Connect using anyconnect from command line

networking vpn cisco-vpn-client

I am trying to use Cisco anyconnect 3.1 from Linux command line to connect to a server. I can connect, but I have to submit one parameter at a time. I would like to connect from a script that will run in another server. Can I do that? Something like 

vpn connect server_add group_name user_name passwd

Assuming /opt/cisco/anyconnect/bin/vpnagentd is running as it automatically should be:

To connect:

printf 'USERNAME\nPASSWORD\ny' | /opt/cisco/anyconnect/bin/vpn -s connect HOST

Replace USERNAME, PASSWORD, and HOST. The \ny at the end is to accept the login banner - this is specific to my host.

Note the single quotes ' instead of double quotes " - this is because double quotes tell Bash to interpret certain characters within strings, such as exclamation marks, as Bash history commands. Double quotes will make this command fail with an "event not found" error if the password contains an exclamation mark. Single-quoted strings pass exclamation marks along without interpreting them.

To disconnect:

/opt/cisco/anyconnect/bin/vpn disconnect

This was tested with AnyConnect v3.1.05160.


I ran into the same difficulty try to use Cisco AnyConnect from Mac OS X Terminal. To get the Cisco vpn command to take its input from standard input, you have to specify the -s option, which puts the Cisco vpn command into interactive mode. Then you can provide the responses that you give in interactive mode.

The responses that you need to give depend upon how the VPN server administrator has configured the server. For me, the vpn interactive prompts are 

Group: 
Username: 
Password: 

Blah, blah, blah, ...
accept? :

So the command that I run is 

$ /opt/cisco/anyconnect/bin/vpn -s connect vpn.example.com <<"EOF"
0
username
password
y
exit
EOF

(The quotes around EOF are to prevent command/parameter expansion/substitution in the following input.)

The exit at the end is to exit the Cisco vpn interactive mode.


I like to simplify the command line, so I use the above approach in a shell script named gotowork. As above, I need to provide the group, my user name, and a passkey composed of a private PIN plus a RSA SecurID passcode. I don't have to answer the above "accept?" question. Everything but the RSA passcode is in the script, so the command line is

$ gotowork <RSA passcode>

I have to run it as root. Assume the PIN is 1234. The script essentials: 

# put the interactive answers into a text file
echo -e "0\nusername\n1234$1\n" > /tmp/answers.txt
# find the path to the anyconnect executables
ciscopath="$(dirname $(find /opt/cisco -depth -name vpnagentd))"
# make sure the anyconnect daemon is running
[ $(pidof vpnagentd) ] || $ciscopath/vpnagentd
# connect
$ciscopath/vpn -s < /tmp/answers.txt connect remote.mycompany.com

Using anyconnect 3.1.05170. Tested on Debian 6, LinuxMint 17


This is what worked for me on OSX El Capitan. Placeholders are surrounded by [square braces].

To Enable

/opt/cisco/anyconnect/bin/vpn -s connect [HOST_ADDRESS] <<"EOF"
[VPN_USERNAME]
[VPN_PASSWORD] 
y
EOF

To Disable

/opt/cisco/anyconnect/bin/vpn disconnect

*I know this is similar to Peter S.'s answer above.

Related

How to clean up output of linux 'script' command
List of Hidden / Virtual Windows User Accounts
How to use wget to download HTTP error pages?
Make vimdiff show entire file
CMD: *.* or just *?
Generating usage logs that prove my Internet connection is flaky
Notepad++ inserting special Unicode characters in UTF-8
How do I copy command output in vim?
Firefox "Untrusted Connection" warnings when visiting reputable HTTPS sites when using child's account
Intellij / Android Studio Split Screen
Copy colored output from Mac OS X terminal
Gnu screen: kill a frozen tab