13

I'm having a bit of difficulty with Cisco AnyConnect v3.1 in regards to automatic login. I have to stay connected to a single server all day every day, and it would be super if I didn't have to dig up my 16 char password each and every day. I'd love for the client to log on automatically, but I'm not even sure at this point that it's a possibility.

I should note that the AnyConnect software is provided to me by our hosting company, and neither I nor anyone at my organization has access to the management side of things. I did see that there is such a piece of software on the interwebs called the "AnyConnect Profile Editor," but Cisco wouldn't let me download without a valid login.

I've been into %appdata%\local\cisco\cisco anyconnect secure mobility client\preferences.xml to review my preferences as well as %programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ANYCONNECT.XML to review my profile settings. Neither of these showed anywhere that I would be able to store my credentials. I even broke my profile a few times by trying to shoe-horn my password in places. That didn't work, go figure.

Lastly, I found this forum post which seemed to specify client and server certificate "thumbprints" as well as something called an SDI token.

Disclaimer: I'm a front-end web developer by day and it's been quite a long time since I've had to do any network management for myself, sorry for the noob question!

2
  • 1
    This is usually policy that is set and controlled by the folks who manage the AnyConnect access. As you've stated you don't have access to that portion of the configuration, I doubt there is much we could do to help you. And this is likely off topic as an "end-user" question. Commented Nov 29, 2013 at 17:22
  • Reasonable question with good detail... let's migrate to Super User Commented Nov 29, 2013 at 18:39

3 Answers

5

I use something along these lines:

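rem Build the input for vpncli.exe: host, VPN group index, username, password
set "FILE=%TEMP%\tmp"
echo connect your.host.name> "%FILE%"
(echo 0)>> "%FILE%"
echo yourUserName>> "%FILE%"
echo yourPassWord>> "%FILE%"
"C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s < "%FILE%"
rem Delete the temporary file so the password does not stay on disk
del "%FILE%"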

(Update: Why the parentheses around echo 0? This should remind you, when making a different choice than 0, that 1> or 2> have a special meaning, redirecting stdout or stderr, respectively - but not echoing 1 or 2. So we stay on the safe side with (echo 0).)

This is a little more concise:

(echo connect your.host.name& echo 0& echo yourUserName& echo yourPassWord& echo.) > "%FILE%"
more "%FILE%" | "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s
del "%FILE%"

However, if you want to achieve the same thing without a temporary file, this does not work for me - I would be interested to know why:

(echo connect your.host.name& echo 0& echo yourUserName& echo yourPassWord) | "%ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s

Update: This works, found via https://stackoverflow.com/a/29747723/880783:

(echo connect your.host.name^& echo 0^& echo yourUserName^&echo yourPassWord^&rem.) | "%ProgramFiles(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe" -s

All these variants depend of course on your server's configuration (especially the VPN group you have to choose). To find out what you need to input, call vpncli.exe without any parameters once, start with connect your.host.name, and then note what you are prompted for.

Update: This has the added advantage of offering complete freedom with regard to server, username and password, and does not rely on any sleep values (which is always difficult if your system tends to be busy with something else).

2
  • 3
    The -s switch is not available in version 3.1 of the client. Do you have version 4.1 ? Is that version publicly available somewhere ? I don't have a valid license to download it from the Cisco website.
    – SzilardD
    Commented Jul 21, 2015 at 8:52
  • 1
    Yes, I used version 4+. However, I do not know of any legal public source (probably due to export restrictions).
    – bers
    Commented Mar 22, 2017 at 12:58
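
An added example, not part of the answer above and not Cisco's own tooling: the same vpncli.exe -s input sequence driven from PowerShell, with the password kept DPAPI-encrypted through Export-Clixml instead of in the script or in a temp file. The credential file path, the install path and the prompt order (host, group 0, username, password, as in the answer) are assumptions; the saved file can only be decrypted by the same Windows user on the same machine.

```powershell
# Added example (not the answer author's code).
# Assumptions: prompt order as in the answer, install path, credential file location.
param(
    [string]$VpnHost  = 'your.host.name',   # placeholder, as in the answer
    [string]$Group    = '0',                # VPN group index the server prompts for
    [string]$CredFile = (Join-Path $env:LOCALAPPDATA 'anyconnect-cred.xml'),  # hypothetical path
    [string]$VpnCli   = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'
)

if (-not (Test-Path -LiteralPath $VpnCli)) {
    throw "vpncli.exe not found at '$VpnCli'"
}

# First run only: prompt for the credential and save it.
# Export-Clixml stores the SecureString encrypted with DPAPI (current user, this machine).
if (-not (Test-Path -LiteralPath $CredFile)) {
    Get-Credential -Message "VPN login for $VpnHost" |
        Export-Clixml -Path $CredFile
}

$cred = Import-Clixml -Path $CredFile
if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "'$CredFile' does not contain a saved credential"
}

# Same lines the batch file wrote to %TEMP%\tmp, but built in memory only.
$answers = @(
    "connect $VpnHost"
    $Group
    $cred.UserName
    $cred.GetNetworkCredential().Password   # decrypted just before use
)

# Each array element reaches vpncli.exe on stdin as one line.
$answers | & $VpnCli -s

# Drop the plaintext copy held by this script.
Remove-Variable -Name answers
```

After a password change, delete the credential file and run the script again to be prompted once more.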
19

Here is my script to launch Cisco AnyConnect Mobility Client v3.1 and log in automatically. Save this script as FILENAME.vbs, replace PASSWORD with your password, replace the path to the VPN Client exe if needed (probably not), and you may also need to adjust the 2nd sleep time as well depending on your connection speed (mine works reliably at 5000 but yours may need less/more time to dial home). I have mine pinned to my task bar but you can hotkey it as well.

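' Launch the AnyConnect GUI
Set WshShell = WScript.CreateObject("WScript.Shell")

WshShell.Run """%PROGRAMFILES(x86)%\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe"""

' Wait for the window to open
WScript.Sleep 3000

' Stop if the AnyConnect window could not be focused, so no keystrokes go to another window
If Not WshShell.AppActivate("Cisco AnyConnect Secure Mobility Client") Then WScript.Quit 1

' Start the connection: two TABs, then ENTER
WshShell.SendKeys "{TAB}"
WshShell.SendKeys "{TAB}"
WshShell.SendKeys "{ENTER}"

' Wait for the password prompt (adjust to your connection speed)
WScript.Sleep 5000

' Type the password; wrap SendKeys special characters such as + ^ % ~ ( ) in braces, e.g. {+}
WshShell.SendKeys "PASSWORD"
WshShell.SendKeys "{ENTER}"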
2
  • 1
    Quite a nice solution! I have put some additional TABs, ENTERs and sleeps for my specific case and it worked perfectly. For my machine and internet connection (300Mbit down and up) I reduced all sleep times to just half a second (500 milliseconds) and now I get a VPN connection super fast! Thank you! Commented Jun 20, 2015 at 16:02
  • 2
    Note: if your password contains the characters %!(^~+ , you need to put { and } around them.
    – jeroenk
    Commented Oct 27, 2015 at 11:03
3

I'm answering my own question with this "meh" answer - it's not what I was after, and I'll gladly accept another answer that can better answer my original question.

Since I didn't have any luck with automatic logins, the next best thing I could think of was to have my ridiculously long password automatically copied to my clipboard. In Windows, I created a .bat file with this in the body:

echo|set /p=MyPassword|clip

Where "MyPassword" is your actual password.

When double-clicked, this file will copy your password into your clipboard for a quick login. Better than nothing!

6
  • If you're willing to do some light automation legwork, use autoit to start the VPN app and then copy the password into the password field Commented Dec 8, 2013 at 16:14
  • 2
    Please, what is the advantage of echo|set /p=MyPassword|clip compared to just echo MyPassword|clip?
    – bers
    Commented Jan 27, 2015 at 18:49
  • 3
    @bers If you use just echo your_pass| clip it will also put/append the new line character at the end of your_pass. Just try it yourself and when you paste it in some editor you'll notice that the cursor is on the next line (if you have an editor that can show new line characters, like Notepad++ or SciTE, use it and you will see CRLF on Windows at the end of your_pass). But MikeZ's current solution works perfectly (as a way of copying a password to the clipboard). Commented Jun 20, 2015 at 15:40
  • 1
    @informatik01 Thanks for the explanation!
    – bers
    Commented Jun 20, 2015 at 20:26
  • 2
    (1) @informatik01’s excellent explanation doesn’t fully address the need for the echo| at the beginning of the command line.  The reason is that set /p is the command to read a value (a line) from the standard input.  Without echo|, the set /p=MyPassword|clip command would silently sit and read a line from the terminal.  (2) I hate to see a | without spaces before and after.  But beware that echo | set /p=MyPassword | clip will write MyPassword  (with a trailing space) to the clipboard.  You can prevent that by adding quotes: echo | set /p="MyPassword" | clip. Commented Sep 11, 2018 at 4:53
