CAS is not supported by the client. Minimum client version is 6.0

Hi,

I am trying to configure openconnect to work with GlobalProtect (SAML Auth).

I am facing this error CAS is not supported by the client. Minimum client version is 6.0

I am running debian 12 and openconnect is in 9.01-3.

It seems that minimum client version block ...

I don't know how to fix this.

Is somebody have any idea ?

Thanks

added protocolGlobalProtect label

I have no reason to believe it will help, but it would be great if you could try latest version 9.12.

Also not sure what "CAS" is. Any clue? Client Access Server?

Hi

After looking at the log using the GlobalProtect client it seems to be a username-type <username-type>cas</username-type>

I hope it helps...

It does help:

• From the CAS home page:

  CAS is an open and well-documented authentication protocol. The primary implementation of the protocol is an open-source Java server component by the same name hosted here, with support for a plethora of additional authentication protocols and features.

• It appears to be often used with Cisco Duo. See for example Duo for Central Authentication Server (CAS).

I guess it falls in the category of web browser (SSO) single sign-on, which has been widely discussed in past posts:

• It can be a challenge to automate the interaction with a server designed for web browsers, with potentially complex and unexpected web page contents, sometimes generated by JavaScript.
• Direct user interaction from a command-line based client such as OpenConnect is obviously difficult. The maintainers have been unable to identify a recent and maintained library implementing a text based browser that could be used to interact with such pages without the need for a GUI.

I am afraid I cannot be more helpful here, others may know better. Look through other GlobalProtect issues for ideas. The solution might be as simple as using option --useragent to convince the server that the current client is able to handle the authentication process, or as complex as using some external script (such as gp-saml-gui for SAML) that launches a web browser to handle the authentication and retrieve a session cookie, then feed the cookie to OpenConnect using the --cookie option.

OK thanks, so far to my testing with gp-saml-gui it ends always withe the same error message.

So my guess is that it's just not supported.

Thanks

A verbose (and consistently redacted if needed) log might help implement the missing functionality (-v -v -v --dump-http-traffic).

After looking at the log using the GlobalProtect client it seems to be a username-type <username-type>cas</username-type>

I don't understand what this means, or the context.

See gp-saml-gui #77 for a recent example of how to generate useful additional logging information while using gp-saml-gui + openconnect.

I will have a look tomorrow to provide detailed logging

@menardorama any chance your vpn is using Cloud Authentication Service from Palo Alto? https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/saml-authentication-through-cloud-authentication-service

added External Auth/SAML/SSO label

added Needs info label

Hi,

Here is the debug ouput of openconnect

POST https://gp.example.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Attempting to connect to server 192.168.1.1:443
Connected to 192.168.1.1:443
Négociation SSL avec gp.example.com
Connected to HTTPS on gp.example.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: gp.example.com
> User-Agent: PAN GlobalProtect
> 
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 08 Sep 2023 05:53:53 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 538
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESSID=3cda0a56-498b-4b26-8034-7c4a8827e6d6; Path=/; HttpOnly; Secure
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';
HTTP body length:  (538)
< <?xml version="1.0" encoding="UTF-8" ?>
< <prelogin-response>
< <status>Error</status>
< <ccusername></ccusername>
< <autosubmit>false</autosubmit>
< <msg>CAS is not supported by the client. Minimum client version is 6.0</msg>
< <newmsg></newmsg>
< <authentication-message>Enter login credentials</authentication-message>
< <username-label>Username</username-label>
< <password-label>Password</password-label>
< <panos-version>1</panos-version>
< <saml-default-browser>yes</saml-default-browser>
< 
< <auth-api>no</auth-api><region>FR</region>
< </prelogin-response>
CAS is not supported by the client. Minimum client version is 6.0
Failed to complete authentication

Now looking using gp-saml-gui

I see in the code that clientVer is hardcoded to version 4100, it does not seem to be configurable ?

Do not change that value. It appears to be "fossilized"; it is the same for all client software versions.

