Difference between revisions of "Accessing the Off-Campus VPN"

From RHLUG Wiki
Jump to navigation Jump to search
Line 1: Line 1:
= Connecting to GlobalProtect =
= Connecting to GlobalProtect =
== Using openconnect ==
Due to 2-factor authentication, you may need to use some special steps to use openconnect. This is currently being tested.
 
The other approach is to use the GlobalProtect GUI, which is officially supported by Rose-Hulman and will work for the time being.
 
== Using the GlobalProtect GUI ==
 
In a web browser, go to https://rose-hulman.microsoftcrmportals.com/knowledgebase/article/KA-01278/en-us.
 
Press Ctrl+F and type in "Setting up the client on Linux".
 
Read and follow the instructions below "Setting up the client on Linux". You can follow these instructions in a VM if you want to isolate the GUI client from your host system.
 
You will need to download the Word document which opens fine in LibreOffice Writer or the OnlyOffice Desktop Editors.
 
== Using openconnect (WIP) ==
Due to 2-factor authentication on the VPN, this tutorial will not work with the current configuration, but it is currently being experimented with.
 
Install <code>openconnect-sso</code> using the following commands in a terminal:
 
'''Ubuntu/Debian/Other Linux Distros''': follow the instructions in this section: https://github.com/vlaci/openconnect-sso#using-pippipx
 
'''Arch Linux''':<code>sudo pacman -S yay && yay -S openconnect-sso</code> (This will install yay, which installs packages from the AUR, and openconnect-sso, which allows you to use 2-factor authentication to connect to the VPN.)
 
Then, connect to the VPN using the following command, replacing yournetworkusername with your Rose-Hulman network username (for security reasons, '''do NOT run this command as root, e.g. using sudo'''):
openconnect-sso --server gp.rose-hulman.edu --user [email protected]
Then type in your password and press ENTER.
 
'''NOTE: As of 6/26/21, this is when the VPN won't connect.''' If you want more information to try to help us out, see the "openconnect debugging" section at the bottom of this page.
 
You should see a message if it connects successfully.
 
Sources: https://github.com/dlenski/openconnect/issues/143, https://github.com/vlaci/openconnect-sso
 
Active issues: https://github.com/dlenski/openconnect/issues/143, https://gitlab.com/openconnect/openconnect/-/issues/84
 
= Historical information on using openconnect for GlobalProtect =
Open a terminal, and type:
Open a terminal, and type:


Line 16: Line 51:
Alternatively, if you prefer the command line, type <code>ping mirror.csse.rose-hulman.edu</code> and see if there is a response from the server - if you are connected, it should say <code>PING from (ip address): 20ms or similar</code>.
Alternatively, if you prefer the command line, type <code>ping mirror.csse.rose-hulman.edu</code> and see if there is a response from the server - if you are connected, it should say <code>PING from (ip address): 20ms or similar</code>.


To disconnect, press the Control and C keys at the same time in the terminal. Wait until you see your normal shell prompt such as:
To disconnect, press the Control and C keys at the same time in the terminal.
<code>username@hostname:directory$</code> (source: https://www.howtogeek.com/307701/how-to-customize-and-colorize-your-bash-prompt/).
 
Wait until you see your normal shell prompt such as:<blockquote><code>username@hostname:directory$</code>
 
(source: https://www.howtogeek.com/307701/how-to-customize-and-colorize-your-bash-prompt/).</blockquote>'''EDIT 6/26/21''': This currently errors out with this message, and logging in via that URL will not work (it redirects to a success page that doesn't do anything):<blockquote>SSL negotiation with gp.rose-hulman.edu
 
Connected to HTTPS on gp.rose-hulman.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-256-GCM)


== Using the GlobalProtect GUI ==
SAML REDIRECT authentication is required via (long url)


In a web browser, go to [https://rose-hulman.microsoftcrmportals.com/knowledgebase/article/KA-01278/en-us https://rose-hulman.microsoftcrmportals.com/knowledgebase/article/KA-01278/en-us].
When SAML authentication is complete, specify destination form field by appending :field_name to login URL.  


