Linux CLI GlobalProtect with SAML MFA connection problems


L0 Member

Hi 

Hope someone can help. I am running into problems with Ubuntu 20.04 users that want to use CLI only. When I try to use the CLI GP client (tried versions 2.4 and 2.6) on Ubuntu, it opens the default browser and the MFA via Okta is successful, but then nothing happens. The VPN is never set up. The last message on the CLI is "Try to launch default browser for saml login...". The normal GUI Linux client works, but some users are pure Linux CLI users. The NGFW is running 9.1.10 with a full GP subscription.

Is there a way to use the Linux CLI GlobalProtect client and do SAML MFA authentication without the use of a browser? Opening a browser defeats the purpose of a CLI client.

Below is the end of the connection log from the GP client (I replaced possibly sensitive info with "z"):

P 793-T209798912 Sep 30 20:53:21:279067 Debug(1383): ocsp uri=http://status.thawte.com
P 793-T209798912 Sep 30 20:53:21:347606 Debug( 113): ocsp socket=9, status=-1
P 793-T209798912 Sep 30 20:53:21:720297 Debug(1041): OCSP_response_status is SUCCESSFUL
P 793-T209798912 Sep 30 20:53:21:720375 Debug(1086): certificate valid time information (Issuer: Not Before[Nov 6 12:23:52 2017 GMT]; Not After[Nov 6 12:23:52 2027 GMT]; Cert: Not Before[Jun 4 00:00:00 2021 GMT]; Not After[Jul 5 23:59:59 2022 GMT];)
P 793-T209798912 Sep 30 20:53:21:720495 Debug( 230): cert_name_1: good
P 793-T209798912 Sep 30 20:53:21:720507 Debug( 230): This Update: Sep 29 20:09:01 2021 GMT
P 793-T209798912 Sep 30 20:53:21:720511 Debug( 230): Next Update: Oct 6 19:24:01 2021 GMT
P 793-T209798912 Sep 30 20:53:21:721083 Debug(1393): ocsp parse result=0, status=1
P 793-T209798912 Sep 30 20:53:21:721090 Debug( 900): cert name check ok
P 793-T209798912 Sep 30 20:53:21:721198 Debug(1323): OpenSSL alert write:close notify
P 793-T209798912 Sep 30 20:53:21:721318 Debug( 961): PanMSServiceLinux CheckServerCert() returns TRUE
P 793-T209798912 Sep 30 20:53:21:721418 Debug( 122): Request https://gateway-z.z.com:443/global-protect/prelogin.esp, timeout 100
P 793-T209798912 Sep 30 20:53:21:745367 Debug( 171): Linux::GetHttpResponse serverIp=102.z.z.z
P 793-T209798912 Sep 30 20:53:21:745535 Debug( 601): File /opt/paloaltonetworks/globalprotect/cc.pfx does not exist.
P 793-T209798912 Sep 30 20:53:21:745545 Debug( 601): File /opt/paloaltonetworks/globalprotect/pan_client_cert.pfx does not exist.
P 793-T209798912 Sep 30 20:53:21:745549 Debug( 281): certIssuer=(null)
P 793-T209798912 Sep 30 20:53:21:745553 Debug( 780): SSL connecting to ......
P 793-T209798912 Sep 30 20:53:21:930799 Info ( 436): payload(2326) exceeds max. buffer(2165).
P 793-T209798912 Sep 30 20:53:21:931190 Debug(1323): OpenSSL alert write:close notify
P 793-T209798912 Sep 30 20:53:21:931565 Debug(6838): prelogin to portal result is
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser><saml-auth-status>0</saml-auth-status>
<saml-auth-method>POST</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id><saml-request>PGh0bWweU1TMHdPUzB6TUZReE9zzzzzzzztbHVWWVudC5nZXRFbGV
</prelogin-response>
P 793-T209798912 Sep 30 20:53:21:932799 Debug(6873): REGION-PRIO, region code is ZA
P 793-T209798912 Sep 30 20:53:21:933975 Debug(12657): REGION-PRIO, save region code ZA
P 793-T209798912 Sep 30 20:53:21:939364 Debug(6892): Portal's saml auth status 0
P 793-T209798912 Sep 30 20:53:21:939388 Debug(6901): Portal's saml auth method POST
P 793-T209798912 Sep 30 20:53:21:939397 Debug(6911): Portal's saml-request PGh0bWw+Cjxib2R5zzzzzzTVRVMk1EVmlOV0UyTnpJME16UXlPV1ExT
P 793-T209798912 Sep 30 20:53:21:939403 Debug(6940): Portal's saml default browser support = yes
P 793-T209798912 Sep 30 20:53:21:939407 Debug(6951): Portal's saml request id 0
P 793-T209798912 Sep 30 20:53:21:939411 Debug(6960): Portal authentication-message is Enter login credentials
P 793-T209798912 Sep 30 20:53:21:939416 Debug(6976): autosubmit is false
P 793-T209798912 Sep 30 20:53:21:940028 Debug(8542): ----Portal Login starts----
P 793-T209798912 Sep 30 20:53:21:940142 Debug(1985): Failed to open file /home/user1/.GlobalProtect/PanPUAC_479e44e726fczzzzzzz238a4.dat
P 793-T209798912 Sep 30 20:53:21:940152 Debug(8551): Saml auth
P 793-T209798912 Sep 30 20:53:21:940157 Debug( 717): session cleanup.
P 793-T209798912 Sep 30 20:53:21:940161 Debug(7828): Return false for saml auth
P 793-T209798912 Sep 30 20:53:21:940165 Debug(7829): m_preUsername ___empty_username___, IsInPrelogon() 0
P 793-T209798912 Sep 30 20:53:21:943152 Debug(1605): Send response to client for request saml-pre-login
P 793-T92251904 Sep 30 20:53:50:898299 Debug( 391): WAIT_TIMEOUT
P 793-T92251904 Sep 30 20:53:50:898342 Debug( 763): HipMonitorThread quits.


Cyber Elite

Hello there. To use MFA you MUST use the browser version. Attempting to use the CLI prevents the browser (user/password) from popping up. We are doing this in our Linux environment, and it is working as expected with the non-CLI version.

Thank you.

Help the community: Like helpful comments and mark solutions

L0 Member

Thank you for the feedback and confirming. There is not a lot of info on the CLI version of the GP client, so this helped.
