CAS is not supported by the client #339

Closed
Mirro888 opened this issue Mar 31, 2024 · 20 comments

@Mirro888

Hello all,

gpclient fails connecting to Global Protect with this error:

gpclient::connect] Failed to connect portal with prelogin: Portal prelogin error: Prelogin failed: CAS is not supported by the client. Minimum client version is 6.0

Is there a fix for this issue?

Thank you,

Mirro

@yuezk
Owner

yuezk commented Apr 1, 2024

Hi @Mirro888, I would like to support this. There are some questions I'd like to know.

1. Does it report the same error when using the GUI client with the external browser?
2. Run the following two commands and paste the output (feel free to redact the sensitive information)

curl -X POST \
  'https://<your vpn portal>/global-protect/prelogin.esp' \
  -d 'prot=https%3A&jnlpReady=jnlpReady&ok=Login&direct=yes&ipv6-support=yes&inputStr=&clientVer=4100'
curl -X POST \
  'https://<your vpn portal>/global-protect/prelogin.esp' \
  -d 'prot=https%3A&jnlpReady=jnlpReady&ok=Login&direct=yes&ipv6-support=yes&inputStr=&clientVer=4100&cas-support=yes'

@yuezk
Owner

yuezk commented Apr 1, 2024

@Mirro888 This is the same issue in openconnect https://gitlab.com/openconnect/openconnect/-/issues/651, which is still open and seems hard to fix from the openconnect side.

I'm trying to investigate it deeper. Would you mind sending the globalprotectcallback payload (the full payload without redaction) to me via email?

globalprotectcallback:cas-as=1&[email protected]&token=very_long_string

Thanks!

@yuezk
Owner

yuezk commented Apr 1, 2024

And which Linux distro are you using? I will send you a test package for testing.

@Mirro888
Author

Mirro888 commented Apr 1, 2024

Hello Kevin,

> I'm trying to investigate it deeper, would you mind send the globalprotectcallback payload (the full payload without redaction) to me via the email.

Here is the full payload of globalprotectcallback, received after authentication. Username is changed, but the token is unchanged. The procedure should continue to get an authentication cookie for openconnect. But I have no idea what I shall do with this token.

globalprotectcallback:cas-as=1&un=[email protected]&token=[token omitted]
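
Because debugging this issue involves sharing the callback payload, here is an added example (not code from gpclient or from either participant) that parses a `globalprotectcallback:` payload of the form shown above and returns a redacted summary that can be posted in place of the raw token. It assumes the token is JWT-shaped (three dot-separated base64url segments); the function names and the sample payload are constructed for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs

SCHEME = "globalprotectcallback:"

def _b64url_json(segment: str) -> dict:
    # JWT segments are unpadded base64url; restore padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    obj = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(obj, dict):
        raise ValueError("JWT header is not a JSON object")
    return obj

def summarize_callback(payload: str) -> dict:
    """Return a summary of the callback that is safe to paste into a public issue."""
    if not payload.startswith(SCHEME):
        raise ValueError("not a globalprotectcallback payload")
    # parse_qs percent-decodes values; strict_parsing rejects malformed pairs.
    fields = parse_qs(payload[len(SCHEME):], keep_blank_values=True, strict_parsing=True)
    token = fields.get("token", [""])[0]
    parts = token.split(".")
    summary = {
        "cas-as": fields.get("cas-as", [""])[0],
        "un": "<redacted>" if "un" in fields else None,
        "token_len": len(token),
        # A short digest lets two reports be correlated without exposing the token.
        "token_sha256_prefix": hashlib.sha256(token.encode()).hexdigest()[:12],
        "jwt_shaped": len(parts) == 3 and all(parts),
    }
    if summary["jwt_shaped"]:
        try:
            # Only the header is decoded; claims and signature are never emitted.
            header = _b64url_json(parts[0])
            summary["jwt_alg"], summary["jwt_typ"] = header.get("alg"), header.get("typ")
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            summary["jwt_shaped"] = False
    return summary

def sample_payload() -> str:
    # Constructed sample, not a real token: the signature segment is filler.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    token = ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc({"sub": "user"}), "c2ln"])
    return f"{SCHEME}cas-as=1&un=user%40example.com&token={token}"

if __name__ == "__main__":
    print(summarize_callback(sample_payload()))
```
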

@Mirro888
Author

Mirro888 commented Apr 1, 2024

Hello Kevin,

> And which Linux distro are you using? I will send you a test package for testing.

CentOS and Fedora.

Kind regards,

Mirro

@yuezk
Owner

yuezk commented Apr 2, 2024

Hi @Mirro888, I have implemented it to support CAS authentication, but I cannot test it. Can you help test the snapshot package on this page? https://github.com/yuezk/GlobalProtect-openconnect/releases/tag/snapshot

Please uninstall the old one before installing the snapshot package. Thanks.

@Mirro888
Author

Mirro888 commented Apr 2, 2024

Hello @yuezk, I've installed the snapshot and executed "gpclient connect ". The "GlobalProtect Login" window opened, I entered the credentials, then the "GlobalProtect Login" window repeatedly displayed "Got invalid token, retrying".
I am attaching the output of the gpclient command and a screenshot.
gp.pdf
gpclient.log

Regards,

Mirro

@yuezk
Owner

yuezk commented Apr 3, 2024

Hi @Mirro888, looks like you are using the CLI version. Could you please try the GUI version because the CAS authentication requires using the default browser to authenticate. And currently, only the GUI version supports using the default browser (I'm planning to add default browser support to the CLI in the future).

Before launching the GUI, please do the following to ensure the old GUI version is removed, so that the snapshot GUI version can be downloaded at runtime.

sudo rm /usr/bin/gpgui

@yuezk
Owner

yuezk commented Apr 3, 2024

@Mirro888 I found a way to support both the CLI and GUI, you can remove the old package and install the snapshot package again. It should work for both clients, please attach the logs if not. Thanks.

@Mirro888
Author

Mirro888 commented Apr 3, 2024

Hello @yuezk, it worked with gpgui and Default Browser. If internal browser is used, then both gpgui and gpclient CLI fail.

What is the option to force gpclient CLI to use the Default Browser?

I am attaching the gpclient.log file.

Kind regards,

Mirro888
gpclient.log

@yuezk
Owner

yuezk commented Apr 4, 2024

Hi @Mirro888, glad it worked for GUI. I'm trying to fix the internal browser. The attached gpclient.log only contains the logs from when it worked.

Would you please use the CLI to connect to the portal and collect the output? Thanks.

@Mirro888
Author

Mirro888 commented Apr 4, 2024 via email

@yuezk
Owner

yuezk commented Apr 4, 2024

Hi @Mirro888, thanks for your reply, but the log file seems to be missing. The gpclient.log you attached yesterday doesn't have the failure logs.

@Mirro888
Author

Mirro888 commented Apr 4, 2024

Hi @yuezk, I responded by email, maybe that's the reason the attachment was removed. I am attaching it again via Web.

gp.log

@yuezk
Owner

yuezk commented Apr 5, 2024

Hi @Mirro888, thanks for the log. It's an encoding problem and it should be fixed in the latest snapshot release. Could you reinstall the snapshot package and check if it works for the internal browser? Thanks.

@Mirro888
Author

Mirro888 commented Apr 5, 2024

Hi @yuezk, it's fantastic, both gpgui and gpclient CLI now work with internal browser!
Great work.
Thanks a lot,
Mirro888

@yuezk
Owner

yuezk commented Apr 5, 2024

Hi @Mirro888, thanks for your support, I will release it soon.

@Mirro888
Author

Mirro888 commented Apr 7, 2024

Hello @yuezk, I am glad I could help.
Could you add an option to the gpconnect CLI to make it work with Default Browser instead of the internal browser?

@yuezk
Owner

yuezk commented Apr 7, 2024

@Mirro888, I plan to support the default browser for CLI in v2.2.0. The upcoming release is v2.1.3, which will include several bug fixes, including this one.

@yuezk
Owner

yuezk commented Apr 8, 2024

Hi @Mirro888, 2.1.3 is released. The default browser support for CLI is tracked by #298, I'm closing this.

@yuezk yuezk closed this as completed Apr 8, 2024