Press Ctrl+F and type in "Setting up the client on Linux".
Failed to parse server response


Read and follow the instructions below "Setting up the client on Linux". You will need to download the Word document which opens fine in LibreOffice Writer or the OnlyOffice Desktop Editors.
Failed to obtain WebVPN cookie</blockquote>


= Historical information on Juniper/PulseSecure =
= Historical information on Juniper/PulseSecure =
Line 52: Line 92:
To disconnect, press the Control and C keys at the same time in the terminal. Wait until you see your normal shell prompt such as:
To disconnect, press the Control and C keys at the same time in the terminal. Wait until you see your normal shell prompt such as:
<code>username@hostname:directory$</code> (source: https://www.howtogeek.com/307701/how-to-customize-and-colorize-your-bash-prompt/).
<code>username@hostname:directory$</code> (source: https://www.howtogeek.com/307701/how-to-customize-and-colorize-your-bash-prompt/).
= openconnect debugging =
[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=gp.rose-hulman.edu name=
Traceback (most recent call last):
 File "/usr/bin/openconnect-sso", line 33, in <module>
   sys.exit(load_entry_point('openconnect-sso==0.7.3', 'console_scripts', 'openconnect-sso')())
 File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main
   return app.run(args)
 File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run
   auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(
 File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete
   return future.result()
 File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 139, in _run
   auth_response = await authenticate_to(
 File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 22, in authenticate
   response = self._start_authentication()
 File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 67, in _start_authentication
   return parse_response(response)
 File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 137, in parse_response
   xml = objectify.fromstring(resp.content)
 File "src/lxml/objectify.pyx", line 1808, in lxml.objectify.fromstring
 File "src/lxml/etree.pyx", line 3237, in lxml.etree.fromstring
 File "src/lxml/parser.pxi", line 1896, in lxml.etree._parseMemoryDocument
 File "src/lxml/parser.pxi", line 1784, in lxml.etree._parseDoc
 File "src/lxml/parser.pxi", line 1141, in lxml.etree._BaseParser._parseDoc
 File "src/lxml/parser.pxi", line 615, in lxml.etree._ParserContext._handleParseResultDoc
 File "src/lxml/parser.pxi", line 725, in lxml.etree._handleParseResult
 File "src/lxml/parser.pxi", line 654, in lxml.etree._raiseParseError
 File "<string>", line 1
lxml.etree.XMLSyntaxError: Start tag expected, '<' not found, line 1, column 1

Revision as of 19:49, 26 June 2021

Connecting to GlobalProtect

Due to 2-factor authentication, you may need to use some special steps to use openconnect. This is currently being tested.

The other approach is to use the GlobalProtect GUI, which is officially supported by Rose-Hulman and will work for the time being.

Using the GlobalProtect GUI

In a web browser, go to https://rose-hulman.microsoftcrmportals.com/knowledgebase/article/KA-01278/en-us.

Press Ctrl+F and type in "Setting up the client on Linux".

Read and follow the instructions below "Setting up the client on Linux". You can follow these instructions in a VM if you want to isolate the GUI client from your host system.

You will need to download the Word document which opens fine in LibreOffice Writer or the OnlyOffice Desktop Editors.

Using openconnect (WIP)

Due to 2-factor authentication on the VPN, this tutorial will not work with the current configuration, but it is currently being experimented with.

Install openconnect-sso using the following commands in a terminal:

Ubuntu/Debian/Other Linux Distros: follow the instructions in this section: https://github.com/vlaci/openconnect-sso#using-pippipx

Arch Linux:sudo pacman -S yay && yay -S openconnect-sso (This will install yay, which installs packages from the AUR, and openconnect-sso, which allows you to use 2-factor authentication to connect to the VPN.)

Then, connect to the VPN using the following command, replacing yournetworkusername with your Rose-Hulman network username (for security reasons, do NOT run this command as root, e.g. using sudo):

openconnect-sso --server gp.rose-hulman.edu --user [email protected]

Then type in your password and press ENTER.

NOTE: As of 6/26/21, this is when the VPN won't connect. If you want more information to try to help us out, see the "openconnect debugging" section at the bottom of this page.

You should see a message if it connects successfully.

