GlobalProtect with FortiToken 2FA doesn't work. #448

Open
MrSpock opened this issue Dec 3, 2024 · 1 comment

MrSpock commented Dec 3, 2024

Describe the bug
GlobalProtect with FortiToken 2FA doesn't work.

Issue details

I'm forced to connect to a VPN that is using two-factor authentication using the FortiToken app.
On the original client you authenticate using username/password, and then shortly a new text field appears for the token code.

gpclient doesn't get to that phase. Please find logs below:

root@vpn~# gpclient --ignore-tls-errors connect  secret.vpn.com
[2024-12-03T09:18:30Z INFO  gpclient::cli] gpclient started: 2.3.9 (2024-11-02)
[2024-12-03T09:18:30Z INFO  gpclient::cli] TLS errors will be ignored
[2024-12-03T09:18:30Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2024-12-03T09:18:30Z INFO  gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect
Enter login credentials (Portal: secret.vpn.com)
> Username: [email protected]
> Password: ********
[2024-12-03T09:18:51Z INFO  gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2024-12-03T09:18:53Z WARN  gpapi::portal::config] GP response error: reason=auth-failed, status=512 <unknown status code>, body=<empty>
[2024-12-03T09:18:53Z INFO  gpclient::connect] Failed to connect portal with prelogin: Portal config error: auth-failed

Error: Portal config error: auth-failed

Attempt with --as-gateway:

root@vpn:~# gpclient --ignore-tls-errors connect  secret.vpn.com --as-gateway
[2024-12-03T09:19:24Z INFO  gpclient::cli] gpclient started: 2.3.9 (2024-11-02)
[2024-12-03T09:19:24Z INFO  gpclient::cli] TLS errors will be ignored
[2024-12-03T09:19:24Z INFO  gpclient::connect] Treating the server as a gateway
[2024-12-03T09:19:24Z INFO  gpclient::connect] Performing the gateway authentication...
[2024-12-03T09:19:24Z INFO  gpapi::portal::prelogin] Gateway prelogin with user_agent: PAN GlobalProtect
[2024-12-03T09:19:24Z INFO  gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect
Enter login credentials (Gateway: secret.vpn.com)
> Username: [email protected]
> Password: ********
[2024-12-03T09:19:40Z INFO  gpapi::gateway::login] Perform gateway login, user_agent: PAN GlobalProtect
[2024-12-03T09:19:42Z WARN  gpapi::gateway::login] GP response error: reason=<none>, status=512 <unknown status code>, body=
    var respStatus = "Error";
    var respMsg = "Authentication failed: Invalid username or password";
    thisForm.inputStr.value = "";

Environment:

  • OS: [Debian 12.8]
  • Desktop Environment: [cli]
  • Is remote SSH? [Yes]

yuezk (Owner) commented Dec 3, 2024

> On the original client you authenticate using username/password, and then shortly a new text field appears for the token code.

  • Has this gpclient ever worked?
  • What do you mean by original client?
