October 24, 2016

Junos Pulse VPN client on Linux. Two-phase auth. 64-bit. How to make it all work.

There are two common problems with Juniper SSL VPN support for Linux clients:

1. Most 64-bit platforms are not supported.
2. Junos Pulse SSL VPN does not support Linux at all.

The best way to cover problem “1” is:
http://ubuntuforums.org/showthread.php?p=11189826#post11189826
There is also the well-known mad-scientist way, but it is more complex.

Problem “2” is a bit more involved.

In my case, when I log in to the Juniper SSL web interface it runs the host checker, and as Linux is not supported the web form has no way to launch the Junos Pulse SSL VPN client. In fact that client does not exist for Linux.
The good news: the old Juniper “Network Connect” client is compatible with Junos Pulse and can be used on a Linux client.

So you can still launch the “Network Connect” client separately from your web session.
If on login you are only asked for a user name and password (either AD password or SecurID), you are lucky and can easily launch “Network Connect” as described in several sources, for example:
http://serverfault.com/questions/363061/how-to-connect-to-a-juniper-vpn-from-linux

But if your VPN server uses a two-phase auth scheme (SecurID + AD password), it gets more involved. Scott has a GREAT blog post on how to make it work:
http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery
The only catch: you have to copy the DSID cookie manually and paste it as an argument to the ncui call. There are several projects to automate that, for example: https://code.google.com/p/juniper-vpn/ or http://techblog.constantcontact.com/software-development/juniper-networks-network-connect-securid-and-64-bit-linux/

Both are Python scripts that simulate browser behavior. Great stuff, but it did not work for me. I believe that is because before I can get to the login page I have one more “Legal” page where “Agree” has to be clicked. So I decided to actually use the browser for login, and just have an automated way to pass the DSID cookie to the script that launches ncui. Below are the steps for that.

Get the Network Connect client and the ncui executable (mostly from Scott’s blog):

  • Login to your VPN https://some.company.com/dana-na/auth/url_default/welcome.cgi
  • Get Network Connect client at: https://some.company.com/dana-cached/nc/ncLinuxApp.jar
  • Install the Network Connect client, build the ncui executable with gcc, and fetch the server certificate:

sudo apt-get install gcc-multilib
mkdir -p ~/.juniper_networks/network_connect
cd ~/.juniper_networks/network_connect
mv ~/Downloads/ncLinuxApp.jar .
jar -xf ncLinuxApp.jar
# link the 32-bit ncui binary against the libncui.so shipped in the jar
sudo gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
sudo chown root:root ncui
sudo chmod 4755 ncui
# save the server certificate in DER form; ncui takes it with -f
echo | openssl s_client -connect some.company.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt

The problem with the DSID cookie is that it is session-level, so it never persists on disk where you could grep for it. So I had to use the Greasemonkey plugin for Firefox to capture the DSID and save it to HTML5 (local) storage, which Firefox does write to disk.
Install the Greasemonkey plugin https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ and make sure it’s enabled.

  • Create a Greasemonkey JS script (replace some.company.com) to dump the DSID into the webappsstore.sqlite file:

mkdir -p ~/Greasemonkey/
cat > ~/Greasemonkey/jsessionid.user.js <<EOF
// ==UserScript==
// @name DSID to localStorage
// @namespace name@company.com
// @description Saves the DSID cookie in localStorage
// @include https://some.company.com/dana-na/*
// ==/UserScript==
(function() {
  // DSID is a session cookie; copy its value into localStorage, which persists on disk
  var sessid = document.cookie.match(/DSID=([^;]+)/);
  if (sessid) {
    var oldSID = localStorage.DSID;
    if (sessid[1] !== oldSID) localStorage.DSID = sessid[1];
  }
})();
EOF
  • In Firefox: Menu -> File -> Open File -> Choose “jsessionid.user.js”, and enable the script in the pop up window
  • Install sqlite:

mkdir -p ~/bin/
cd ~/bin/
wget http://www.sqlite.org/2014/sqlite-shell-linux-x86-3080500.zip
unzip sqlite-shell-linux-x86-*.zip
  • Create a script to get the DSID value from webappsstore.sqlite and launch ncui (replace some.company.com):

cat > ~/bin/juniper_vpn.sh <<"EOF1"
#!/bin/bash
# ncui fails if these files are missing, so create them up front
sudo touch /etc/jnpr-nc-resolv.conf
sudo touch /etc/jnpr-nc-hosts.bak
# pull the DSID that the Greasemonkey script saved into Firefox's localStorage
dsid1=`~/bin/sqlite3 ~/.mozilla/firefox/*.default/webappsstore.sqlite <<EOF | grep "https:443|DSID" | awk -F"|" '{print $3}'
select * from webappsstore2;
EOF`
echo dsid1=$dsid1
cd ~/.juniper_networks/network_connect/
./ncui -h some.company.com -c DSID=$dsid1 -f ssl.crt
EOF1
chmod 700 ~/bin/juniper_vpn.sh
  • Run the script; it will prompt for the AD password (Ctrl+C ends the VPN connection).
  • In another window, check whether the VPN interface is up:

ifconfig | grep tun

And if so, you are on the VPN! Time to get to real work.
P.S. Use Sun Java; OpenJDK has old, well-known problems with the Juniper VPN.
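A more defensive version of the DSID extraction step in juniper_vpn.sh above, as an added example that is not part of the original post: it queries webappsstore2 by scope and key with Python's standard sqlite3 module instead of grepping "select *" output, fails closed unless exactly one plain token is found, and builds the ncui argument list for subprocess rather than splicing the value into a shell string. The scope format and the (scope, key, value) column layout of the constructed sample store are assumptions; check them against your own Firefox profile.

```python
import os
import re
import sqlite3
import tempfile

# Assumption: Firefox keys DOM storage by the reversed host plus a trailing dot,
# then ":scheme:port", e.g. "moc.ynapmoc.emos.:https:443" for some.company.com.
def storage_scope(host, scheme="https", port=443):
    return f"{host[::-1]}.:{scheme}:{port}"

def extract_dsid(db_path, host):
    """Return the DSID saved for host, or None if absent, duplicated or malformed."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # never write to the profile
    try:
        rows = con.execute(
            "SELECT value FROM webappsstore2 WHERE scope = ? AND key = 'DSID'",
            (storage_scope(host),),
        ).fetchall()
    finally:
        con.close()
    if len(rows) != 1:          # not logged in yet, or a confused store: fail closed
        return None
    value = rows[0][0]
    # The browser controls this value; only a plain token may reach the ncui argv.
    return value if re.fullmatch(r"[A-Za-z0-9]{8,128}", value) else None

def ncui_command(host, dsid, cert="ssl.crt"):
    """Argument list for ncui; run it with subprocess.run(..., shell=False)."""
    return ["./ncui", "-h", host, "-c", f"DSID={dsid}", "-f", cert]

def make_sample_store():
    """Constructed sample store (not a real profile); assumes a (scope, key, value) layout."""
    path = os.path.join(tempfile.mkdtemp(), "webappsstore.sqlite")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE webappsstore2 (scope TEXT, key TEXT, value TEXT)")
    con.executemany("INSERT INTO webappsstore2 VALUES (?, ?, ?)", [
        (storage_scope("some.company.com"), "DSID", "0123456789abcdef0123456789abcdef"),
        (storage_scope("other.example"), "DSID", "not a token, has spaces"),
        (storage_scope("some.company.com"), "theme", "dark"),
    ])
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    db = make_sample_store()  # a real run points at ~/.mozilla/firefox/*.default/webappsstore.sqlite
    dsid = extract_dsid(db, "some.company.com")
    if dsid is None:
        raise SystemExit("no usable DSID found; log in to the portal in Firefox first")
    print(" ".join(ncui_command("some.company.com", dsid)))
```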