Junos Pulse VPN client on Linux. Two phase auth. 64bit. How to make it all work.

There are several problem common problems with Juniper SSL VPN on support of Linux clients:

  1. Most 64-bit platforms are not supported.
  2. Junos Pulse SSL VPN does not support Linux at all.

Best way to cover problem “1” is: http://ubuntuforums.org/showthread.php?p=11189826#post11189826 There is also well known mad-scientist way but its more complex.

Problem “2” is a bit more involved.

In my case when I login to Juniper SSL web interface it run host-checker and as Linux is not supported the web form does not have way to launch Junos Pulse SSL VPN client. In fact that client does not exists for Linux.
Good news are: old Juniper “Network Connect” client is compatible with Junos Pulse and can be used on Linux client.

So you can still lunch “Network Connect” client, separately from your web session.
If on login you only asked user name and password (either AD password or SecurID), you lucky and you can easy launch “Network Connect” as described in several sources, for example:  http://serverfault.com/questions/363061/how-to-connect-to-a-juniper-vpn-from-linux

But if your VPN server use two phase auth scheme (SecurID + AD password), it can get more involved. Scott has GREAT blog on how to make it work: http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery
Only thing – you have to copy DSID cookie manually and paste it as argument in ncui call.  There are several projects to automate that, for example: https://code.google.com/p/juniper-vpn/ or http://techblog.constantcontact.com/software-development/juniper-networks-network-connect-securid-and-64-bit-linux/

Both are py scripts to simulate browser behaviour. Great stuff, But it did not work for me. I believe its because before I can get to login page I have one more “Legal” page where “Agree” has to be clicked. So I decided to actually use browser for login, and just have an automated way to pass DSID cookie to the script to launch ncui. Below are steps for that. –

  1. Get network connect client + ncui executable (mostly from Scott’s blog):
    • Login to your VPN https://some.company.com/dana-na/auth/url_default/welcome.cgi
    • Get Network Connect client at: https://some.company.com/dana-cached/nc/ncLinuxApp.jar
    • Install Network Connect client, gcc ncui executable, and get cert file:
      sudo apt-get install gcc-multilib
      mkdir ~/.juniper_networks/network_connect
      cd ~/.juniper_networks/network_connect
      mv ~/Downloads/ncLinuxApp.jar .
      jar -xf ncLinuxApp.jar
      sudo gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
      sudo chown root:root ncui
      sudo chmod 4755 ncui
      echo | openssl s_client -connect some.company.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt
  2. Get DSID cookie in persistent form, and Plug it to ncui.
    Problem with DSID cookie – its Session Level, so it does not persist on disk, where you can grep it from. So had to use Greasemonkey plugin for firefox to capture DSID and save to HTML5 storage.
    Install Greasemonkey plugin https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ and make sure its enabled.

    • Create Greasemonkey js script (replace some.company.com) to dump DSID to webappsstore.sqlite file:
      mkdir ~/Greasemonkey/
      cat >> ~/Greasemonkey/jsessionid.user.js <<EOF
      // ==UserScript==
      // @name           DSID to localStorage
      // @namespace      name@company.com
      // @description    Saves the DSID cookie in localStorage
      // @include        https://some.company.com/dana-na/*
      // ==/UserScript==
      (function() {
          var sessid = document.cookie.match(/DSID=([^;]+)/);
          if (sessid) {
              var oldSID = localStorage.DSID;
              if (sessid != oldSID) localStorage.DSID = sessid[1];
    • In Firefox: Menu -> File -> Open File -> Choose “jsessionid.user.js”, and enable the script in the pop up window.
    • Install sqlite:
      mkdir ~/bin/
      cd ~/bin/
      wget http://www.sqlite.org/2014/sqlite-shell-linux-x86-3080500.zip
      unzip sqlite-shell-linux-x86-*.zip
    • Create script to get DCID value from webappsstore.sqlite and launch ncui (replace some.company.com):
      cat > ~/bin/juniper_vpn.sh <<"EOF1"
      sudo touch  /etc/jnpr-nc-resolv.conf
      sudo touch  /etc/jnpr-nc-hosts.bak
      dsid1=`~/bin/sqlite3 ~/.mozilla/firefox/*.default/webappsstore.sqlite <<EOF | grep "https:443|DSID" | awk -F"|" '{print $3}'
      select * from webappsstore2;
      echo dsid1=$dsid1
      cd ~/.juniper_networks/network_connect/
      ./ncui -h some.company.com -c DSID=$dsid1 -f ssl.crt
      chmod 700 ~/bin/juniper_vpn.sh
    • Run the script, it will prompt for the AD password. (Ctrl+C to end vpn connection)
    • In another window check if VPN interface is active:
      ifconfig | grep tun

    And if so – You are on VPN!.. Time to get to real work 🙂

    p.s. And use sun java.- Open jdk has old known problems with juniper vpn.

Check us out on http://avmconsulting.net

Enter your email address to follow this blog and receive notifications of new posts by email.

This entry was posted in Linux, Systems, Ubuntu and tagged , , , , , , , , , , , , . Bookmark the permalink.

10 Responses to Junos Pulse VPN client on Linux. Two phase auth. 64bit. How to make it all work.

  1. Gkok says:

    Thanks! This works nicely. I do have, however, a suggestion to enhance the sqlite query. You can specify the scope to search for the DSID value: add a where-clause like this
    select * from webappsstore2 where scope = ‘moc.ynapmoc.emos.:https:443’;

    • Yes looks like if you go to this blog, wordpress push tags to html5 storage, and “grep DSID” is not unique filter anymore.
      I modified the grep to avoid putting specific web address, in script, to make it more generic, but “where” clause with “like” would do same thing.

      Thanks a lot Gkok for pointing this out.

  2. NaskoT says:

    Thanks! I get an error however running the juniper_vpn.sh : ./juniper_vpn.sh: line 7: https:443|DSID: command not found
    dsid1= Your help will be appreciated.

  3. NaskoT says:

    Thanks again, I should have seen it…sorry. Now I face one more issue (ignore some.company.com below):
    ncsvc> Failed to setuid to root. Error 1: Operation not permitted
    ncui: ncui.cpp:262: void NCUI::run(): Assertion `m_conn->isConnected()’ failed.
    ./juniper_vpn.sh: line 11: 3929 Aborted ./ncui -h some.company.com -c DSID=$dsid1 -f ssl.crt
    P.S. I am using SafeNet with Juniper Pulse client in Windows (have to provide both username and password) as validation.

  4. Pingback: Juniper Two Factor VPN & Linux – Black Hills Information Security

  5. Here’s my simplified solution: https://github.com/zouppen/pulse-openconnect-helper

    The script does everything in the browser except running the actual command. It’s much simpler but you need to paste the command to terminal manually. The script does copying to clipboard by itself.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s