How do you get a Cisco VPN connection to remember its password?

macos keychain network password vpn

The Problem

I've got a Cisco IPSEC VPN connection in my network settings on a Yosemite machine. It works fine, aside from prompting for a password on every single connection. The saved password is ignored entirely.

Background

If I enter the password under the network settings and click connect, the saved password vanishes, and the dialog prompting for a password appears. I've verified that the password is correct (it's copy-pasted from a document).

Things that didn't work

  • A suggested solution to this for Snow Leopard was to save the password, open Keychain Access, locate the "Xauth" key in the system keychain, and grant /usr/libexec/configd access to the key. This had no effect.

  • Usual permissions repair/disk check stuff

Weird stuff

If I watch keychain access while hitting the connect button, the saved password vanishes outright from the keychain right when the dialog appears.

Overall Question

How do I get the password correctly saved so I don't have to rekey it on every connection?


Solution 1:

I guess you are using anyconnect to connect to the Cisco VPN server. AnyConnect can also be used from Terminal. This works on macOS Sierra and AnyConnect 3.1.14018. Create a bash script with the following command:

/opt/cisco/anyconnect/bin/vpn connect your-vpn.server.here -s <.credentials

And put the login details in the file .credentials with the following three lines:

0
your-username
your-password

Don't forget to put reasonable permissions on the files.

Solution 2:

From reading your question I get the impression that you're doing everything correctly and the Cisco VPN Server has the option to allow saving of passwords client-side set to disallow.

I know for certain that such a setting exists.

Solution 3:

Both answers here as I write this have the right of it, but the existence of the vpn command line means that we can get around this user-hostile design with expect. Thanks go to the previous answerers, GhostLyrics for revealing the existence of the server side option that turns off password saving, and Hans for revealing the vpn command line client.

Create a file that looks like this:

#!/usr/bin/expect --
set timeout 10
set addr ""  # VPN Host
set user ""  # Username
set pass ""  # Password (ensure that special characters are escaped)
set group "" # Group NUMBER shown in connect prompt


spawn /opt/cisco/anyconnect/bin/vpn connect $addr
expect "\r\nGroup:*"
send -- "$group\r"
expect "\r\nUsername:*"
send -- "$user\r"
expect "Password: "
send -- "$pass\r"
expect eof

Fill out the set fields as normal. If your VPN is like mine, you're given a list of "groups" when you run the vpn connect. Run this once by hand, and note which number corresponds to the group you want to connect with. It won't change between runs unless the admins add/remove groups. You can't use the name here, the program expects a number.

Once everything is filled in, chmod +x this script and run it. I am now able to connect to my VPN, hands free!

Solution 4:

Freewheeling off Hans' answer —thanks!— I wanted to streamline the invocation a bit, bypassing Terminal and ending up with the AnyConnect icon in the macOS Status Menu. (I'm on Mojave 10.14.6.)

First, launch Terminal, then change to the AnyConnect application binary's directory:

$ cd "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app/Contents/MacOS"

Make a copy of the original binary:

$ sudo cp \
"Cisco AnyConnect Secure Mobility Client" \
"Cisco AnyConnect Secure Mobility Client.orig"

Finally, overwrite the initial file with a shell script, changing VPN host to your VPN hostname or address and user and pa$$w0rd to your credentials:

$ sudo cat > "Cisco AnyConnect Secure Mobility Client" <<'SCRIPT'
#!/bin/sh

# The AnyConnect vpn utility takes some options and commands or else runs
# interactively.
# Its help command shows that -s reads a script from STDIN and that connect
# takes a host as argument.
# Further, the connect command takes the username and password from STDIN; we
# will supply them from a heredoc with the -s option.

/opt/cisco/anyconnect/bin/vpn -s \
connect "VPN host" <<'CREDENTIALS'
user
pa$$w0rd
CREDENTIALS

exec "$0.orig"  # invoke the original app
SCRIPT

Now, you should be able to run AnyConnect from Spotlight or Finder just as usual. First our script will connect and then hand off execution to the app binary so AnyConnect will appear on the desktop Status Menu.

Related

How to get cookies.txt for YouTube from Safari?
Show battery percentage on macOS lock screen?
Why do I get "double greater/less thans" instead of double quotes in Word?
Turn off MacBook Pro's display while connected to external monitor on Yosemite [duplicate]
How to access the Wi-Fi password through Terminal?
Turn off macbook screen when connected to a monitor [duplicate]
How to turn off an external display without disconnecting?
How to upgrade ssh on OS X 10.9 Mavericks without OS upgrade?
Monterey - create new user & group with IDs 1000
Does the action of private APIs of iOS need user's manual authentication?
What app is orange and has an “m” on it?
Mouse settings don't retain in Logitech options