Feature request: support pass-through authentication?
vectorsigma opened this issue · comments
We have our PAN devices configured to pop up a window that authenticates us via our Google accounts. Is this something that would be potentially supportable via an outside script, à la HIP? And if so, how can I help make that happen? I would like to use this build for native VPN access, but ever since we moved away from the PAN device's internal database for auth, I'm fairly sure it won't work with this tool.
If this isn't a reasonable request, feel free to close it and I'll see if my admin and I can work around it, though I believe we went this route to get MFA for our VPN.
Is this something that would be potentially supportable via an outside script, à la HIP?
I doubt that this has anything to do with HIP. My understanding is that HIP runs after the client has established an HTTPS or ESP tunnel to the PAN device.
It's supportable in principle, but you will need to provide a lot of information on how the delegated authentication process actually works. At what point in the GlobalProtect VPN authentication sequence does the PAN device notify the client to pop up that window, and how?
If it's anything like other VPN systems that I've seen… the Google account authentication probably generates a one-time password, which then gets fed back to the "normal" PAN authentication process in place of the usual password. (Just an educated guess.)
We have our PAN devices configured to pop up a window that authenticates us via our Google accounts.
Does the login process work with the command-line openconnect with GlobalProtect support? Presumably not.
Please attempt the login with openconnect --dump -vvvv --protocol=gp your.portal.server
and send me the entire output (you can obfuscate passwords or sensitive server name information), or create an issue report on dlenski/openconnect and include the log there…
@dlenski Sorry it took me so long..
$ openconnect --dump -vvvv --protocol=gp my.portal.domain
Please enter your username and password
Username: me@my.com
Password:
POST https://my.portal.domain/ssl-vpn/login.esp
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with my.portal.domain
Connected to HTTPS on my.portal.comain
> POST /ssl-vpn/login.esp HTTP/1.1
> Host: my.portal.domain
> User-Agent: PAN GlobalProtect
> X-Pad: 00000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 172
>
> jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&server=my.portal.domain&computer=mypc.example.com&user=me%40my.com&passwd=PASSWORDLOL
Failed to read from SSL socket: The TLS connection was non-properly terminated.
Error fetching HTTPS response
Failed to obtain WebVPN cookie
Are you sure the server in question is a PAN GlobalProtect portal/gateway server?
It's not even replying to the first query with one of the normal-ish error mechanisms. How do you know it's speaking the PAN GP protocol at all?
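To separate "wrong credentials" from "this endpoint is not speaking GlobalProtect at all", the following added probe (not part of openconnect or this thread) rebuilds the exact login.esp POST shown in the dump above and labels the outcome, treating the abrupt TLS close seen in the log as its own case. The hostnames, user name and computer name are constructed placeholders; that a GP portal answers login.esp with a JNLP XML document is an assumption drawn from how openconnect parses the reply.

```python
import http.client
import ssl
from urllib.parse import urlencode

# Form fields openconnect sent to /ssl-vpn/login.esp in the log above.
# safe=":" keeps "prot=https:" literal while "@" still becomes %40, as in the dump.
def build_login_body(server, user, passwd, computer="mypc.example.com"):
    fields = [("jnlpReady", "jnlpReady"), ("ok", "Login"), ("direct", "yes"),
              ("clientVer", "4100"), ("prot", "https:"), ("server", server),
              ("computer", computer), ("user", user), ("passwd", passwd)]
    return urlencode(fields, safe=":")

def classify_response(status, body):
    """Label an HTTP reply. A GP portal is assumed to answer 200 with a JNLP
    document; a 200 with anything else (e.g. an HTML login page) means the
    endpoint is probably not a GP portal/gateway."""
    if status == 200 and b"<jnlp" in body:
        return "gp_login_reply"
    if status == 200:
        return "unexpected_200_not_gp"
    return "http_%d" % status

def probe_login(server, user, passwd, timeout=10):
    """Send the same POST openconnect sends and return a label; never raises."""
    headers = {"User-Agent": "PAN GlobalProtect",
               "Content-Type": "application/x-www-form-urlencoded"}
    ctx = ssl.create_default_context()  # verifies the server certificate
    conn = http.client.HTTPSConnection(server, 443, timeout=timeout, context=ctx)
    try:
        conn.request("POST", "/ssl-vpn/login.esp",
                     body=build_login_body(server, user, passwd), headers=headers)
        resp = conn.getresponse()
        return classify_response(resp.status, resp.read())
    except ssl.SSLCertVerificationError:
        return "tls_cert_verify_failed"   # distinct from the server hanging up
    except (OSError, http.client.HTTPException):
        # Covers RemoteDisconnected, IncompleteRead, SSLEOFError and resets:
        # the "TLS connection was non-properly terminated" case from the log.
        return "closed_without_response"
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed placeholder target; use a deliberately bogus password so the
    # probe only tells you how the server answers, not whether it accepts you.
    print(probe_login("my.portal.domain", "me@my.com", "not-a-real-password"))
```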