My automated command line solution to connecting to a Juniper Networks VPN that takes a password *and* a SecurID token on 64-bit Linux.
We recently changed our network setup so that I would be required to log into the VPN while at work. So, I took a look to see what it would take to get my Arch Linux box on the VPN.
The officially supported Linux platforms as of June 2011 are OpenSuse 11 and Ubuntu 9.10. Both must be 32-bit, and Firefox 3.6 and Sun JRE 6 are required. Whew, that doc was updated in June, but the Ubuntu they support is from 2009? And only 32-bit? Oh my!
Poking around a little bit I discovered two very informative pages: Mad Scientist’s page and a blog post from 2009 about a makefile. From everything else I read, Mad Scientist’s page is the go-to solution for getting Juniper’s Network Connect to work on Linux, even on 64-bit. Unfortunately for me he (quite reasonably) uses the NC.jar or the ncsvc executable. The thing is, both of those only take a user and a single password. My work uses an Active Directory user/pass plus a SecurID token. All the examples of Juniper VPN setups with a SecurID token that I could find put the PIN+token in a single field. That’s simply not how our system is set up, so that script won’t work for me at all.
I hunkered down and wrote a Python script that logs you in to the site, manages any existing open sessions, retrieves the session cookie and runs the ncui executable (as per the makefile blog’s instructions). I designed it to be flexible so that hopefully it will work for all Juniper VPN setups, not just what we have here. There is a bit of setup to get to the point where it will run, but once that is done all it takes is running the command, entering your user, password and any other password fields (all customizable), and sitting back.
The requirements are:
xterm (yes really)
python headers (python-devel)
The script and elementtidy (located here)
Once you have everything listed above it’s time to get the Juniper Network Connect files. If you’ve logged in to your VPN site on this computer before, look in ~/.juniper_networks/network_connect and confirm that you have libncui.so and ncsvc. If you have those two files you can skip ahead to the “Setup and Installation” section.
Getting the Juniper files:
1) Go to your VPN website and log in
2) You should be sent to the Network Connect page. You will be asked about running Java. (There should be two prompts.)
3) Make sure that you have libncui.so and ncsvc (they should have been installed in ~/.juniper_networks/network_connect)
4) If you don’t have both of those files, make sure you have xterm installed and that a Java prompt didn’t pop up under your browser.
Setup and Installation
cd ~/.juniper_networks/network_connect
gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
sudo chown root:root ncui
sudo chmod 4755 ncui
echo | openssl s_client -connect your.vpn.website:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt
cd /where/you/downloaded/juniperncprompt/elementtidy-1.0-20050212
sudo python setup.py install
The gcc line links the 32-bit libncui.so into an ncui executable whose runtime library path (rpath) is the network_connect directory itself, which is why it must be built there. The chown and chmod lines make ncui a setuid-root binary, so only do this with the libncui.so that Network Connect installed for you. The openssl pipeline fetches your VPN server’s certificate, keeps only the PEM certificate block, and converts it to DER as ssl.crt next to ncui (replace your.vpn.website with your own host). The last two lines install elementtidy.
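Before running the script it is worth confirming that the steps above actually produced what they should. The following pre-flight check is an added example written for this page, not part of the juniperncprompt script: it verifies that libncui.so, ncsvc, ncui and ssl.crt are present, that ncui is owned by root with the setuid bit set (what chown root:root and chmod 4755 intend), and that ssl.crt is DER rather than PEM (a PEM file there means the final openssl x509 step was skipped). The default directory is the one the page uses; the wording of the problem strings is my own.

```python
"""Pre-flight check for the Network Connect directory (added example, not the script's code)."""
import os
import stat

# Directory the page has you build ncui in; override by passing another path.
NC_DIR = os.path.expanduser("~/.juniper_networks/network_connect")
REQUIRED_FILES = ("libncui.so", "ncsvc", "ncui", "ssl.crt")


def ncui_problems(uid, mode):
    """Problems with ncui's owner and permission bits (uid and st_mode from os.stat)."""
    problems = []
    if uid != 0:
        problems.append("ncui is not owned by root (sudo chown root:root ncui)")
    if not mode & stat.S_ISUID:
        problems.append("ncui is not setuid (sudo chmod 4755 ncui)")
    if not mode & stat.S_IXUSR:
        problems.append("ncui is not executable (sudo chmod 4755 ncui)")
    return problems


def cert_problem(head):
    """Problem with the first bytes of ssl.crt, or None if it looks like a DER certificate."""
    if not head:
        return "ssl.crt is empty (did openssl s_client reach your.vpn.website:443?)"
    if head.startswith(b"-----"):
        return "ssl.crt is PEM text; the setup writes DER (pipe it through openssl x509 -outform der)"
    if head[0] != 0x30:  # a DER certificate starts with an ASN.1 SEQUENCE tag
        return "ssl.crt does not start with an ASN.1 SEQUENCE (0x30), so it is not a DER certificate"
    return None


def check_network_connect_dir(nc_dir=NC_DIR):
    """Return a list of problems with nc_dir; an empty list means the setup looks ready."""
    problems = [f"missing {name}" for name in REQUIRED_FILES
                if not os.path.isfile(os.path.join(nc_dir, name))]
    ncui = os.path.join(nc_dir, "ncui")
    if os.path.isfile(ncui):
        st = os.stat(ncui)
        problems.extend(ncui_problems(st.st_uid, st.st_mode))
    crt = os.path.join(nc_dir, "ssl.crt")
    if os.path.isfile(crt):
        with open(crt, "rb") as f:
            head = f.read(4)
        problem = cert_problem(head)
        if problem:
            problems.append(problem)
    return problems


if __name__ == "__main__":
    for line in check_network_connect_dir() or ["network_connect looks ready"]:
        print(line)
```

Run it with no arguments after the setup commands; anything it prints other than “network_connect looks ready” names the step to redo.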
Congratulations! You should be all ready to run my script. You can run it from any directory and it should find your ncui (if you didn’t put it in ~/.juniper_networks/network_connect you should use the command line parameter or update the source). Just run the script.
Note: the defaults are what my vpn setup expects, they should all be changeable via a command line argument so you can figure out what works on your setup. ./juniperncprompt -h will give you all the options. For simplicity once you determine what works for you I’d recommend changing the default values for the arguments in the source. They are all at the top of the file.
You will likely have to adjust the password fields, the realm, the login path and the logout path. All but the login path can be seen in the form once you go to your VPN page (and get redirected to an expanded URL). The realm is a hidden field in the sign-in form. The password fields are a comma-separated (no spaces) list of the names of the password fields in the sign-in form. The login path is the path, relative to the base site, that the sign-in form submits to; mine looks like “/da-na/auth/url_2/login.cgi”. The logout path is what your log out button is a link to.
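Rather than reading these values out of the page source by hand, they can be pulled from the sign-in page’s HTML. The following is an added example written for this page, not the script’s own code: it parses the first form on the page for its action (the login path), its hidden realm field and its password field names, and finds the logout link by its “Sign Out”/“Log Out” text. SAMPLE_SIGNIN_HTML is constructed to resemble a Juniper sign-in form; its paths, field names, realm and the vpn.example.com host are assumptions, not captured from any real site.

```python
"""Discover the login path, realm, password fields and logout path from a sign-in page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed to look like a Juniper sign-in form; every value here is an assumption.
SAMPLE_SIGNIN_HTML = """
<html><body>
<form name="frmLogin" method="POST" action="/dana-na/auth/url_default/login.cgi">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="password#2">
  <input type="hidden" name="realm" value="AD-SecurID">
  <input type="hidden" name="tz_offset" value="0">
  <input type="submit" value="Sign In">
</form>
<a href="/dana-na/auth/logout.cgi">Sign Out</a>
</body></html>
"""

LOGOUT_TEXT = re.compile(r"(log|sign)\s*out", re.IGNORECASE)


class SignInFormParser(HTMLParser):
    """Collect the first form's action and inputs, plus the href of the logout link."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.inputs = []          # (type, name, value) in document order
        self.logout_href = None
        self._in_form = False
        self._form_seen = False
        self._current_href = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._form_seen:
            self._in_form = self._form_seen = True
            self.action = a.get("action")
        elif tag == "input" and self._in_form:
            self.inputs.append(((a.get("type") or "text").lower(), a.get("name"), a.get("value")))
        elif tag == "a":
            self._current_href = a.get("href")

    def handle_data(self, data):
        # The logout path is whatever the "Sign Out" / "Log Out" link points at.
        if self._current_href and LOGOUT_TEXT.search(data):
            self.logout_href = self._current_href

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
        elif tag == "a":
            self._current_href = None


def discover_form(html, base_url):
    """Return the values juniperncprompt's arguments want, derived from the sign-in page."""
    p = SignInFormParser()
    p.feed(html)
    p.close()

    def site_path(href):
        # Resolve relative or absolute hrefs against the site and keep only the path.
        return urlparse(urljoin(base_url, href)).path if href else None

    passwords = [n for t, n, _ in p.inputs if t == "password" and n]
    hidden = {n: v for t, n, v in p.inputs if t == "hidden" and n}
    text = [n for t, n, _ in p.inputs if t == "text" and n]
    return {
        "login_path": site_path(p.action),
        "user_field": text[0] if text else None,
        "password_fields": ",".join(passwords),   # comma-separated, no spaces
        "realm": hidden.get("realm"),
        "logout_path": site_path(p.logout_href),
    }


if __name__ == "__main__":
    for key, value in discover_form(SAMPLE_SIGNIN_HTML, "https://vpn.example.com").items():
        print(f"{key}: {value}")
```

Against a real site, fetch the expanded sign-in URL you are redirected to and pass the response body in place of SAMPLE_SIGNIN_HTML; the password_fields value is already in the comma-separated form the script’s argument takes.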
Q: I don’t see a libncui.so or ncsvc in the network_connect directory
A: Make sure that you have xterm installed and that a Java window didn’t pop up under another window.
Continue the conversation by sharing your comments here on the blog and by following us on Twitter @CTCT_API