auto login with cisco anyconnect (password saved, silent mode)

cisco-anyconnect-auto-login.md

Cisco AnyConnect: auto login in silent mode

This gist is for Linux. For windows is the same thing.

Connect

create a file .login_info as below:

connect your.server.url    
usernanme  
password
    (blank line)  

create a script as below

/opt/cisco/anyconnect/bin/vpn -s < .login_info   

Trouble shooting

The input (content of .login_info) may vary according to your settings. Try VPN shell to determine your inputs.

Run
/opt/cisco/anyconnect/bin/vpn -s

Now you are in command shell:
VPN>

Connect your server:
VPN> connect your.vpn.server

Input what asked, for me it's below:
Username: [xxxxx] xxxxx
Password: xxxxxx

Exit from VPN shell:
VPN> exit (or return)

Remember what you typed, and save them into the .login_info file.

Disconnect

With this approach, the icon will not show in the taskbar, you need run command line vpn disconnect to disconnect.
If you want to show the icon in the taskbar, add below line in the script:

/opt/cisco/anyconnect/bin/vpnui &

Any workaround for this:

    - Certificate does not match the server name.
    - Certificate is from an untrusted source.
Connecting to this server may result in a severe security compromise!

Most users do not connect to untrusted servers unless the reason for the error condition is known.

Connect Anyway? [y/n]: y

connect <your_vpn_url>
y
<your_vpn_group_name> (optional, depending on your vpn type)
<your_vpn_username>
<your_vpn_password>

This was really helpful and works well on macOS.

I'd noticed the -s option on my own, because of this helpful message from the CLI:

$ /opt/cisco/anyconnect/bin/vpn -h

    Usage: vpn [options] | [cmd] [host]

       options:
            -h         Print this usage statement.
            -v         Print version.
            -s         Read commands from response file to work non-interactively.
                       Example: vpn -s < response.txt

       commands: [connect|disconnect|hosts|state|stats]

But I wasn't getting the contents of response.txt (as they call it) correct.

For those whose organizations are using MFA, you may need to add a few lines to the input file you are redirecting into vpncli. In my case, triggering the verification and accepting the agreement required adding PUSH and Yes (maybe Y would be sufficient) under the password line. Next I want to work on automating this at login, and of course if you have password rotation you will need to update your password in the configuration file after performing the rotation.

Can you please tell me if this script can be configured for two-factor authentication? When this additional check wasn't launched, everything worked fine 😢

@sergeev-vn check out my reply above. Kf your organization supports push notifications through a SSO partner like okra or o365, it should work.

@sergeev-vn check out my reply above. Kf your organization supports push notifications through a SSO partner like okra or o365, it should work.

Unfortunately this is not what I need. After entering the password, I must enter a unique SMS code that comes to my phone. So I need to make a wait for this code to be entered so that I can enter it.

In the end, I got what I wanted.
On Ubuntu my script is like this:

#!/usr/bin/expect
spawn sudo /opt/cisco/anyconnect/bin/vpnagentd
expect ": "
send "HERE_SUDO_PASSWORD\r"
expect "$ "
spawn /opt/cisco/anyconnect/bin/vpn -s HERE_HOST
expect "*]*"
send -- "HERE_LOGIN\r"
expect "Password: "
send -- "HERE_PASSWORD\r"
expect "Answer: "
interact ++ return

At startup:
/usr/bin/gnome-terminal -- /PATH_TO_SCRIPT.sh

So, when my computer turns on, a terminal will appear where I just have to enter my unique SMS code.

Piece of code, for OTP autologin on golang