How do you get a Cisco VPN connection to remember its password?
The Problem
I've got a Cisco IPSEC VPN connection in my network settings on a Yosemite machine. It works fine, aside from prompting for a password on every single connection. The saved password is ignored entirely.
Background
If I enter the password under the network settings and click connect, the saved password vanishes, and the dialog prompting for a password appears. I've verified that the password is correct (it's copy-pasted from a document).
Things that didn't work
A suggested solution to this for Snow Leopard was to save the password, open Keychain Access, locate the "Xauth" key in the system keychain, and grant
/usr/libexec/configd
access to the key. This had no effect.Usual permissions repair/disk check stuff
Weird stuff
If I watch keychain access while hitting the connect button, the saved password vanishes outright from the keychain right when the dialog appears.
Overall Question
How do I get the password correctly saved so I don't have to rekey it on every connection?
Solution 1:
I guess you are using anyconnect to connect to the Cisco VPN server. AnyConnect can also be used from Terminal. This works on macOS Sierra and AnyConnect 3.1.14018. Create a bash script with the following command:
/opt/cisco/anyconnect/bin/vpn connect your-vpn.server.here -s <.credentials
And put the login details in the file .credentials with the following three lines:
0
your-username
your-password
Don't forget to put reasonable permissions on the files.
Solution 2:
From reading your question I get the impression that you're doing everything correctly and the Cisco VPN Server has the option to allow saving of passwords client-side set to disallow
.
I know for certain that such a setting exists.
Solution 3:
Both answers here as I write this have the right of it, but the existence of the vpn
command line means that we can get around this user-hostile design with expect
. Thanks go to the previous answerers, GhostLyrics for revealing the existence of the server side option that turns off password saving, and Hans for revealing the vpn
command line client.
Create a file that looks like this:
#!/usr/bin/expect --
set timeout 10
set addr "" # VPN Host
set user "" # Username
set pass "" # Password (ensure that special characters are escaped)
set group "" # Group NUMBER shown in connect prompt
spawn /opt/cisco/anyconnect/bin/vpn connect $addr
expect "\r\nGroup:*"
send -- "$group\r"
expect "\r\nUsername:*"
send -- "$user\r"
expect "Password: "
send -- "$pass\r"
expect eof
Fill out the set
fields as normal. If your VPN is like mine, you're given a list of "groups" when you run the vpn connect
. Run this once by hand, and note which number corresponds to the group you want to connect with. It won't change between runs unless the admins add/remove groups. You can't use the name here, the program expects a number.
Once everything is filled in, chmod +x
this script and run it. I am now able to connect to my VPN, hands free!
Solution 4:
Freewheeling off Hans' answer —thanks!— I wanted to streamline the invocation a bit, bypassing Terminal and ending up with the AnyConnect icon in the macOS Status Menu. (I'm on Mojave 10.14.6.)
First, launch Terminal, then change to the AnyConnect application binary's directory:
$ cd "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS"
Make a copy of the original binary:
$ sudo cp \
"Cisco AnyConnect Secure Mobility Client" \
"Cisco AnyConnect Secure Mobility Client.orig"
Finally, overwrite the initial file with a shell script, changing VPN host
to your VPN hostname or address and user
and pa$$w0rd
to your credentials:
$ sudo cat > "Cisco AnyConnect Secure Mobility Client" <<'SCRIPT'
#!/bin/sh
# The AnyConnect vpn utility takes some options and commands or else runs
# interactively.
# Its help command shows that -s reads a script from STDIN and that connect
# takes a host as argument.
# Further, the connect command takes the username and password from STDIN; we
# will supply them from a heredoc with the -s option.
/opt/cisco/anyconnect/bin/vpn -s \
connect "VPN host" <<'CREDENTIALS'
user
pa$$w0rd
CREDENTIALS
exec "$0.orig" # invoke the original app
SCRIPT
Now, you should be able to run AnyConnect from Spotlight or Finder just as usual. First our script will connect and then hand off execution to the app binary so AnyConnect will appear on the desktop Status Menu.