Does anyone know how to set up proxy settings with mad scientist's script?
thanks for helping me
I found a solution :
Add
Code:
-y "$PROXY" -z "$PROXYPORT"
at lines 515 and 520 of mad scientist's script, and add this information to your profile file.
PS: if you need to, you can add the following information (obtained with the command '.juniper_networks/network_connect/ncsvc -help'):
Code:
Proxy Options:
    -y, -proxy: Proxy server hostname or IP
    -z, -proxy-port: Proxy server port number
    -s, -proxy-user: Proxy server username
    -a, -proxy-pass: Proxy server password
    -d, -proxy-domain: Proxy server domain
Last edited by LdK; June 8th, 2011 at 01:10 PM.
In our company we need 3 things to login to the VPN
1. LDAP Username
2. LDAP Password
3. Pincode + Passcode
Is there anyone that knows how to do this with junipernc?
Hello,
I am trying to connect to our Juniper and it appears it can't handle the /its in the URL properly.
Below is the error I am getting. I have changed the domain name to protect the innocent.
Any help would be appreciated.
20110630105010.526731 ncsvc[4187] ncsvc.info New ncsvc log level set to 3 (nccommon.cpp:75)
20110630105010.533465 ncsvc[4187] ncsvc.error gethostbyname failed for host connect.acme.com/its (ncsvc.cpp:442)
Unable to connect to connect.acme.com/its
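The log above shows the whole string, path included, being handed to gethostbyname. The following is an added example, not part of the original post or of the junipernc script: it splits a sign-in address into a bare hostname and a full sign-in URL, assuming (as other posts in this thread use them) that -h takes only a hostname and -U takes the sign-in URL. nc_split, NC_HOST and NC_URL are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the junipernc script.
# nc_split, NC_HOST and NC_URL are hypothetical names.

# nc_split ADDRESS
# Accepts "host", "host/path", "host:port/path", or the same with https://.
# On success sets NC_HOST (bare name for -h) and NC_URL (sign-in URL for -U).
nc_split() {
    addr=$1
    case $addr in
        https://*) addr=${addr#https://} ;;
        *://*) echo "nc_split: only https sign-in URLs are accepted" >&2
               return 1 ;;
    esac
    hostport=${addr%%/*}          # everything before the first "/"
    path=${addr#"$hostport"}      # "/its", or empty when no path was given
    host=${hostport%%:*}          # drop an optional ":port"
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "nc_split: not a hostname: $host" >&2
                             return 1 ;;
    esac
    port=${hostport#"$host"}      # ":8443", or empty
    case $port in
        :|:*[!0-9]*) echo "nc_split: bad port: $port" >&2
                     return 1 ;;
    esac
    NC_HOST=$host
    NC_URL="https://$hostport$path"
}

# Usage, with the password fed on stdin as the junipernc snippet in this thread does:
#   nc_split "connect.acme.com/its" &&
#     printf '%s\n' "$password" |
#       ncsvc -h "$NC_HOST" -u "$USER" -r "$REALM" -f "$CERT" -U "$NC_URL"
```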
Wow ... the script is awesome and works very well! I have an issue with it that I was able to resolve, but not in a "nice" way.
Once I'm logged in to the VPN, have network connect up and running, I can see the machines I need to work on via IP. Great! I thought to get DNS working as well, so I modified my dhclient.conf file.
The interesting thing that happens is that (it seems) the script causes resolv.conf to be overwritten with nameservers from the connected website. For a lot of people, that's probably fine. For me, I need many more nameservers (this connection spans many, many sites), a specific domain, and search. It's all in my dhclient.conf, but it doesn't get written to resolv.conf with the new connection. It does get the search field in, but that's useless without the domain and extra nameservers.
I wrote a resolv.conf by hand and put it in place. After that, everything works. If I log out and log back in, however (to the vpn), that gets reset, so I have to replace my resolv.conf any time I use this.
Ideas why it's not taking the info in the dhclient.conf? Maybe I don't know enough about that configuration file and there's a way to tell it specifically to use the information for this connection type?
Thanks for the script! I have a workaround for this problem and thought I'd post it for others (manually setting resolv.conf ... don't forget to back it up as dhclient.conf will overwrite it!), but thought I'd ask in case I'm missing something that would make everything better
I have the same problem as Mynk. Running on Kubuntu 11.04 64bit.
Code:
ncapp> Failed to connect/authenticate with IVE. Error 10
I will answer myself. Luckily I have found a solution. One parameter has to be added to ncsvc. Description is here: http://kb.juniper.net/InfoCenter/ind...ent&id=KB15890
I modified my junipernc script and added this to the command: -U "https://$HOST/launcher"
Code snippet:
Code:
if $_java; then
    echo "$password" | "$JAVA" -jar "$_ncpath/NC.jar" -h "$HOST" -u "$USER" -f "$CERT" -r "$REALM" -U "https://$HOST/launcher" \
        || ok=false
else
    # No GUI? Just let the thing run in the background
    echo "$password" | "$_ncpath/ncsvc" -h "$HOST" -u "$USER" -r "$REALM" -f "$CERT" -U "https://$HOST/launcher" \
        || ok=false
fi
Hi Guys,
My 'single click VPN' solution.
I tried many things from this thread a while back and never had much luck, so I went off on my own and figured out another solution which 'Just Works' (tm) for me. I haven't wrapped it up and made it all pretty, but it may help someone. I've used this on 10.04 upwards with NC 7.0R1 as delivered by default from our Juniper SA.
In our case, we have a Juniper SA2500 and multiple roles for most users in our default Active Directory realm. Using NC.jar via CLI only works when one role is available, so I made a new realm for this purpose. Once this realm is created, it provides another login URL such as https://host.company.com/realm/
On the SA under Users -> User Realms: I created a new realm called ncsvc with all the necessary mappings to AD to put users only in to one role.
I've then installed kdocker and gtk-led-askpass and have a small script which asks for my password, launches and then docks the window to the notification tray so it's out of the way.
To do this:
- Access the login page of your Juniper with firefox and export the SSL certificate to a local file. Process: click the padlock -> View Certificate -> Details -> Export -> DER
- Login as normal and launch Network Connect to install the NC client
- Install kdocker and gtk-led-askpass
- Customise the script below and use it for connecting in the future.
* only gotcha is don't drag the NC window around once it loads, as kdocker ain't the sharpest tool in the shed. Just load it and click the new globe icon in the notification area to show/hide the NC window - it will hide itself initially though after a delay.
Code:
#!/bin/sh
# ncsvc is the single role realm created for this purpose
/usr/bin/java -jar ~/.juniper_networks/network_connect/NC.jar -h host.company.com -u 'username' -f ~/ssl-certificate.der -r "ncsvc" -L 5 -p `gtk-led-askpass` -U https://host.company.com/ncsvc/ &
sleep 8
kdocker -i /usr/share/icons/gnome/16x16/categories/applications-internet.png -w `xwininfo -name "Network Connect" | grep "Window id" | awk '{print $4}'`
On Ubuntu 11.04 and Firefox 6 I've installed the 32 bit java and set update-alternatives to use it (and restarted firefox), but when I go to the juniper and activate network connect from there a ps ax |grep java shows that it's running the openjdk java that's tied to the icedtea plugin. If I don't have this plugin I can't get the web page to start the java app.
I tried using the junipernc script, but in my case I have token authentication (on the Juniper web screen, there is no password entered on the first screen, then a second screen gives me a challenge that I type into the token and then type the response from the token into the web page before I am able to get logged in to the Juniper)
Is there any way to do this from the command line with something like junipernc?
David Lang
It's very ugly, but you can create a 32 bit chroot sandbox and start the VPN from inside the sandbox and then use it on the main system
the steps to do this are ugly, so here is a close-to-right script to implement them all (this is taking what I did and making it into a script, there may be typos or such in it that I have not yet found, testing and feedback would be appreciated, as would any ideas of how to reduce the size of the sandbox and the time to create it)
first, use a normal 64 bit browser to login to the juniper and attempt to start the network connect, this will do the installation (where it prompts you for a sudo password) and should create a directory tree, the key to checking that this installed correctly is to look for the file .juniper_networks/network_connect/ncsvc and see that it is setuid root.
this script creates a chroot sandbox with a minimal ubuntu installation in it. It then installs a handful of additional packages that are needed (and the large number of dependencies for those files)
it does a bunch of mounts into the sandbox (these mounts would need to be done on every boot)
it then creates a script to work around firefox being dependent on DBUS (firefox still complains about not being able to reach DBUS, but without this script it dies instead) and then it starts firefox
in firefox connect to the juniper, sign in, and launch network connect. there is one error prompt about being unable to modprobe the tun driver, just click Ok and the tunnel should start.
the tunnel can be used by any software on the box, it doesn't have to be inside the sandbox (that is the reason for making /etc/resolv.conf be a symlink into the sandbox).
there are a number of times in the process that the user will be prompted for things, so it is not an unattended install.
#!/bin/bash
# Run as root from /home/$INSALL_USER; the resolv.conf symlink below assumes the sandbox lives there
export SANDBOX=sandbox2
export INSALL_USER=dlang
debootstrap --arch=i386 natty $SANDBOX
mount -B /dev $SANDBOX/dev
mount -B /var/run/dbus $SANDBOX/var/run/dbus
mount none -t proc $SANDBOX/proc
mount none -t devpts $SANDBOX/dev/pts
# Point the host's resolv.conf at the sandbox copy, saving the original the first time only
if [ -e /etc/resolve.conf.juniper.save ]
then
    echo "already saved resolv.conf"
else
    mv /etc/resolv.conf /etc/resolve.conf.juniper.save
    ln -s /home/$INSALL_USER/$SANDBOX/etc/resolv.conf /etc/resolv.conf
fi
cd $SANDBOX
# The lines up to "exit" are typed into the shell that chroot starts
chroot . bash -
export LANG=C
adduser --uid 1000 $INSALL_USER
adduser $INSALL_USER adm
adduser $INSALL_USER sudo
exit
# Back on the host, still inside the sandbox directory, so destination paths are relative
cp -pR /home/$INSALL_USER/.juniper_networks/ home/$INSALL_USER
cp /etc/apt/sources.list etc/apt
# The remaining lines are typed inside the chroot shell; su switches to the unprivileged user
chroot . bash -
export LANG=C
apt-get update
apt-get install firefox
apt-get install libcanberra-gtk-module
apt-get install sun-java6-plugin
su - $INSALL_USER
cat <<EOF >fixdbus
#!/bin/bash
exportDbus () {
    # Get the pid of the newest firefox-bin owned by this user
    firefox_pid=\$(pgrep -u \$LOGNAME -n firefox-bin)
    # If firefox isn't running, just exit silently
    if [ -z "\$firefox_pid" ]; then
        echo "exiting"
        exit 0
    fi
    # Grab the DBUS_SESSION_BUS_ADDRESS variable from firefox's environment
    eval \$(tr '\0' '\n' < /proc/\$firefox_pid/environ | grep '^DBUS_SESSION_BUS_ADDRESS=')
    # Check that we actually found it
    if [ -z "\$DBUS_SESSION_BUS_ADDRESS" ]; then
        echo "Failed to find bus address" >&2
        exit 1
    fi
    # export it so that child processes will inherit it
    export DBUS_SESSION_BUS_ADDRESS
}
exportDbus
"\$@"
EOF
chmod 700 fixdbus
./fixdbus firefox -no-remote --display=localhost:0 &
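The installation check described in the post above (ncsvc present and setuid root), written as a shell function. This is an added example, not part of the original post; check_ncsvc and its return codes are hypothetical, and the extra test that the file is not writable by group or others goes beyond what the post checks.

```shell
#!/bin/sh
# Added example; check_ncsvc and its return codes are hypothetical.

# check_ncsvc FILE
# Returns 0 if FILE is a regular file, has the setuid bit, is owned by uid 0
# and is not writable by group or others.
# Returns 1 if missing, 2 if not setuid, 3 if not owned by root,
# 4 if writable by group or others.
check_ncsvc() {
    f=$1
    [ -f "$f" ] || return 1
    [ -u "$f" ] || return 2
    # ls -ln prints "mode links uid gid ..."; numeric ids avoid name lookups
    set -- $(ls -lnd -- "$f")
    mode=$1
    uid=$3
    [ "$uid" -eq 0 ] || return 3
    case $mode in
        ?????w*|????????w*) return 4 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Usage:
#   check_ncsvc "$HOME/.juniper_networks/network_connect/ncsvc"; echo "result: $?"
```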