The value that you probably want to change is this one…

index 37235c1f..ddaef6c4 100644
--- a/gpst.c
+++ b/gpst.c
@@ -644,7 +644,7 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
 
        /* submit getconfig request */
        buf_append(request_body, "client-type=1&protocol-version=p1&internal=no");
-       append_opt(request_body, "app-version", vpninfo->csd_ticket ? : "5.1.5-8");
+       append_opt(request_body, "app-version", vpninfo->csd_ticket ? : "6.1.2-82");
        append_opt(request_body, "ipv6-support", vpninfo->disable_ipv6 ? "no" : "yes");
        append_opt(request_body, "clientos", gpst_os_name(vpninfo));
        append_opt(request_body, "os-version", vpninfo->platname);

However, the surprising thing about your server is that it seems to want to know the client software version earlier in the authentication flow. It wants to know the client software version as part of the /global-protect/prelogin.esp request. Proprietary clients which I've MITM'ed don't send this: https://github.com/dlenski/openconnect/blob/master/PAN_GlobalProtect_protocol_doc.md#pre-login-request

Maybe those MR are related to my issue ?

!103 !131 (merged)

Maybe those MR are related to my issue ? !131 (merged)

Quite likely, yes.

Tried to bump the version number to 6000 and recompile without success.

I've configure the GlobalProtect client in dump mode and see this request:

Command = 
<request>
    <type>portal</type>
    <portal>vpn.example.com</portal>
    <pid>2343</pid>
    <user>myuser@example.com</user>
    <passwd>*</passwd>
    <path>/home/myuser/.GlobalProtect</path>
    <checkupdate>no</checkupdate>
    <allow-cached-portal>yes</allow-cached-portal>
    <remember-me>yes</remember-me>
    <retrieve-cache-only>no</retrieve-cache-only>
    <manual-select-gateway-ip></manual-select-gateway-ip>
    <portal-certificate-verification>yes</portal-certificate-verification>
    <win-user>myuser</win-user>
    <user-profile-type>0</user-profile-type>
    <preferred-gateway></preferred-gateway>
    <preferred-gateway-address></preferred-gateway-address>
    <saved-user>myuser@example.com</saved-user>
    <saved-passwd></saved-passwd>
    <portal-2fa>no</portal-2fa>
    <token>--redacted token--</token>
    <cas-username>myuser@example.com</cas-username>
    <cas-auth-status>1</cas-auth-status>
    <saml-auth-error></saml-auth-error>
    <use-ssl-tunnel>no</use-ssl-tunnel>
    <gid>1000</gid>
    <uid>1000</uid>
    <domain></domain>
    <default-browser>4</default-browser>
</request>

Reply

<?xml version="1.0" encoding="UTF-8"?>
<response>
	<type>status</type>
	<status>Disconnected</status>
	<protocol/>
	<portal-config-version>0</portal-config-version>
	<error-must-show/>
	<error-must-show-level>error</error-must-show-level>
	<error/>
	<product-version>6.1.2-82</product-version>
	<product-code/>
	<portal-status>User authentication failed</portal-status>
	<user-name>myuser@example.com</user-name>
	<username-type>cas</username-type>
	<state>Retrieving configuration...</state>
	<check-version>no</check-version>
	<portal>myuser@example.com</portal>
	<discover-ready>no</discover-ready>
	<mdm-is-enabled>no</mdm-is-enabled>
	<gateway-list>gateway-list</gateway-list>
	<mobile-network-type>0</mobile-network-type>
	<cdl-log>no</cdl-log>
</response>

I hope it helps....

It might be time to bump the emulated version number from 5.1.5-8 to something more recent, such as 6.1.2-82. Does it get you further, that is, is the error message different?

I've configure the GlobalProtect client in dump mode and see this request:

Do you mean the proprietary GlobalProtect client?

It might be time to bump the emulated version number from 5.1.5-8 to something more recent, such as 6.1.2-82. Does it get you further, that is, is the error message different?

As of !333 (merged), we will simply parrot back whatever software version number the portal thinks is the latest and greatest.

… but yes, we probably should also bump the fallback version number that we use in case of a direct connection to the gateway, in which case OpenConnect won't learn the version number to parrot. 🦜

Can I test this theory by running tests/fake-gp-server.py with a different default (e.g. from master), or is it more complicated than that?

Can I test this theory by running tests/fake-gp-server.py with a different default (e.g. from master)

I don't understand what you're proposing here.

The fake GP server does not care what emulated version number you send to it. You can send it Help.I.Am.Trapped.In.A.VPN.Factory as your app-version, and it won't care.

You need to modify the client and test it with your real server. Quite likely the change you need is b22782f5 in, also described above in #651 (comment 1573448681).

mentioned in merge request !493 (merged)

I also get this error with gp-saml-gui and openconnect 9.12 trying to connect to GlobalProtect cloud service with Cloud Authentication Service where Cloud Identity Engine serves as proxy for AzureAD (sorry for the buzzword dump, I'm only relaying what I was told :P).

