Fails to connect to Pulse/Juniper using SSO
I need to connect to a Pulse Secure VPN which authenticates to Microsoft SSO. I can connect successfully using openconnect-pulse-gui (https://github.com/utknoxville/openconnect-pulse-gui): this tool pops up a window in which I authenticate to Microsoft, then gives me the command I need to run: openconnect --protocol nc -C DSID=foobar vpn.example.org
I would like to do this with networkmanager-openconnect 1.2.10. I tried the Juniper Network Connect protocol in NM, as that is what openconnect-pulse-gui is using, but it fails with this log:
GET https://vpn.example.org/
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Found
Location: /dana-na/auth/blabla/welcome.cgi
Content-Type: text/html; charset=utf-8
Set-Cookie: DSSIGNIN=url_blabla; path=/dana-na/; expires=Thu, 31-Dec-2037 00:00:00 GMT; secure
Set-Cookie: DSIVS=; path=/; expires=Thu, 01 Jan 1970 22:00:00 GMT; secure
Set-Cookie: DSSignInURL=/; path=/; secure
Set-Cookie: SUPPORTCHROMEOS=1; path=/; secure
Connection: close
Content-Length: 0
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body length: (0)
GET https://vpn.example.org/dana-na/auth/url_blabla/welcome.cgi
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 302 Moved
Date: Sat, 17 Jun 2023 14:01:14 GMT
location: /dana-na/auth/url_blabla/login.cgi?realm=AAD
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
GET https://vpn.example.org/dana-na/auth/url_blabla/login.cgi?realm=AAD
Got HTTP response: HTTP/1.1 302 Moved
location: https://login.microsoftonline.com/blabla
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Cache-Control: no-store
Expires: -1
Transfer-Encoding: chunked
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
GET https://login.microsoftonline.com/blabla
Attempting to connect to server [2603:1026:3000:118::2]:443
Connected to [2603:1026:3000:118::2]:443
SSL negotiation with login.microsoftonline.com
Connected to HTTPS on login.microsoftonline.com with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Link: <https://aadcdn.msftauth.net>; rel=preconnect; crossorigin
Link: <https://aadcdn.msftauth.net>; rel=dns-prefetch
Link: <https://aadcdn.msauth.net>; rel=dns-prefetch
X-DNS-Prefetch-Control: on
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
x-ms-request-id: 746f8f69-4250-4ed3-97ea-6787fcb93000
x-ms-ests-server: 2.1.15620.8 - NEULR1 ProdSlices
X-XSS-Protection: 0
Set-Cookie: buid=blabla; expires=Mon, 17-Jul-2023 14:01:15 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: esctx=blabla; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: fpc=blabla; expires=Mon, 17-Jul-2023 14:01:15 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Sat, 17 Jun 2023 14:01:14 GMT
Content-Length: 34906
HTTP body length: (34906)
Failed to find or parse web form in login page
Selecting the Pulse protocol, it also fails, but this time with this message:
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
SSL negotiation with vpn.example.org
Connected to HTTPS on vpn.example.org with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 101 Switching Protocols
Content-type: application/octet-stream
Pragma: no-cache
Upgrade: IF-T/TLS 1.0
Connection: Upgrade
X-XSS-Protection: 1
Strict-Transport-Security: max-age=31536000
> 0000: 00 00 55 97 00 00 00 01 00 00 00 14 00 00 00 00 |..U.............|
> 0010: 00 01 02 02 |....|
> 0000: 00 00 0a 4c 00 00 00 88 00 00 00 41 00 00 00 01 |...L.......A....|
> 0010: 63 6c 69 65 6e 74 48 6f 73 74 4e 61 6d 65 3d 6c |clientHostName=l|
> 0020: 6f 63 61 6c 68 6f 73 74 20 63 6c 69 65 6e 74 49 |ocalhost clientI|
> 0030: 70 3d 31 39 32 2e 31 36 38 2e 35 2e 31 33 36 0a |p=192.168.5.136.|
> 0040: 00 |.|
> 0000: 00 00 55 97 00 00 00 06 00 00 00 22 00 00 00 02 |..U........"....|
> 0010: 00 0a 4c 01 02 01 00 0e 01 61 6e 6f 6e 79 6d 6f |..L......anonymo|
> 0020: 75 73 |us|
> 0000: 00 00 55 97 00 00 00 06 00 00 00 78 00 00 00 03 |..U........x....|
> 0010: 00 0a 4c 01 02 02 00 64 fe 00 0a 4c 00 00 00 01 |..L....d...L....|
> 0020: 00 00 0d 70 80 00 00 55 00 00 05 83 50 75 6c 73 |...p...U....Puls|
> 0030: 65 2d 53 65 63 75 72 65 2f 32 32 2e 32 2e 31 2e |e-Secure/22.2.1.|
> 0040: 31 32 39 35 20 28 4f 70 65 6e 43 6f 6e 6e 65 63 |1295 (OpenConnec|
> 0050: 74 20 56 50 4e 20 41 67 65 6e 74 20 28 4e 65 74 |t VPN Agent (Net|
> 0060: 77 6f 72 6b 4d 61 6e 61 67 65 72 29 20 76 39 2e |workManager) v9.|
> 0070: 31 32 2d 31 29 00 00 00 |12-1)...|
Authentication failure: Code 0x00
I'm using network-manager-openconnect 1.2.10 from Debian sid.
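To make the Pulse-protocol hex dump above readable, here is an added example (mine, not part of the report, of NetworkManager-openconnect or of openconnect) that reassembles openconnect's `> 0000:` rows into IF-T/TLS frames and decodes the 16-byte header, the version-negotiation body and the EAP packets carried in the client-auth responses. The vendor IDs (0x5597 for the Trusted Computing Group, 0x0a4c for Juniper), the message-type names and the AVP layout are my reading of the TCG IF-T binding to TLS and of openconnect's Pulse code, so treat them as assumptions; the sample input is the dump from the report, copied verbatim.

```python
"""Decode the IF-T/TLS frames from an openconnect Pulse debug log.
Added example: the dump is copied from the report above; vendor IDs and message
names are my reading of the TCG IF-T/TLS binding and openconnect's naming."""
import re
import struct

VENDOR_TCG = 0x5597      # Trusted Computing Group: IF-T/TLS control messages
VENDOR_JUNIPER = 0x0A4C  # Juniper Networks: Pulse-specific messages
TCG_TYPES = {1: "VERSION_REQUEST", 2: "VERSION_RESPONSE", 3: "CLIENT_AUTH_REQUEST",
             4: "CLIENT_AUTH_SELECTION", 5: "CLIENT_AUTH_CHALLENGE",
             6: "CLIENT_AUTH_RESPONSE", 7: "CLIENT_AUTH_SUCCESS"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# One 16-byte row per line: direction marker (> outbound, < inbound), offset, hex bytes, |ascii|
HEX_LINE = re.compile(r"^([<>])\s*([0-9a-f]{4}):\s+((?:[0-9a-f]{2}\s+)+)\|")

SAMPLE_DUMP = """\
> 0000: 00 00 55 97 00 00 00 01 00 00 00 14 00 00 00 00 |..U.............|
> 0010: 00 01 02 02 |....|
> 0000: 00 00 0a 4c 00 00 00 88 00 00 00 41 00 00 00 01 |...L.......A....|
> 0010: 63 6c 69 65 6e 74 48 6f 73 74 4e 61 6d 65 3d 6c |clientHostName=l|
> 0020: 6f 63 61 6c 68 6f 73 74 20 63 6c 69 65 6e 74 49 |ocalhost clientI|
> 0030: 70 3d 31 39 32 2e 31 36 38 2e 35 2e 31 33 36 0a |p=192.168.5.136.|
> 0040: 00 |.|
> 0000: 00 00 55 97 00 00 00 06 00 00 00 22 00 00 00 02 |..U........"....|
> 0010: 00 0a 4c 01 02 01 00 0e 01 61 6e 6f 6e 79 6d 6f |..L......anonymo|
> 0020: 75 73 |us|
> 0000: 00 00 55 97 00 00 00 06 00 00 00 78 00 00 00 03 |..U........x....|
> 0010: 00 0a 4c 01 02 02 00 64 fe 00 0a 4c 00 00 00 01 |..L....d...L....|
> 0020: 00 00 0d 70 80 00 00 55 00 00 05 83 50 75 6c 73 |...p...U....Puls|
> 0030: 65 2d 53 65 63 75 72 65 2f 32 32 2e 32 2e 31 2e |e-Secure/22.2.1.|
> 0040: 31 32 39 35 20 28 4f 70 65 6e 43 6f 6e 6e 65 63 |1295 (OpenConnec|
> 0050: 74 20 56 50 4e 20 41 67 65 6e 74 20 28 4e 65 74 |t VPN Agent (Net|
> 0060: 77 6f 72 6b 4d 61 6e 61 67 65 72 29 20 76 39 2e |workManager) v9.|
> 0070: 31 32 2d 31 29 00 00 00 |12-1)...|
"""

def split_frames(log_text):
    """Reassemble hex rows into frames; a frame starts where the offset resets to 0000."""
    frames = []
    for line in log_text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # HTTP headers and other non-hex log lines
        if int(m.group(2), 16) == 0 or not frames:
            frames.append({"direction": m.group(1), "raw": bytearray()})
        frames[-1]["raw"] += bytes.fromhex(m.group(3))
    return frames

def parse_avps(data):
    """Diameter-style AVPs: code(4) flags(1) length(3) [vendor(4) if V bit] value, 4-byte padded."""
    avps, pos = [], 0
    while pos + 8 <= len(data):
        code = int.from_bytes(data[pos:pos + 4], "big")
        flags, length = data[pos + 4], int.from_bytes(data[pos + 5:pos + 8], "big")
        hdr = 12 if flags & 0x80 else 8
        vendor = int.from_bytes(data[pos + 8:pos + 12], "big") if hdr == 12 else None
        if length < hdr or pos + length > len(data):
            raise ValueError(f"bad AVP length {length} at offset {pos}")
        avps.append({"code": code, "vendor": vendor, "value": bytes(data[pos + hdr:pos + length])})
        pos += (length + 3) & ~3  # values are padded to a 4-byte boundary
    return avps

def parse_eap(body):
    """Decode the EAP packet in a CLIENT_AUTH_RESPONSE body (a Juniper prefix word comes first)."""
    eap = body[4:]
    code, eap_id, length = struct.unpack(">BBH", eap[:4])
    if length != len(eap):
        raise ValueError(f"EAP length {length} != {len(eap)} bytes carried")
    out = {"prefix": int.from_bytes(body[:4], "big"), "code": EAP_CODES.get(code, code), "id": eap_id}
    if code in (1, 2):
        out["eap_type"] = eap[4]
        if eap[4] == 1:      # Identity: the rest of the packet is the identity string
            out["identity"] = eap[5:].decode("ascii")
        elif eap[4] == 254:  # Expanded: vendor(3) vendor-type(4) then vendor-specific data
            out["expanded"] = (int.from_bytes(eap[5:8], "big"), int.from_bytes(eap[8:12], "big"))
            out["avps"] = parse_avps(eap[12:])
    return out

def parse_ift(frame):
    """Decode the 16-byte IF-T/TLS header and the parts of the body we understand."""
    raw = frame["raw"]
    if len(raw) < 16:
        raise ValueError("frame shorter than the IF-T/TLS header")
    vendor, mtype, length, ident = struct.unpack(">IIII", raw[:16])
    vendor &= 0xFFFFFF  # first octet is reserved; the vendor ID is 24 bits
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, dump carries {len(raw)}")
    info = {"direction": frame["direction"], "vendor": vendor, "type": mtype, "id": ident,
            "body": bytes(raw[16:]), "name": f"VENDOR_{vendor:#x}_TYPE_{mtype:#x}"}
    if vendor == VENDOR_TCG:
        info["name"] = TCG_TYPES.get(mtype, info["name"])
        if mtype == 1 and len(info["body"]) >= 4:  # reserved(1) min(1) max(1) preferred(1)
            info["versions"] = tuple(info["body"][1:4])
        elif mtype == 6:
            info["eap"] = parse_eap(info["body"])
    return info

def decode_dump(log_text):
    """Parse every frame in an openconnect debug log excerpt."""
    return [parse_ift(f) for f in split_frames(log_text)]

if __name__ == "__main__":
    for f in decode_dump(SAMPLE_DUMP):
        print(f"{f['direction']} id={f['id']} {f['name']}:", f.get("eap") or f.get("versions") or f["body"])
```

Run as a script it prints one line per frame: the version request (min 1, max 2, preferred 2), the Juniper client-info message with `clientHostName` and `clientIp`, an EAP Identity response of `anonymous`, and an EAP expanded response whose vendor AVP carries the user-agent string `Pulse-Secure/22.2.1.1295 (OpenConnect VPN Agent (NetworkManager) v9.12-1)`. All four rows carry openconnect's outbound marker `>`, so the excerpt shows only what the client sent; the server's replies that led to `Authentication failure: Code 0x00` are not in it, and a full dump including the `<` rows is the first thing to compare against a working openconnect-pulse-gui session.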