
@zenglian
Last active July 9, 2024 15:20
auto login with cisco anyconnect (password saved, silent mode)

Cisco AnyConnect: auto login in silent mode

This gist is for Linux. The procedure is the same on Windows.

Connect

Create a file named .login_info with the following content:

connect your.server.url
username
password
    (blank line)

Create a script containing the following line:

/opt/cisco/anyconnect/bin/vpn -s < .login_info   
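
Added example (not part of the original gist): a wrapper that writes .login_info with owner-only permissions and refuses to feed it to vpn -s if the file is a symlink, is accessible to other users, or pre-answers the "Connect Anyway? [y/n]" certificate prompt quoted in the comments below. The function names are hypothetical and GNU stat (Linux) is assumed.

```shell
#!/usr/bin/env bash
# Added example, not the gist author's script. Assumes GNU stat (Linux).
VPN_BIN=/opt/cisco/anyconnect/bin/vpn        # path used in the gist

# True only if $1 is a regular file (not a symlink), owned by the current
# user, with no group/other permission bits (e.g. mode 600 or 400).
login_info_is_private() {
    local f=$1 mode
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    mode=$(stat -c '%a' -- "$f") || return 1
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

# True if the line right after "connect ..." is a bare y/Y, i.e. the file
# pre-answers the "Connect Anyway? [y/n]" certificate warning (heuristic).
auto_accepts_cert_warning() {
    awk 'prev_connect && /^[yY][[:space:]]*$/ { found = 1 }
         { prev_connect = ($1 == "connect") }
         END { exit !found }' "$1"
}

# Write the gist's layout (connect line, username, password, blank line).
# The password comes from stdin, so it never appears in argv or history.
write_login_info() {
    local f=$1 host=$2 user=$3 pass
    IFS= read -r pass || [ -n "$pass" ] || return 1
    ( umask 077; printf 'connect %s\n%s\n%s\n\n' "$host" "$user" "$pass" > "$f" ) || return 1
    chmod 600 -- "$f"
}

vpn_connect() {
    local f=${1:-$HOME/.login_info}
    login_info_is_private "$f" || { echo "refusing $f: not a private regular file" >&2; return 1; }
    if auto_accepts_cert_warning "$f"; then
        echo "refusing $f: it auto-accepts an untrusted server certificate" >&2
        return 1
    fi
    "$VPN_BIN" -s < "$f"
}

# Run only when called with a file argument: ./vpn-connect.sh ~/.login_info
if [ "$#" -gt 0 ]; then vpn_connect "$1"; fi
```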

Troubleshooting

The input (content of .login_info) may vary according to your settings. Use the VPN shell to determine your inputs.

Run
/opt/cisco/anyconnect/bin/vpn -s

Now you are in the command shell:
VPN>

Connect to your server:
VPN> connect your.vpn.server

Enter what is asked for; for me it was the following:
Username: [xxxxx] xxxxx
Password: xxxxxx

Exit from VPN shell:
VPN> exit (or return)

Remember what you typed and save it in the .login_info file.

Disconnect

With this approach, the icon will not show in the taskbar; to disconnect, run vpn disconnect on the command line.
If you want to show the icon in the taskbar, add the line below to the script:

/opt/cisco/anyconnect/bin/vpnui &
@vatdnv

vatdnv commented Dec 31, 2021

This is awesome. Thank you 😀

@JustinFeistner

FYI - If you have the cisco anyconnect UI open while you're toying with this, you'll see a message looking like:

"Connect not available. Another AnyConnect application is running or this functionality was not requested by this application."

Don't forget to close the UI completely.

@b4d

b4d commented Jan 11, 2022

Any workaround for this:

    - Certificate does not match the server name.
    - Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

@ha10id

ha10id commented Mar 9, 2022

Any workaround for this:

    - Certificate does not match the server name.
    - Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

connect <your_vpn_url>
y
<your_vpn_group_name> (optional, depending on your vpn type)
<your_vpn_username>
<your_vpn_password>

@lsloan

lsloan commented May 13, 2022

This was really helpful and works well on macOS.

I'd noticed the -s option on my own, because of this helpful message from the CLI:

$ /opt/cisco/anyconnect/bin/vpn -h

    Usage: vpn [options] | [cmd] [host]

       options:
            -h         Print this usage statement.
            -v         Print version.
            -s         Read commands from response file to work non-interactively.
                       Example: vpn -s < response.txt

       commands: [connect|disconnect|hosts|state|stats]

But I wasn't getting the contents of response.txt (as they call it) correct.

@cholantesh

For those whose organizations are using MFA, you may need to add a few lines to the input file you are redirecting into vpncli. In my case, triggering the verification and accepting the agreement required adding PUSH and Yes (maybe Y would be sufficient) under the password line. Next I want to work on automating this at login, and of course if you have password rotation you will need to update your password in the configuration file after performing the rotation.

@sergeev-vn

Can you please tell me if this script can be configured for two-factor authentication? When this additional check wasn't launched, everything worked fine 😢

@cholantesh

@sergeev-vn check out my reply above. If your organization supports push notifications through an SSO partner like Okta or o365, it should work.

@sergeev-vn

sergeev-vn commented Feb 14, 2023

@sergeev-vn check out my reply above. If your organization supports push notifications through an SSO partner like Okta or o365, it should work.

Unfortunately this is not what I need. After entering the password, I must enter a unique SMS code that comes to my phone. So I need to make a wait for this code to be entered so that I can enter it.

@sergeev-vn

In the end, I got what I wanted.
On Ubuntu my script is like this:

#!/usr/bin/expect
spawn sudo /opt/cisco/anyconnect/bin/vpnagentd
expect ": "
send "HERE_SUDO_PASSWORD\r"
expect "$ "
spawn /opt/cisco/anyconnect/bin/vpn -s HERE_HOST
expect "*]*"
send -- "HERE_LOGIN\r"
expect "Password: "
send -- "HERE_PASSWORD\r"
expect "Answer: "
interact ++ return

At startup:
/usr/bin/gnome-terminal -- /PATH_TO_SCRIPT.sh

So, when my computer turns on, a terminal will appear where I just have to enter my unique SMS code.

@felicson

felicson commented Dec 27, 2023
