My thoughts and opinions on life, work, and everything in between.

Juniper Pulse VPN with Two-Factor Auth on Archlinux

2014-09-04
  • linux
  • vpn
  • juniper
  • pulse

Edit: Oct 2, 2016 - This is irrelevant now as OpenConnect is able to handle all of this in a very straightforward and easy way now Edit: Dec 4, 2014 - Updated for jre 8

Recently at work, we switched from openvpn to Juniper VPN, and I had quite the experience trying to get it working on Arch Linux. Hopefully this guide can save some of you guys a good day's worth of headache.

Depending on the policy configuration of your company/organization, setting up Juniper can be reasonably straightforward or very hackish. If your organization does not require you to login through the browser (eg. simple username/password auth), then you can use the jnc or msjnc command line tools to connect directly; the archwiki has a great article that walks through the steps for getting that setup.

If your organization employs some sort of two-factor authentication, then the command line tools are a no-go and you will need to get the browser applet network_connect working. On the surface this seems pretty straight-forward but the problem is that it expects that you are running Red Hat, another rpm based distro (Juniper provides a rpm package), or a debian based distro (expects the dpkg based update-alternatives to be present).

This leaves us archers in an akward spot. The following will essentially install dpkg on arch, and setup update-alternatives to return the correct java paths to allow juniper to work; this assumes you are running 64-bit (Juniper is 32-bit only but has recently been updated to support running on a 64-bit os provided that the 32-bit dependencies are installed), 32-bit users will likely not have these problems. 

# Install ~jre7~ and ~bin32-jre7~ from the AUR
# I tried ~openjdk~ and ~icedtea~, but it doesn't seem to work. Juniper doesn't seem to recognize the 32-bit jvm. Suprisingly, it works on ubuntu...
yaourt -S jre7 bin32-jre7

# Make sure you have multilib enabled and install the necessary dependencies
# Replace ~yaourt~ with pacman + whatever tool you use to install packages from the AUR.
yaourt -S xterm lib32-glibc lib32-libzip lib32-gcc-libs lib32-libxext lib32-libxrender lib32-libxtst dpkg

# You can test whether you have all the needed libraries by running ~sudo ldd ncsvc~ in ~/.juniper_networks/network_connect~ (sudo because ~ncsvc~ is setuid root).
   
# Setup ~update-alternatives~ for ~java~
sudo update-alternatives --install /usr/bin/java java /opt/java32/jre/bin/java 50
sudo update-alternatives --install /usr/bin/java java /usr/lib/jvm/java-8-jre/bin/java 100

# Setup ~update-alternatives~ for ~javaws~
sudo update-alternatives --install /usr/bin/javaws javaws /opt/java32/jre/bin/javaws 50
sudo update-alternatives --install /usr/bin/javaws javaws /usr/lib/jvm/java-8-jre/bin/javaws 100
 
# Setup ~update-alternatives~ for ~libnpjp2.so~
sudo update-alternatives --install /usr/lib/mozilla/plugins/libnpjp2.so java_plugin /opt/java32/jre/lib/i386/libnpjp2.so 50
sudo update-alternatives --install /usr/lib/mozilla/plugins/libnpjp2.so java_plugin /usr/lib/jvm/java-8-jre/lib/amd64/libnpjp2.so 100

You should be set to go! Login through the browser and starting network_connect should now present you with the vpn client.

Hopefully this will save some of you some time.