Topic: NC and Linux on 5r1 code

[mirom]

Hi folks,

is NC supposed to be workin on linux when running IVE 5.0r1 and has anyone been able to find a separate installer for it? I can't.

thanks

Miro

[alan]

Yes, NC and Linux works as advertised. Redhat 9 / Firefox is the officially supported model but I've have good success with SUSE. You need OpenSSL installed (+OpenMotif if invoked from X).

This below is from page 98 of the Admin Guide. I guess you could copy "ncsvc" from one host to another for standalone install.

 If you want to invoke from command-line, from X-Windows, you should
type:
    # cd ~/.juniper_networks/network_connect/
    # ./ncui -h <host> -u <user> -p <pass> [-r <realm>]

 If you want to invoke from the command-line, NOT IN X-WINDOWS, type:
    # cd ~/.juniper_networks/network_connect/
    # ./ncsvc -h <host> -u <user> -p <pass> [-r <realm>]

[chovy]

i don't know what the arguments are supposed to be for those commands.

when i do the "web-connect" method, it opens up a java app, and asks for root passwd, then ads a few things to ~username/.juniper_networks and /root/.juniper_networks, however when the next dialog appears, which is supposed to have my "assigned ip" it just says 0.0.0.0.

I have created symlinks for missing libraries in mozilla/firefox, linux-2.6.16.

Been dying here, nobody at my company seems to know, but 1 guy got it working on debian (I'm using Gentoo).

[rkagan]

I had similar problems.  It turned out that their stuff makes a number of assumptions which are invalid on most sanely configured Linux systems.  In particular,

1) when it opens a terminal emulator window and asks for root password it does so in order to make ncsvc setuid root.  However most people mount home directories with nosuid option so setuid binaries don't work there

2) ncsvc, having established a VPN connection, attempts to configure /etc/resolv.conf to point at the new nameserver, and save a backup copy in /tmp/resolv.conf doing rename() which doesn't work across filesystems.  Most modern distros configure /tmp to be on a separate filesystem so this fails too.

The solution I used:
1) open ncsvc (found somewhere under ~/.juniper_networks) with your favorite editor capable of binary editing and replace /tmp/resolv.conf with something of the same length but under /etc, say, /etc/resolv.conx
2) figure out the realm you want to connect to.  For that you can connect to the login page of your web service with your browser and view the page source (or just do curl -kL https://your.web.service/); the html code contains

Code: [Select]

<input type="hidden" name="realm" value="your_realm">.
3) obtain the ssl server certificate in DER format.  For that you can do

Code: [Select]

openssl s_client -connect your.web.service:443 -showcerts < /dev/null 2> /dev/null |
        openssl x509 -outform der > cert.der
Now you've got all you need.  So go ahead and run as root:

Code: [Select]

ncsvc -h your.web.service -u your_user -p your_pass -r your_realm -f your_cert.der
P.S. You also need to make sure that you have tun driver loaded.

[gsker]

The suggestions above get me VERY close.  I can connect through the web and java applet interface just fine, but I'd really like to make it work at the command line.
The connect fails very close to the end -- the cert and user and all are all working.
The network admin assures me ( and I believe him ) that there is no host checker associated with this Realm.
The error log (I snipped the date field) shows:

627037 ncsvc[5785] dsclient.info <-- 200  (authenticate.cpp:168)
627129 ncsvc[5785] dsclient.error state host checker failed, error 10 (dsclient.cpp:235)
627512 ncsvc[5785] ncapp.error Failed to authenticate with IVE.  Error 10 (ncsvc.cpp:188)
627661 ncsvc[5785] dsncuiapi.para DsNcUiApi::~DsNcUiApi (dsncuiapi.cpp:72)

If there were a host checker requirement, what app or file would it be looking for?
Can I trick it?  Does anyone have this working like this?  Can I use a 5.1 client on a server that hands out the 5.4 one?

Any clues would be greatly appreciated!
Gerry

./ncsvc -v
Juniper Network Connect Server for Linux.
Version         : 1.2
Release Version : 5.4-0-Build11359
Build Date/time : Nov 29 2006 22:07:01
Copyright 2002-2006 Juniper Networks

[alan]

Wow, the original post was over a year ago. You get extra points for tenacity.
What flavor of Linux? What version of code is the SSL gateway running?
You must use the exact client as the gateway is running.Your client is 5.4R1 (build 11359)

openssl installed? have a tun adapter? libssl.so.2? Java? You need all these.

[gsker]

Well, as I pointed out this all works fine from the browser, so your helpful points about versions and OS dependencies don't seem relevant.  (Suse 10.1 or Fedora 6. java and perfectly matched gateway version)

I'm sure I asked it badly.  I always do.

My question is, Can I do this at the command line or do I HAVE to run a browser and the java applet?

If there is a way to just run ncsvc, what is it? -- It appears to get stuck at the host checker which is not required.  Some more work pointed to the neeed for a cookie which can only come from a browser conversation and java script.  Is that right?

Thanks a lot for your reply!

[ldupont]

I'm actually having this exact same problem on one of our newer Juniper devices.

I've been using this thread to run ncsvc from the commandline on our older VPN server, but when I began to test the same procedure on the new box, I get similar host checker failed errors in ncsvc.log.

Is there a function within the NC.jar we can call or run by hand or something like that?

On the other hand, could we get a better, more true Linux-style app? Like, one that installs via RPM or tar.gz, and runs as a daemon, controllable with either a ncsvcctl or an init script? That would be *very* nice.

[alzamora23]

I am having the same problem.  I am running 5.5r1 and using using CentOS 4.5.  I am able to connect using the gui.  When I attempt to connect via command line using ncsvc -h <ive host> -u <my user> -p <my pass> -r <my realm> -f <ive cert> it displays a message of "Connecting to <ive host> : 443.  Then it brings me back to the command prompt.  I look in the ncsvc.log and receive these two error messages.

20070703151818.265524 ncsvc[16581] dsclient.error state host checker failed, error 10 (dsclient.cpp:235)
20070703151818.266088 ncsvc[16581] ncapp.error Failed to authenticate with IVE. Error 10 (ncsvc.cpp:188)

I turned off host checker policy for my realm.  I verified that it was turned off but logging in via the gui and host checker doesn't load. I just simply login.  I still get those two error messages.  I am confused why it is trying to use host checker when it is disabled on the IVE.

Any ideas?

[gasmith]

I'm personally fond of how the client will quit and die silently because it assumes that /etc and /tmp are on the same filesystem.

rename("/tmp/hosts.new", "/etc/hosts") = -1 EXDEV

Sigh.

[ahd71]

Anybody having non root users using the IVE from Linux (we are using SUSE) ?

My question is how to prepare the machines before they are delivered to the end user and be able to use IVE without entering the root password on the first logon.

I think subsequent upgrade/downgrades works fine without beeing root.

BR / Anders