I'd like to avoid installing the proprietary client to post a dump as above, but I'm happy to share more detailed information in private if someone tells me what to test. :)

Either @nemobis or @menardorama can probably figure this out very quickly.

Just take the current prelogin request URL…

> POST /global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux HTTP/1.1
> Host: gp.example.com
> User-Agent: PAN GlobalProtect 
…
CAS is not supported by the client. Minimum client version is 6.0

And try this with curl:

curl -kvL -X POST -A 'PAN GlobalProtect' 'https://$SERVER/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows'

You should get the same error.

Try adding various parameters to the end of the URL (appVersion=6.1.2-82? app-version=6.1.2-82? appversion=6.1.2-82? etc.)

Keep trying more stuff like that. If any of them cause you not to get the error, then great!

I'm happy to share more detailed information in private if someone tells me what to test.

Email the server URL to me at the address on my profile.

From this page: https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/saml-authentication-through-cloud-authentication-service it also mentioned

You must use the default system browser with this feature; the embedded browser is not supported

The official GlobalProtect client is sending a new parameter in the body of the request: cas-support=yes. If you send this you won't get the error CAS is not supported by the client. Minimum client version is 6.0 anymore. The clientVer string is unchanged; it's still 4100.

Here's an example curl request:

curl -X POST \
-d 'cas-support=yes' \
-H 'Connection: Keep-Alive' \
-H 'User-Agent: PAN GlobalProtect' \
 'https://<your-gateway>.gw.gpcloudservice.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows'

Thanks! Can all of you affected by this please test 50428ca0 and let us know if it resolves the problem?

@mathias-nyman-relex @leduc1296 @nemobis @menardorama

@nemobis, should I take that to mean "yes"?

It works for me, at least it doesn't give me the CAS is not supported by the client. Minimum client version is 6.0 error anymore. Now I have the error Failed to complete authentication.

Wow, thanks @dlenski for the quick patch. That takes care of the prelogin but the login seems a bit different with this CAS auth method. We don't get a prelogin cookie or userauth cookie anymore. Instead we get a JWT. I'll see if I can figure it out..

Also, I'm not sure CAS here refers to what you found (https://apereo.github.io/cas/6.6.x/index.html), or if it's just a coincidence that Palo Alto picked the same name and abbreviation for their feature they refer to as CAS: https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/saml-authentication-through-cloud-authentication-service

That takes care of the prelogin but the login seems a bit different with this CAS auth method.

Somewhat unsurprising, sadly.

We don't get a prelogin cookie or userauth cookie anymore. Instead we get a JWT. I'll see if I can figure it out..

Interesting. Can at least one of you post an anonymized log of openconnect --dump-http-traffic -vvvv? Or email to the address on my profile if you aren't comfortable sharing it publicly? (I won't share it publicly; will just use it to give you advice on how to proceed, or to inform the implementation in OpenConnect if it's obvious how to proceed.)

I can probably make some educated guesses based on that.

Also, I'm not sure CAS here refers to what you found (https://apereo.github.io/cas/6.6.x/index.html), or if it's just a coincidence that Palo Alto picked the same name and abbreviation for their feature they refer to as CAS: https://docs.paloaltonetworks.com/globalprotect/6-0/globalprotect-app-new-features/new-features-released-in-gp-app/saml-authentication-through-cloud-authentication-service

Thanks. Clashing/inconsistent naming in proprietary VPN clients would also be sadly unsurprising

Although just based on a quick search, it appears that JWT is one of the pluggable options for the non-GP-specific CAS, so maybe they are using a standard-ish authentication method with its standard name?

I do have a test server featuring cas support and after finding out that i need to set cas-support, i found this ticket :) Will have a look at the JWT and try to add it.

Ok, i do have a working version. Will prepare a MR, but this depends on my external browser MR (!499). According to Palo Alto this is a requirement for CAS, didn't test internal webview.

mentioned in commit 0727a48c

mentioned in commit e5592b05

mentioned in commit 8f6186f1

mentioned in commit 50428ca0

removed Needs info label

mentioned in merge request !497 (merged)

mentioned in commit jbrummer_vw/openconnect@585ee9d0

mentioned in merge request !503 (closed)