I'm trying to set up GlobalProtect via openconnect on macOS with a smartcard. My gateway requires a client certificate and we authenticate using the smart card, with no username/password-based authentication.
My command is:
openconnect --protocol=gp -c 'pkcs11:model=PKCS...;type=cert' -k 'pkcs11:model=PKCS....' --dump -vvvv my.companies.gateway
I enter my pin code for the smart card and it tries to connect.
Enter PIN:
Using PKCS#11 key pkcs11:model=PKCS...;type=private
No SSL certificate found to match private key
Loading certificate failed. Aborting.
Am I misinterpreting how to supply the private key? But the key only exists on the SmartCard.
If I don't use -k, I get a lot further, including selecting the gateway to use. But I can't actually log in since I don't have a username/password.
If I go to the prelogin.esp URL manually in Chrome and select my smartcard I get:
<prelogin-response>
<status>Success</status>
<ccusername>....</ccusername>
<autosubmit>true</autosubmit>
<msg/>
<newmsg/>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<auth-api>no</auth-api>
<region>SE</region>
</prelogin-response>