Wednesday, 1 June 2022

Juniper SSL/VPN for Linux Users

 

Howto

  1. First you need the network connect client software from Juniper Networks.
    • If the Java plugin from Sun Microsystems is installed on your system and you use a 32-bit Linux (sun-java6-plugin works for me on Debian/Ubuntu 32-bit), then just connect once using the standard user interface via web browser (Firefox is supported by Juniper Networks; Opera worked for me, too). You are asked for the root password because the setuid bit of the ncsvc binary must be set. If you don't have a root password (e.g. because you use Ubuntu), just press CTRL+D to abort. The software will nevertheless be downloaded to the directory ~/.juniper_networks/network_connect. Just make sure the binaries have the required permissions:

      $ sudo chown root:root ~/.juniper_networks/network_connect/ncsvc
      $ sudo chmod 6711 ~/.juniper_networks/network_connect/ncsvc
      $ chmod 744 ~/.juniper_networks/network_connect/ncdiag

    • If Sun Java doesn't work on your system with Juniper (64-bit Linux) or you don't want to use Java, just log in on the web site of your Juniper SSL/VPN and change the URL as follows:
      If the site's URL is https://vpn.kit.edu, enter https://vpn.kit.edu/dana-cached/nc/ncLinuxApp.jar and download the file ncLinuxApp.jar.
      Then execute the following commands:

      $ mkdir -p ~/.juniper_networks/network_connect/
      $ unzip ncLinuxApp.jar -d ~/.juniper_networks/network_connect/
      $ sudo chown root:root ~/.juniper_networks/network_connect/ncsvc
      $ sudo chmod 6711 ~/.juniper_networks/network_connect/ncsvc
      $ chmod 744 ~/.juniper_networks/network_connect/ncdiag

  2. Download jnc, copy it to an appropriate directory (e.g. /usr/local/bin) and make it executable:

    $ chmod a+x jnc

    In addition to Perl, OpenSSL must be installed to use it. If you want to use the GUI, Java from Sun Microsystems must be available, too, of course.

    If you use a 64-bit Linux, the Network Connect Java GUI will not work, so remember to start jnc with the option --nox (or -n); see below. Also install the 32-bit versions of the required libraries.

    On Debian/Ubuntu:
    # apt-get install libc6-i386 lib32z1 lib32nss-mdns

    On RH 6 and higher:
    # yum install glibc.i686 zlib.i686 nss.i686

  3. Create the directory for the configuration files

    $ mkdir -p ~/.juniper_networks/network_connect/config

    and create a configuration file in this directory. It must be named somename.conf.

    Example config file
    (Karlsruhe Institute of Technology (KIT) users: click here)

    host=foo.bar.com
    user=username
    password=secret
    realm=very long realm with spaces
    cafile=/etc/ssl/bar-chain.pem
    certfile=
    

    password and realm are optional.
    cafile: CA chain to verify the host certificate
    certfile: host certificate in DER format
    cafile or certfile must be configured.

    For cafile/certfile you have to use the full path. You must not use ~, it won't be expanded.

    If you don't know of any realm, there is possibly only one, so you can omit this configuration option. You can also find out your realm by viewing the page source of your sign-in page: just search for the word realm in it.

  4. Start network connect with

    $ jnc somename

    or

    $ jnc --nox somename

    for use without GUI. To stop the client, just (click Sign Out in the Java GUI or) execute

    $ jnc stop

    For more options see

    $ jnc --help

  5. Updating the client: if your Juniper SSL/VPN site was upgraded to a new firmware version, there may also be a new network connect client version available. To get it, just repeat step one in this howto. You don't have to remove any files beforehand.
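
A pre-flight check for the configuration file from step 3, as an added example that is not part of jnc or of the original howto: it tests the rules stated there (file named *.conf, cafile or certfile configured, full paths without ~). Treating host and user as required, and flagging a file that stores a password while being accessible to group or others, are assumptions of this example, not documented jnc behaviour; the function name check_jnc_conf is hypothetical.

```shell
#!/bin/sh
# Added example (not part of jnc): lint a jnc config file against step 3.
# check_jnc_conf FILE -> prints each problem, returns 0 only if there are none.
check_jnc_conf() {
    conf=$1
    problems=0
    report() { echo "$conf: $1"; problems=$((problems + 1)); }
    # Last value of key=...; the value may contain spaces (realm).
    get() { sed -n "s/^$1=//p" "$conf" | tail -n 1; }

    [ -f "$conf" ] || { echo "$conf: not a regular file"; return 1; }
    case $conf in
        *.conf) ;;
        *) report "file name must end in .conf" ;;
    esac

    host=$(get host); user=$(get user); password=$(get password)
    cafile=$(get cafile); certfile=$(get certfile)

    # Assumption: host and user are required (only password/realm are optional).
    [ -n "$host" ] || report "host is not set"
    [ -n "$user" ] || report "user is not set"
    [ -n "$cafile" ] || [ -n "$certfile" ] ||
        report "cafile or certfile must be configured"

    for path in "$cafile" "$certfile"; do
        [ -n "$path" ] || continue
        case $path in
            /*) [ -r "$path" ] || report "$path is not readable" ;;
            *)  report "$path is not a full path (~ is not expanded)" ;;
        esac
    done

    # Assumption of this example: a stored password is plaintext, so the
    # file should not be accessible to group or others.
    if [ -n "$password" ]; then
        mode=$(ls -ld "$conf" | cut -c5-10)
        [ "$mode" = "------" ] ||
            report "stores a password but group/other have access (chmod 600)"
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone use: sh check_jnc_conf.sh /full/path/to/somename.conf
if [ $# -gt 0 ]; then check_jnc_conf "$1"; fi
```

Since password is optional, leaving it out of the file also clears the permission finding.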