Sources: https://github.com/dlenski/openconnect/issues/143, https://github.com/vlaci/openconnect-sso

Active issues: https://github.com/dlenski/openconnect/issues/143, https://gitlab.com/openconnect/openconnect/-/issues/84

Historical information on using openconnect for GlobalProtect

Open a terminal, and type:

sudo openconnect --protocol=gp gp.rose-hulman.edu

When the following appears:

RHIT EMAIL ADDRESS:

type in your Rose-Hulman email address and press ENTER.

Right after this, type in your network password, then press ENTER.

Now, try going to mirror.csse.rose-hulman.edu in a web browser. If you see something there, you are connected. If you get a server error or something similar, you are not.

Alternatively, if you prefer the command line, type ping mirror.csse.rose-hulman.edu and see if there is a response from the server - if you are connected, it should say PING from (ip address): 20ms or similar.

To disconnect, press the Control and C keys at the same time in the terminal.

Wait until you see your normal shell prompt such as:

username@hostname:directory$ (source: https://www.howtogeek.com/307701/how-to-customize-and-colorize-your-bash-prompt/).

EDIT 6/26/21: This currently errors out with this message, and logging in via that URL will not work (it redirects to a success page that doesn't do anything):

SSL negotiation with gp.rose-hulman.edu

Connected to HTTPS on gp.rose-hulman.edu with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA256)-(AES-256-GCM)

SAML REDIRECT authentication is required via (long url)

When SAML authentication is complete, specify destination form field by appending :field_name to login URL.

Failed to parse server response

Failed to obtain WebVPN cookie

Historical information on Juniper/PulseSecure

Adapted from EIT's documentation: https://servicedesk.rose-hulman.edu/knowledgebase/article/KA-01093/en-us

Open a terminal, and type:

sudo openconnect --juniper sslvpn.rose-hulman.edu

When the following appears:

frmLogin
realm [Users|DeltaV|Vendors]:

type in Users and press ENTER.

Then, when this appears:

frmLogin
username:

Type in your Rose-Hulman network username, press ENTER.

Right after this, type in your network password, then press ENTER.

Now, when ESP session established with server appears in the terminal, you are connected.

To disconnect, press the Control and C keys at the same time in the terminal. Wait until you see your normal shell prompt such as: username@hostname:directory$ (source: https://www.howtogeek.com/307701/how-to-customize-and-colorize-your-bash-prompt/).

openconnect debugging

[info     ] Authenticating to VPN endpoint [openconnect_sso.app] address=gp.rose-hulman.edu name=

Traceback (most recent call last):

 File "/usr/bin/openconnect-sso", line 33, in <module>

   sys.exit(load_entry_point('openconnect-sso==0.7.3', 'console_scripts', 'openconnect-sso')())

 File "/usr/lib/python3.9/site-packages/openconnect_sso/cli.py", line 169, in main

   return app.run(args)

 File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 34, in run

   auth_response, selected_profile = asyncio.get_event_loop().run_until_complete(

 File "/usr/lib/python3.9/asyncio/base_events.py", line 642, in run_until_complete

   return future.result()

 File "/usr/lib/python3.9/site-packages/openconnect_sso/app.py", line 139, in _run

   auth_response = await authenticate_to(

 File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 22, in authenticate

   response = self._start_authentication()

 File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 67, in _start_authentication

   return parse_response(response)

 File "/usr/lib/python3.9/site-packages/openconnect_sso/authenticator.py", line 137, in parse_response

   xml = objectify.fromstring(resp.content)

 File "src/lxml/objectify.pyx", line 1808, in lxml.objectify.fromstring

 File "src/lxml/etree.pyx", line 3237, in lxml.etree.fromstring

 File "src/lxml/parser.pxi", line 1896, in lxml.etree._parseMemoryDocument

 File "src/lxml/parser.pxi", line 1784, in lxml.etree._parseDoc

 File "src/lxml/parser.pxi", line 1141, in lxml.etree._BaseParser._parseDoc

 File "src/lxml/parser.pxi", line 615, in lxml.etree._ParserContext._handleParseResultDoc

 File "src/lxml/parser.pxi", line 725, in lxml.etree._handleParseResult

 File "src/lxml/parser.pxi", line 654, in lxml.etree._raiseParseError

 File "<string>", line 1

lxml.etree.XMLSyntaxError: Start tag expected, '<' not found, line 1, column 1