Command-line client for Palo Alto Networks' GlobalProtect VPN, integrated with OKTA.
This utility will do the authentication dance with OKTA to retrieve portal-userauthcookie, which will be passed to OpenConnect with PAN GlobalProtect support for creating actual VPN connection. Compatible with Python 2 and 3. Tested on FreeBSD, Linux and MacOS X.
It also supports Google and OKTA two-factor authentication and can work without user interaction if the initial TOTP secret is provided. Otherwise, it will ask for the generated code.
There are two ways to obtain the TOTP secret: either scan the provided QR code with a normal QR code scanner and write down the secret, or create a backup from the current OTP application on the phone. Some applications have this feature, but some don't. For example, andOTP on Android does support this feature.
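What "writing down the secret" and unattended code generation involve, as an added example that is not part of gp-okta's own code: it assumes the QR code decodes to a standard `otpauth://totp/` URI, and it computes the RFC 6238 code with the Python 3 standard library instead of pyotp. The sample URI is constructed and carries the RFC 6238 test key; `parse_otpauth` and `totp` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: text a QR scanner would show for an enrollment code.
# The secret is the RFC 6238 test key in base32, not a real credential.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return (label, base32 secret, digits, period) from an otpauth URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    if q.get("algorithm", ["SHA1"])[0].upper() != "SHA1":
        raise ValueError("only HMAC-SHA1 is handled in this example")
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return unquote(u.path.lstrip("/")), q["secret"][0], digits, period


def totp(secret_b32, at=None, digits=6, period=30):
    """Compute the RFC 6238 code for the given secret at Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)              # authenticator apps omit padding
    key = base64.b32decode(s)
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    label, secret, digits, period = parse_otpauth(SAMPLE_URI)
    print(label, totp(secret, digits=digits, period=period))
```

Anyone who can read the stored secret can generate valid codes indefinitely, so a file that holds it alongside the password deserves the same protection as the password itself.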
This utility depends on the requests and lxml Python libraries. If a TOTP secret is being used, then pyotp is also required.
./gp-okta.py gp-okta.conf
Build Docker image before running container:
docker build -t gp-okta .
Edit gp-okta.conf and launch Docker container:
sh run-docker.sh
The configuration file should be self-explanatory. Options can be overridden with the respective GP_ prefixed environment variables, e.g., GP_PASSWORD will override the password option in the configuration file.
If openconnect returns with an ioctl error, then this version has a bug which requires prefixing stdin input with a newline. Set bug.nl=1 in the configuration file to work around this issue.
If openconnect returns with an fgets (stdin): Resource temporarily unavailable error, then this version has a bug which requires prefixing stdin input with a username. Set bug.username=1 in the configuration file to work around this issue.