Constant Contact Labs Developer Blog

Juniper Networks Network Connect, SecurID and 64 bit Linux
Posted Wednesday, July 20, 2011 by Joseph Henrich

    My automated command line solution to connecting to a juniper networks vpn that takes a password *and* a securID token on 64 bit Linux.

    We recently changed our network setup so that I would be required to log into the vpn while at work.  So, I took a look to see what it would take to get my Arch Linux box on the vpn. 

    The officially supported Linux platforms as of June 2011 are OpenSuse 11 and Ubuntu 9.10.  Both must be 32 bit, and Firefox 3.6 and Sun JRE 6 are required.  Whew, that doc was updated in June, but the Ubuntu they support is from 2009?  And only 32 bit? Oh my!

    Poking around a little bit I discovered two very informative pages: Mad Scientist’s page and a 2009 blog post on makefile.  From everything else I read, Mad Scientist’s page is the go-to solution for getting Juniper’s Network Connect to work on Linux, even on 64 bit.  Unfortunately for me he (quite reasonably) uses the NC.jar or ncsvc executable.  The thing is, both of those only take in a user and a single password.  My work uses an Active Directory user/pass with a securID token.  All the examples of Juniper vpn setups that use a securID token that I could find used a pin+token in a single field.  That’s simply not how our system is set up, so that script won’t work for me at all.

    Fortunately after a little more digging I found the makefile blog post.  It was close, oh so close to what I wanted.  I could connect without a 32 bit browser or a 32 bit java.  The real sticking point for me was the idea that to log in I needed to log in to the vpn website, run javascript to get the cookie and then run an executable.  Someone had posted in the comments section a sh/curl script that would log you in, get the cookie and return it, which was again *almost* what I wanted, but not quite there.  I looked at adapting it (the paths and password fields were different) to fit my environment, but in the end the real deal breaker for me was that I refused to type my Active Directory password in cleartext as a parameter to the script (not to mention have it get put in my history).  Call me old fashioned, but I just wanted to run a script, answer a prompt or two, and have it just work.  So, that’s what I made.

    I hunkered down and wrote a python script that will log you in to the site, manage any existing open sessions, retrieve the cookie and run the ncui executable (as per the makefile blog’s instructions).  I designed it to be flexible so that hopefully it will work for all setups of Juniper vpns, not just what we have here.  There is a bit of setup to get to the point where it will run, but once that is done all it takes is running the command, entering your user, password and any other password fields (all customizable), and sitting back.

    The requirements are:

    gcc-multilibs
    32bit zlib
    xterm (yes really)
    python
    python headers (python-devel)
    sudo access
    java plugin
    The script and elementtidy (located here)

    Once you have everything listed above it’s time to get the Juniper network connect files.  If you’ve logged in to your vpn site on the computer before, look in ~/.juniper_networks/network_connect and confirm that you have libncui.so and ncsvc.  If you have those two files you can skip the “Getting the Juniper files” section.

    Getting the Juniper files

    1) Go to your vpn website and log in

    2) You should be sent to the network connect page.  You will be asked about running java.  (There should be two prompts.)

    3) Make sure that you have libncui.so and ncsvc (they should have been installed in ~/.juniper_networks/network_connect)

    4) If you don’t have both of those files, make sure you have xterm installed and that a java prompt didn’t pop under your browser.

    Setup and Installation

    cd ~/.juniper_networks/network_connect
    gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
    sudo chown root:root ncui
    sudo chmod 4755 ncui
    echo | openssl s_client -connect your.vpn.website:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt
    cd /where/you/downloaded/juniperncprompt/elementtidy-1.0-20050212
    sudo python setup.py install

    Congratulations!  You should be all ready to run my script.  You can run it from any directory and it should find your ncui (if you didn’t put it in ~/.juniper_networks/network_connect you should use the command line parameter or update the source).  Just run:

    ./juniperncprompt vpn.website

    Note: the defaults are what my vpn setup expects; they should all be changeable via a command line argument so you can figure out what works on your setup.  ./juniperncprompt -h will give you all the options.  For simplicity, once you determine what works for you I’d recommend changing the default values for the arguments in the source.  They are all at the top of the file.

    You will likely have to adjust the password fields, the realm, the login path and the logout path.  All but the login field can be seen in the form once you go to your vpn page (and get redirected to an expanded URL).  The realm is a hidden field in the sign in form.  The password fields are a comma separated (no spaces) list of the names of the password fields in the sign in form.  The login path is the path relative to the base site of the login page the form sends to; mine looks like “/da-na/auth/url_2/login.cgi”.  The logout path is what your logout button is a link to.
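    To show how the pieces just described fit together, here is an added example written for this page; it is not the post’s juniperncprompt script.  The login path is the one quoted above; the realm value, the password field names and the ncui flags are assumptions you would replace with what your own sign-in form shows.

```python
import getpass
import http.cookiejar
import urllib.parse
import urllib.request

# Defaults to be overridden for your gateway; the path is the one the post quotes,
# the realm value and password field names are constructed samples.
LOGIN_PATH = "/da-na/auth/url_2/login.cgi"
REALM = "Users"
PASSWORD_FIELDS = "password,password#2"   # comma-separated, no spaces, as in the post


def build_login_form(username, realm, password_fields, secrets):
    """Body for the sign-in form: username, the hidden realm field, and one
    entry per password field (here the AD password and the SecurID token)."""
    names = password_fields.split(",")
    missing = [n for n in names if n not in secrets]
    if missing:
        raise ValueError("no value for password field(s): " + ",".join(missing))
    form = {"username": username, "realm": realm}
    form.update((n, secrets[n]) for n in names)
    return form


def prompt_for_secrets(password_fields):
    """Read each secret with getpass so it never appears as a command line
    argument or in shell history (the post's objection to the curl script)."""
    return {n: getpass.getpass(n + ": ") for n in password_fields.split(",")}


def find_dsid(cookies):
    """DSID is the session cookie ncui needs. None means the login failed or the
    gateway answered with its 'existing sessions' page, which is not handled here."""
    return cookies.get("DSID")


def ncui_command(host, dsid, cert="ssl.crt"):
    """argv for the ncui binary built in the setup section. The -h/-c/-f flags
    follow the makefile blog's usage the post relies on; treat them as an assumption."""
    return ["./ncui", "-h", host, "-c", "DSID=" + dsid, "-f", cert]


def login(host, username, realm=REALM, password_fields=PASSWORD_FIELDS, login_path=LOGIN_PATH):
    """POST the form over HTTPS; a cookie jar keeps DSID across the redirect."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    form = build_login_form(username, realm, password_fields, prompt_for_secrets(password_fields))
    opener.open("https://%s%s" % (host, login_path), urllib.parse.urlencode(form).encode("utf-8"))
    return find_dsid({c.name: c.value for c in jar})
```

    From ~/.juniper_networks/network_connect, pass the returned cookie to subprocess.call(ncui_command(host, dsid)).  Since ncui is setuid root after the chmod 4755 step, keep that directory and the binary writable by root only.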

    Troubleshooting

    Q: I don’t see a libncui.so or ncsvc in the network_connect directory
    A: Make sure that you have xterm installed and that a java window didn’t pop up under another window.


Comments (2)

  • David von Oheimb | 2:18 AM August 31, 2011

    Here is a simple solution for the Juniper NC 64-bit incompatibility
    problem, which works even with smart card authentication:
    http://ubuntuforums.org/showthread.php?p=11189826#post11189826

  • Joseph Henrich | 11:12 AM August 31, 2011

    Hi David,

    That looks like a pretty slick solution to replace a chroot.  That should let you log in with a 64 bit web browser.  If I’d seen that before I started I probably wouldn’t have worked on my solution. 

    However, if possible I like having a command line solution (just not enough to spend as much time as I did if there had been a simple non command line solution available), especially since that means you can use it on a server over ssh (some of our developers have linux servers that need to get on our vpn).  Sadly, from what I could tell none of the command line options would let you pass a second password; they would only work if you passed the DSID cookie after you logged in.
