off">
< <input type="hidden" name="username" value="ACCT_NAME">
< <input type="hidden" name="key" value="state_06453cb92c2e8eeeffb29e1ec8da84a8">
< <table border="0" cellspacing="0" cellpadding="2">
< <tr>
< <td>Response:</td>
< <td><input type="password" name="pas
sword" size="20"></td>
< </tr>
< <tr>
< <td colspan="2"> </td>
< </tr>
< <tr>
< <td> </td>
< <td>
< <input type="submit" value=" Sign In " name="btnAction" onclick="return (doc
ument.frmDefender.password.value != '');">
< <input type="submit" value="Cancel" name="secidactionCancel">
< </td>
< </tr>
< </table>
< </form>
< </td>
< </tr>
< </table>
< </td>
< </tr>
< </table>
< </td>
< <td valign="top"> </td>
< </tr>
< </table>
<
< </body>
<
< </html>
Ignoring unknown form submit item 'secidactionCancel'
frmDefender
password:
POST https://ENDPOINT_HOST/dana-na/auth/url_35/login.cgi
> POST /dana-na/auth/url_35/login.cgi HTTP/1.1
> Host: jvpn.tn.gov
> User-Agent: Open AnyConnect VPN Agent v8.05-1
> Cookie: DSSIGNIN=url_35; DSSignInURL=/tdec-admin; DSSigninNotif=1; id=state_06453cb92c2e8eeeffb29e1ec8da84a8
> NCP-Version: 3
> X-Pad: 00000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 105
>
> username=ACCT_NAME&key=state_06453cb92c2e8eeeffb29e1ec8da84a8&password=qe6&btnAction=%20%20Sign%20In%20%20
Failed to read from SSL socket: The TLS connection was non-properly terminated.
Error fetching HTTPS response
Failed to obtain WebVPN cookie
In this case the grid code is "qe6"; if I enter an incorrect grid card response it prompts me again for the correct response. My entry is making it to the VPN and it appears to be validating that response. However, after validation a connection to the VPN is not created.
Notes on the Grid Card
The grid card required by my Pulse Secure endpoint is similar to the one described in the smxlogin project but different in a couple of significant regards. First, the grid card isn't provided through the Pulse Connect application UI or on the VPN endpoint's website. Instead it is provided along with the account name and password as an image. Mine came in an email message; it looks like this:
Card Grid
User Name USER_NAME
Group VPN_REALM_NAME
Serial Number 99999
State Current
Grid
     A  B  C  D  E  F  G  H  I  J
  1  Q  F  O  3  3  2  L  M  E  O
  2  1  M  W  C  8  2  8  J  X  Z
  3  B  I  4  7  8  D  F  G  3  C
  4  Y  U  8  2  4  N  C  X  4  7
  5  M  G  P  5  1  3  U  F  H  A
Since the grid card isn't provided by a URL, I think more information would need to be provided to smxlogin so that it could generate the matching grid. It's possible that the "serial number" on the card may be enough to re-create the matching grid, but that's just me guessing.
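
Added example (not part of the original post, and not OpenConnect's code): a small Python parser that decodes the last server record of the --protocol=pulse dump above, the one OpenConnect reports as unhandled. The field layout (16-byte IF-T/TLS header, 4-byte auth prefix, EAP packet, then 4-byte-aligned AVPs) is an assumption read off the dump and its "AVP 79" log lines; all function names are illustrative.

```python
import struct

# Final server record, copied from the "<" lines of the Pulse dump above.
FINAL_RECORD_DUMP = """\
< 0000: 00 00 55 97 00 00 00 05 00 00 00 38 00 00 01 fa |..U........8....|
< 0010: 00 0a 4c 01 01 05 00 24 fe 00 0a 4c 00 00 00 01 |..L....$...L....|
< 0020: 00 00 00 4f 40 00 00 15 01 01 00 0d fe 00 0a 4c |...O@..........L|
< 0030: 00 00 00 03 21 72 65 73 |....!res|
"""


def dump_to_bytes(dump):
    """Turn OpenConnect hex-dump lines ("< 0000: xx xx ... |ascii|") into bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:
            out += bytes.fromhex(line.split(":", 1)[1].split("|", 1)[0])
    return bytes(out)


def parse_eap(buf):
    """Parse one EAP packet (RFC 3748), including expanded type 254."""
    if len(buf) < 5:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack_from(">BBH", buf, 0)
    if length < 5 or length > len(buf):
        raise ValueError("EAP length field does not fit the buffer")
    eap = {"code": code, "id": ident, "length": length, "type": buf[4]}
    body = buf[5:length]
    if eap["type"] == 0xFE:  # expanded: 3-byte vendor id, 4-byte vendor type
        if len(body) < 7:
            raise ValueError("truncated expanded EAP type")
        eap["vendor"] = int.from_bytes(body[:3], "big")
        eap["vendor_type"] = int.from_bytes(body[3:7], "big")
        body = body[7:]
    eap["data"] = body
    return eap


def parse_avps(buf):
    """Split a buffer into AVPs: code(4) flags(1) length(3) [vendor(4)] data pad."""
    avps, off = [], 0
    while off + 8 <= len(buf):
        code, flags_len = struct.unpack_from(">II", buf, off)
        flags, length = flags_len >> 24, flags_len & 0xFFFFFF
        hdr = 12 if flags & 0x80 else 8  # 0x80 flag: vendor id follows
        if length < hdr or off + length > len(buf):
            raise ValueError("AVP length field does not fit the buffer")
        vendor = struct.unpack_from(">I", buf, off + 8)[0] if flags & 0x80 else 0
        end = off + ((length + 3) & ~3)  # AVPs are padded to 4 bytes
        avps.append({"code": code, "flags": flags, "vendor": vendor,
                     "data": buf[off + hdr:off + length],
                     "padding": buf[off + length:end]})
        off = end
    return avps


def parse_record(rec):
    """Decode one IF-T/TLS auth record down to the EAP packet inside AVP 79."""
    if len(rec) < 20:
        raise ValueError("record too short")
    vendor, msg_type, length, seq = struct.unpack_from(">IIII", rec, 0)
    if length != len(rec):
        raise ValueError("IF-T/TLS length field does not match record size")
    outer = parse_eap(rec[20:])
    avps = parse_avps(outer["data"])
    for avp in avps:
        if avp["code"] == 79 and avp["vendor"] == 0:  # EAP-Message
            avp["eap"] = parse_eap(avp["data"])
    return {"ift": {"vendor": vendor, "type": msg_type, "seq": seq},
            "auth_prefix": rec[16:20], "eap": outer, "avps": avps}


if __name__ == "__main__":
    rec = parse_record(dump_to_bytes(FINAL_RECORD_DUMP))
    avp = rec["avps"][0]
    inner = avp["eap"]
    print("IF-T/TLS type %d, seq %#x" % (rec["ift"]["type"], rec["ift"]["seq"]))
    print("inner EAP type %#x vendor %#x vendor_type %d data %r padding %r"
          % (inner["type"], inner["vendor"], inner["vendor_type"],
             inner["data"], avp["padding"]))
```

On this record the parser shows an inner EAP request of expanded type 0xfe (vendor 0x0a4c, vendor type 3) whose only data byte is "!"; the trailing "res" is AVP padding. The two earlier prompts in the same dump carried EAP type 6 (Generic Token Card) inside AVP 79 instead.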