OpenConnect doesn't ask for code on GlobalProtect with 2FA
When trying to connect to a GP server that has 2FA it fails with:
Response was: <challenge>
<user>[user]</user>
<inputstr>[random string]</inputstr>
<respmsg>Please enroll at https://api-xxx.duosecurity.com/frame/portal/v4/xxx</respmsg>
</challenge>
This VPN has SSO from Microsoft, and when I access the endpoint via a browser it sends a push notification to MFA. The previous error occurs after the user and password have been correctly entered via the interactive form. I'd expect this "challenge" block to become interactive so I can input the OTP code, but it just exits with code 1.
The command I've been using is echo "[password]" | openconnect --protocol=gp --passwd-on-stdin vpn.server.xyz --user=[user] --dump -vvv . If I do it interactively, the same issue arises. The exact same issue also happens if I try doing it through NetworkManager.
I guess I could make that input interactive with the "--form-entry" option, but I was not able to figure out how. I will paste the redacted full log next:
POST https://vpn.server.xyz/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server [IP]:443
Connected to [IP]:443
SSL negotiation with vpn.server.xyz
Connected to HTTPS on vpn.server.xyz with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-256-GCM)
> POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: vpn.server.xyz
> User-Agent: PAN GlobalProtect
>
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 09 Jul 2022 20:28:56 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 473
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; path=/; secure; httponly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (473)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Success</status>
< <ccusername></ccusername>
< <autosubmit>false</autosubmit>
< <msg></msg>
< <newmsg></newmsg>
< <authentication-message>Enter login credentials</authentication-message>
< <username-label>Username</username-label>
< <password-label>Password</password-label>
< <panos-version>1</panos-version>
< <saml-default-browser>yes</saml-default-browser><auth-api>no</auth-api><region>CO</region>
< </prelogin-response>
Prelogin form _login: "Username: " user(TEXT)=(null), "Password: " passwd(PASSWORD)
Enter login credentials
POST https://vpn.server.xyz/global-protect/getconfig.esp
> POST /global-protect/getconfig.esp HTTP/1.1
> Host: vpn.server.xyz
> User-Agent: PAN GlobalProtect
> Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea
> X-Pad: 000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 220
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&internal=no&ipv6-support=yes&clientos=Linux&os-version=linux-64&server=vpn.server.xyz&computer=fedora&user=[user]&passwd=[password]
Got HTTP response: HTTP/1.1 200 OK
Date: Sat, 09 Jul 2022 20:28:58 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 254
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
X-FRAME-OPTIONS: DENY
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Set-Cookie: PHPSESSID=47c7cc0d5146c8303ded56a7ffcdd9ea; secure; HttpOnly
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length: (254)
< <challenge>
< <user>[user]</user>
< <inputstr>[random string]</inputstr>
< <respmsg>Please enroll at Please enroll at https://api-xxx.duosecurity.com/frame/portal/v4/xxx</respmsg>
< </challenge>
Failed to parse server response
Response was: <challenge>
<user>[user]</user>
<inputstr>[random string]</inputstr>
<respmsg>Please enroll at Please enroll at https://api-xxx.duosecurity.com/frame/portal/v4/xxx</respmsg>
</challenge>
Failed to complete authentication
OS: Fedora 36, OpenConnect v9.01
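The step the log stops at is the server's <challenge> reply to getconfig.esp, which the client must parse and answer with a second getconfig.esp POST. The example below (added here; it is not OpenConnect's code and not from the reporter) parses that reply, decides whether the prompt can be answered with an OTP at all, and builds the follow-up form. Two things in it are assumptions rather than facts from the post: the follow-up form is assumed to repeat the original login fields with the challenge's inputstr value echoed back in an inputStr field and the OTP placed in passwd (my understanding of the GlobalProtect client flow; confirm against a capture of the official client), and the sample XML and form values are constructed from the redacted log, not real credentials. It matches tag names case-insensitively on purpose: the log shows lowercase <inputstr> and <respmsg> immediately followed by "Failed to parse server response", so whether the client expects a different capitalisation is the first thing to check.

```python
"""Added example (not OpenConnect's code): parse a GlobalProtect <challenge>
response case-insensitively and build the follow-up getconfig.esp form.

Assumptions, not confirmed by the post: the second POST repeats the original
login form with the challenge's inputstr value echoed back as `inputStr` and
the OTP sent in `passwd`. Verify against a capture of the official client.
"""
from typing import Optional
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample input: the challenge body from the log above, with the
# placeholders filled in and the tag names in lower case as the server sent them.
CHALLENGE_XML = """<challenge>
<user>alice</user>
<inputstr>abc123</inputstr>
<respmsg>Please enroll at https://api-xxx.duosecurity.com/frame/portal/v4/xxx</respmsg>
</challenge>"""

# Constructed: the fields of the first getconfig.esp POST shown in the log.
BASE_FORM = {
    "jnlpReady": "jnlpReady", "ok": "Login", "direct": "yes", "clientVer": "4100",
    "prot": "https:", "internal": "no", "ipv6-support": "yes", "clientos": "Linux",
    "os-version": "linux-64", "server": "vpn.server.xyz", "computer": "fedora",
    "user": "alice", "passwd": "hunter2",
}


def parse_challenge(body: str) -> Optional[dict]:
    """Return {'user', 'inputstr', 'respmsg'} for a <challenge> body, else None.

    Tag names are compared case-insensitively: the log shows <inputstr> and
    <respmsg>, and a case-sensitive match on inputStr/respMsg would miss them.
    """
    root = ET.fromstring(body)
    if root.tag.lower() != "challenge":
        return None  # e.g. the <jnlp> configuration document returned on success
    fields = {child.tag.lower(): (child.text or "").strip() for child in root}
    missing = [k for k in ("user", "inputstr", "respmsg") if k not in fields]
    if missing:
        raise ValueError(f"challenge is missing {missing}")
    return {k: fields[k] for k in ("user", "inputstr", "respmsg")}


def is_enrollment_prompt(challenge: dict) -> bool:
    """True when the prompt asks the user to enroll instead of entering a code.

    No OTP can satisfy that prompt (the MFA provider has no device for the
    user yet), so a client should display the message and stop rather than
    ask for a code.
    """
    return "enroll" in challenge["respmsg"].lower()


def build_challenge_reply(base_form: dict, challenge: dict, otp: str) -> dict:
    """Second getconfig.esp form: echo inputStr back and put the OTP in passwd.

    The inputStr/passwd field names are an assumption (see module docstring).
    """
    reply = dict(base_form)
    reply["user"] = challenge["user"]
    reply["inputStr"] = challenge["inputstr"]
    reply["passwd"] = otp
    return reply


def encode_form(form: dict) -> str:
    """application/x-www-form-urlencoded body, the same encoding as the logged POST."""
    return urlencode(form)


if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE_XML)
    print("prompt:", ch["respmsg"])
    if is_enrollment_prompt(ch):
        print("no OTP can answer this prompt; enroll at the URL in respmsg first")
    else:
        print(encode_form(build_challenge_reply(BASE_FORM, ch, "123456")))
```

Run against the constructed sample it reports that the prompt is an enrollment message, which is the case in the log: the Duo side has no enrolled device for the account, so even a client that parsed the challenge correctly would have nothing to send.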