I'm having a bit of difficulty with Cisco AnyConnect v3.1 in regards to automatic login. I have to stay connected to a single server all day every day, and it would be super if I didn't have to dig up my 16 char password each and every day. I'd love for the client to log on automatically, but I'm not even sure at this point that it's a possibility.

I should note that the AnyConnect software is provided to me by our hosting company, and neither I nor anyone at my organization has access to the management side of things. I did see that there is such a piece of software on the interwebs called the "AnyConnect Profile Editor," but Cisco wouldn't let me download without a valid login.

I've been into %appdata%\local\cisco\cisco anyconnect secure mobility client\preferences.xml to review my preferences as well as %programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ANYCONNECT.XML to review my profile settings. Neither of these showed anywhere that I would be able to store my credentials. I even broke my profile a few times by trying to shoe-horn my password in places. That didn't work, go figure.

Lastly, I found this forum post which seemed to specify client and server certificate "thumbprints" as well as something called an SDI token.

Disclaimer: I'm a front-end web developer by day and it's been quite a long time since I've had to do any network management for myself, sorry for the noob question!


I use something along these lines:

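rem Build the vpncli answer file: connect command, group choice, user name, password
set "FILE=%TEMP%\tmp"
echo connect your.host.name> "%FILE%"
(echo 0)>> "%FILE%"
echo yourUserName>> "%FILE%"
echo yourPassWord>> "%FILE%"
"C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s < "%FILE%"
rem The file holds the password in plain text, so delete it once vpncli has read it
del "%FILE%"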

(Update: Why the parentheses around echo 0? This should remind you, when making a different choice than 0, that 1> or 2> have a special meaning, redirecting stdout or stderr, respectively - but not echoing 1 or 2. So we stay on the safe side with (echo 0).)

This is a little more concise:

(echo connect your.host.name& echo 0& echo yourUserName& echo yourPassWord& echo.) > "%FILE%"
more "%FILE%" | "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s
rem Delete the plain-text answer file afterwards
del "%FILE%"

However, if you want to achieve the same thing without a temporary file, this does not work for me - I would be interested, why:

(echo connect your.host.name& echo 0& echo yourUserName& echo yourPassWord) | "%ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s

Update: This works, found via https://stackoverflow.com/a/29747723/880783:

(echo connect your.host.name^& echo 0^& echo yourUserName^&echo yourPassWord^&rem.) | "%ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s

All these variants depend of course on your server's configuration (especially the VPN group you have to choose). To find out what you need to input, call vpncli.exe without any parameters once, start with connect your.host.name, and then note what you are prompted for.

Update: This has the added advantage of offering complete freedom with regard to server, username and password, and does not rely on any sleep values (which is always difficult if your system tends to be busy with something else).
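
Added example (not part of the answer above and not Cisco's own tooling): the same `vpncli.exe -s` stdin technique in PowerShell, with the password kept DPAPI-protected through `Export-Clixml` instead of sitting in plain text in a batch file or temp file. The host name, group choice `0` and prompt order are the placeholders from the answer; the file name `vpn-cred.xml` and the function names are hypothetical.

```powershell
# Assumptions: prompt order (group, user name, password) as in the answer above;
# adjust $Group and the answer list to what your server actually asks for.
$VpnHost  = 'your.host.name'
$Group    = '0'
$CredFile = Join-Path $env:LOCALAPPDATA 'vpn-cred.xml'   # hypothetical file name
$VpnCli   = Join-Path ${env:ProgramFiles(x86)} 'Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'

function Save-VpnCredential {
    # Prompts once. On Windows, Export-Clixml encrypts the SecureString with DPAPI,
    # so the file can only be decrypted by the same user on the same machine.
    Get-Credential -Message "VPN login for $VpnHost" | Export-Clixml -Path $CredFile
}

function Get-VpnAnswers {
    param([Parameter(Mandatory)][pscredential]$Credential)
    # Same line order the batch variants write: connect, group, user, password.
    $plain = $Credential.GetNetworkCredential()
    @("connect $VpnHost", $Group, $plain.UserName, $plain.Password)
}

function Connect-Vpn {
    if (-not (Test-Path $VpnCli))   { throw "vpncli.exe not found at $VpnCli" }
    if (-not (Test-Path $CredFile)) { Save-VpnCredential }
    try {
        $cred = Import-Clixml -Path $CredFile -ErrorAction Stop
    } catch {
        # Typical cause: file copied from another account or machine, so DPAPI
        # cannot decrypt it. Drop it and ask again on the next run.
        Remove-Item $CredFile -ErrorAction SilentlyContinue
        throw "Stored credential is unreadable; run the script again to re-enter it."
    }
    # Each string is sent as one line on vpncli's stdin: no temp file on disk
    # and no password on any command line.
    Get-VpnAnswers -Credential $cred | & $VpnCli -s
}

Connect-Vpn
```

The password is still decrypted in memory for the moment it is piped to `vpncli.exe`, and anything running as the same Windows user can decrypt the stored file, so this protects against other accounts and copied files, not against code running in your own session.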


Here is my script to launch Cisco AnyConnect Mobility Client v3.1 and log in automatically. Save this script as FILENAME.vbs, replace PASSWORD with your password, replace the path to the VPN Client exe if needed (probably not), and you may also need to adjust the 2nd sleep time as well depending on your connection speed (mine works reliably at 5000 but yours may need less/more time to dial home). I have mine pinned to my task bar but you can hotkey it as well.

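Set WshShell = WScript.CreateObject("WScript.Shell")

' Start the AnyConnect GUI
WshShell.Run """%PROGRAMFILES(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe"""

' Give the window time to open, then bring it to the foreground
WScript.Sleep 3000

WshShell.AppActivate "Cisco AnyConnect Secure Mobility Client"

' Move focus with two tabs and press Enter to start the connection
WshShell.SendKeys "{TAB}"
WshShell.SendKeys "{TAB}"
WshShell.SendKeys "{ENTER}"

' Wait for the password prompt; adjust to your connection speed
WScript.Sleep 5000

' Type the password into whichever window has focus and submit it
WshShell.SendKeys "PASSWORD"
WshShell.SendKeys "{ENTER}"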

I'm answering my own question with this "meh" answer - it's not what I was after, and I'll gladly accept another answer that can better answer my original question.

Since I didn't have any luck with automatic logins, the next best thing I could think of was to have my ridiculously long password automatically copied to my clipboard. In Windows, I created a .bat file with this in the body:

echo|set /p=MyPassword|clip

Where "MyPassword" is your actual password.

When double-clicked, this file will copy your password into your clipboard for a quick login. Better than nothing!