Juniper Networks Network Connect, SecurID and 64 bit linux

My automated command line solution to connecting to a Juniper Networks VPN that takes a password *and* a SecurID token on 64-bit Linux.

We recently changed our network setup so that I would be required to log into the vpn while at work.  So, I took a look to see what it would take to get my Arch Linux box on the vpn.

The officially supported Linux platforms as of June 2011 are OpenSuse 11 and Ubuntu 9.10.  Both need to be 32-bit only, and Firefox 3.6 and Sun JRE 6 are required.  Whew, that doc was updated in June, but the Ubuntu they support is from 2009?  And only 32-bit? Oh my!

Poking around a little bit I discovered two very informative pages: Mad Scientist’s page and a 2009 post on the makefile blog.  From everything else I read, Mad Scientist’s page is the go-to solution for getting Juniper’s Network Connect to work on Linux, even on 64-bit.  Unfortunately for me he (quite reasonably) uses the NC.jar or ncsvc executable.  The thing is, both of those only take in a user and a single password.  My work uses an Active Directory user/pass with a SecurID token.  All the examples of Juniper VPN setups that use a SecurID token that I could find used a pin+token in a single field.  That’s simply not how our system is set up, so that script won’t work for me at all.

Fortunately after a little more digging I found the makefile blog post.  It was close, oh so close to what I wanted.  I could connect without a 32-bit browser or a 32-bit Java.  The real sticking point for me was the idea that to log in I needed to log in to the VPN website, run JavaScript to get the cookie and then run an executable.  Someone had posted in the comments section a sh/curl script that would log you in, get the cookie and return it, which was again *almost* what I wanted, but not quite there.  I looked at adapting it (the paths and password fields were different) to fit my environment, but in the end the real deal breaker for me was that I refused to type my Active Directory password in cleartext as a parameter to the script (not to mention have it get put in my shell history).  Call me old fashioned, but I just wanted to run a script, answer a prompt or two and have it just work.  So, that’s what I made.

I hunkered down and wrote a Python script that will log you in to the site, manage any existing open sessions, retrieve the cookie and run the ncui executable (as per the makefile blog’s instructions).  I designed it to be flexible so that hopefully it will work for all setups of Juniper VPNs, not just what we have here.  There is a bit of setup to get to the point where it will run, but once that is done all it takes is running the command, entering your user, password and any other password fields (all customizable) and sitting back.

The requirements are:

gcc-multilibs
32-bit zlib
xterm (yes really)
python
python headers (python-devel)
sudo access
java plugin
The script and elementtidy ( located here )

Once you have everything listed above it’s time to get the Juniper Network Connect files.  If you’ve logged in to your VPN site on this computer before, look in ~/.juniper_networks/network_connect and confirm that you have libncui.so and ncsvc.  If you already have those two files you can skip the “Getting the Juniper files” section and go straight to “Setup and Installation”.

Getting the Juniper files:

1) Go to your VPN website and log in.

2) You should be sent to the Network Connect page.  You will be asked about running Java.  (There should be two prompts.)

3) Make sure that you have libncui.so and ncsvc (they should have been installed in ~/.juniper_networks/network_connect).

4) If you don’t have both of those files, make sure you have xterm installed and that a Java prompt didn’t pop up under your browser.

Setup and Installation

cd ~/.juniper_networks/network_connect

gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so

sudo chown root:root ncui

sudo chmod 4755 ncui

echo | openssl s_client -connect your.vpn.website:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt

cd /where/you/downloaded/juniperncprompt/elementtidy-1.0-20050212

sudo python setup.py install

Congratulations!  You should be all ready to run my script.  You can run it from any directory and it should find your ncui (if you didn’t put it in ~/.juniper_networks/network_connect you should use the command line parameter or update the source).  Just run:

./juniperncprompt vpn.website

Note: the defaults are what my VPN setup expects; they should all be changeable via a command line argument so you can figure out what works on your setup.  ./juniperncprompt -h will give you all the options.  For simplicity, once you determine what works for you I’d recommend changing the default values for the arguments in the source.  They are all at the top of the file.

You will likely have to adjust the password fields, the realm, the login path and the logout path.  All but the login path can be seen in the form once you go to your VPN page (and get redirected to an expanded URL).  The realm is a hidden field in the sign-in form.  The password fields are a comma-separated (no spaces) list of the names of the password fields in the sign-in form.  The login path is the path, relative to the base site, that the login form posts to; mine looks like “/da-na/auth/url_2/login.cgi”.  The logout path is what your logout button is a link to.
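To show how those four settings fit together, here is an added example of the login flow the post describes; it is not the juniperncprompt script itself, and its field names (username, password, password#2), the realm value, the sample sign-in form and the ncui flags (-h host, -c DSID=..., -f ssl.crt, as I read the makefile post) are assumptions you should check against your own form. The point it demonstrates is the one the post insists on: the AD password and the SecurID passcode are read with getpass at a prompt, never from argv, so they are neither echoed nor written to shell history, and the hidden realm field and the form's action are scraped from the sign-in page rather than hard-coded.

```python
"""Added example, not the post's juniperncprompt script: sign in to a Juniper
IVE-style form, collect the DSID cookie and hand it to ncui."""
import getpass
import http.cookiejar
import os
import subprocess
import urllib.parse
import urllib.request
from html.parser import HTMLParser

# Assumed defaults; the post's script makes all of these command line options.
USER_FIELD = "username"
PASSWORD_FIELDS = ("password", "password#2")   # "comma-separated list" in the post
NC_DIR = "~/.juniper_networks/network_connect"

# Constructed sample sign-in page (realm value and form layout are made up).
SAMPLE_SIGN_IN = """<form name="frmLogin" action="/da-na/auth/url_2/login.cgi" method="post">
<input type="hidden" name="realm" value="AD+SecurID">
<input type="text" name="username">
<input type="password" name="password">
<input type="password" name="password#2">
<input type="submit" name="btnSubmit" value="Sign In"></form>"""


class FormFields(HTMLParser):
    """Collects the first <form>'s action, its hidden inputs (the realm lives
    here) and its submit buttons (needed to answer a confirmation page)."""

    def __init__(self):
        super().__init__()
        self.action, self.hidden, self.submits, self._in_form = None, {}, {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action, self._in_form = a.get("action", ""), True
        elif tag == "input" and self._in_form and a.get("name"):
            kind = a.get("type", "text").lower()
            if kind == "hidden":
                self.hidden[a["name"]] = a.get("value", "")
            elif kind == "submit":
                self.submits[a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def parse_form(html):
    parser = FormFields()
    parser.feed(html)
    return parser


def login_data(form, username, password_fields=PASSWORD_FIELDS, ask=getpass.getpass):
    """Form body = hidden fields (realm) + user + one prompted value per
    password field. Secrets come from the prompt, never from the command line."""
    data = dict(form.hidden)
    data[USER_FIELD] = username
    for name in password_fields:
        data[name] = ask(f"{name}: ")
    return data


def dsid_from_jar(jar):
    """DSID is the session cookie ncui needs; it is set once sign-in succeeds."""
    return next((c.value for c in jar if c.name == "DSID"), None)


def ncui_command(host, dsid, nc_dir=NC_DIR):
    # Assumed invocation after the makefile post: ncui -h host -c DSID=... -f ssl.crt
    nc_dir = os.path.expanduser(nc_dir)
    return [os.path.join(nc_dir, "ncui"), "-h", host, "-c", f"DSID={dsid}",
            "-f", os.path.join(nc_dir, "ssl.crt")]


def connect(host, username, login_path=None):
    """Live flow: GET the sign-in page, POST the credentials, answer an
    'existing sessions' confirmation form if one comes back, then run ncui."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    base = f"https://{host}/"
    form = parse_form(opener.open(base).read().decode("utf-8", "replace"))
    url = urllib.parse.urljoin(base, login_path or form.action)
    body = urllib.parse.urlencode(login_data(form, username)).encode()
    page = opener.open(url, body).read().decode("utf-8", "replace")
    if dsid_from_jar(jar) is None:
        # Assumed: a confirmation form listing open sessions; resubmit it as-is.
        confirm = parse_form(page)
        if confirm.action is not None:
            body = urllib.parse.urlencode({**confirm.hidden, **confirm.submits}).encode()
            opener.open(urllib.parse.urljoin(url, confirm.action), body).read()
    dsid = dsid_from_jar(jar)
    if dsid is None:
        raise SystemExit("sign-in did not return a DSID cookie; check the field names")
    subprocess.run(ncui_command(host, dsid), check=True)


def offline_demo():
    """Exercises parsing, prompting and command building on the constructed
    sample page and a constructed DSID cookie, without touching the network."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(http.cookiejar.Cookie(0, "DSID", "c0ffee", None, False, "vpn.example",
                                         True, False, "/", True, True, None, True, None, None, {}))
    data = login_data(parse_form(SAMPLE_SIGN_IN), "alice", ask=lambda prompt: "typed-at-prompt")
    return {"data": data, "cmd": ncui_command("vpn.example", dsid_from_jar(jar), "/tmp/nc")}


if __name__ == "__main__":
    import sys
    connect(sys.argv[1], input("user: "))
```

Run it as `python3 this_script.py vpn.website`; it prompts for the user name and then once per configured password field. The sudo-owned, setuid ncui from the setup steps is what actually brings the tunnel up, so the script itself needs no elevated rights, and the only thing it ever holds on to is the DSID cookie for the current session.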

Troubleshooting

Q: I don’t see a libncui.so or ncsvc in the network_connect directory.
A: Make sure that you have xterm installed and that a Java window didn’t pop up under another window.


Comments

  1. This has been working without issues – until the “Bring Your Own Device” changes that went into effect on 11/16. Now I can’t login at all with the juniperncprompt.py script, even if I change the VPN URL to vpn.constantcontact.com/BYOD:443. I’d be curious to know if you’ve tried remoting in to the VPN from Linux. Meanwhile, I’m digging through the internet for solutions. It would be a shame to be tied to the Mac when my late model Dell running a lightweight Debian does everything I need.

Trackbacks

  1. […] But if your VPN server use two phase auth scheme (SecurID + AD password), it can get more involved. Scott has GREAT blog on how to make it work: http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery Only thing – you have to copy DSID cookie manually and paste it as argument in ncui call.  There are several projects to automate that, for example: https://code.google.com/p/juniper-vpn/ or http://techblog.constantcontact.com/software-development/juniper-networks-network-connect-securid-an… […]
