
How to get connected through command line, when doing multi factor authentication?

je-vv
Occasional Contributor


At the company where I work, they were supporting OTP devices with pulse-secure, to connect through the VPN.  However they stopped that support and moved to what they call MFA (multi factor authentication) connection through pulse-secure.

 

The known way to do it is to use the pulse-secure GUI, which before wasn't necessary, which starts a web interface to provide the company email and password, and then to provide an OTP through a yubikey OTP or through an MFA SW.  I decided to use a yubikey OTP (funny though, I moved from one form of OTP to another).  But I don't like using the GUI, starting from the fact that I need a graphical environment to use it, and with no proxy set, as opposed to before, where I 1st connected using a plain tty, and only after gaining connection I would start the graphical environment.  Also it makes me install the GUI dependencies which I don't like either.  And what's worse, there's a way to avoid having to launch the web interface, by using what in the company is called a class B digital badge, which is a personal certificate, but in order to use it, I need to install and use gnome-keyring, which I don't want, and I guess the need is to prevent storing plain text passwords, but there's no need for gnome-keyring at all, since the password can be asked any time one tries to connect...

At any rate, I do have my class B digital badge, and I know its password, so I guess there must be a way to use pulse-secure to use it and do the MFA without the need for a GUI.  Any hints?

 

The way I used pulse-secure in the past was:

 

pulsesvc -h ${GATEWAY} -u ${USER} -p ${OATH_PASS} -r "OATH Passcode"

 

Where OATH_PASS was a combination of the OTH device pin plus its generated OTP.

 

Unfortunately the help doesn't give any hint of the possibility of using any sort of certificates:

% pulsesvc --help

Usage examples:
pulsesvc -h host -u user -p passwd -r realm [-L log_level] [-g] [-U sign_in_url] [-y proxy] [-z proxy_port] [-s proxy_user] [-a proxy_password] [-d proxy_domain] [-I]
pulsesvc -v
pulsesvc -K
pulsesvc -H

Signin Options:
-h, -host: IVE hostname or IP
-u, -username: Username
-p, -password: User Password
-r, -realm: IVE signin realm
-P, -Port: Service Port
-U, -Url: IVE realm Signin URL

Proxy Options:
-y, -proxy: Proxy server hostname or IP
-z, -proxy-port: Proxy server port number
-s, -proxy-user: Proxy server username
-a, -proxy-pass: Proxy server password
-d, -proxy-domain: Proxy server domain
-I, -proxy-interactpass: Proxy server interactive password mode

Logging Options:
-L, -log-level: Logging level
0 : Log Critical messages only
1 : Log Critital and Error messages
2 : Log Critital, Error and Warning messages
3 : Log Critital, Error, Warning and Info messages (default)
4 : Log All Verbose messages
5 : Log All messages

Miscellaneous Options:
-v, -version: Print version information and quit
-g, -upload-log: Zip and upload logs to host
-K, -Kill: Kill all running ncsvc services
-H, -help: print usage information

 

If anyone is aware and can share on how to use the command line for this sort of MFA with pulse-secure, it'll be really appreciated.

 

If not possible, how to make the devs aware of this use case need?

2 REPLIES
zanyterp
Moderator

Re: How to get connected through command line, when doing multi factor authentication?

Unfortunately, the CLI client does not support MFA. To let the developers know, please reach out to your account team and let them know so they can work with the product team for an enhancement request.
je-vv
Occasional Contributor

Re: How to get connected through command line, when doing multi factor authentication?

Unfortunately I'm just a gnu/linux user from a vast majority of ms-windows users.  I'm like no one to pay attention to by the company's IT team.  So sad there's no way one can get feature requests visible to people that can take action.