Connect using anyconnect from command line

33

17

I am trying to use Cisco anyconnect 3.1 from the Linux command line to connect to a server. I can connect, but I have to submit one parameter at a time. I would like to connect from a script that will run on another server. Can I do that? Something like

vpn connect server_add group_name user_name passwd

Kelly Goedert

Posted 2013-09-24T11:35:48.713

Reputation: 431

Answers

34

Assuming /opt/cisco/anyconnect/bin/vpnagentd is running as it automatically should be:

To connect:

printf 'USERNAME\nPASSWORD\ny' | /opt/cisco/anyconnect/bin/vpn -s connect HOST

Replace USERNAME, PASSWORD, and HOST. The \ny at the end is to accept the login banner - this is specific to my host.

Note the single quotes ' instead of double quotes " - this is because double quotes tell Bash to interpret certain characters within strings, such as exclamation marks, as Bash history commands. Double quotes will make this command fail with an "event not found" error if the password contains an exclamation mark. Single-quoted strings pass exclamation marks along without interpreting them.

To disconnect:

/opt/cisco/anyconnect/bin/vpn disconnect

This was tested with AnyConnect v3.1.05160.

Acumenus

Posted 2013-09-24T11:35:48.713

Reputation: 902

5

In case your client does not connect due to the certificate validation error "Certificate is from an untrusted source", and you still want to connect, then pass a y parameter in the above method so that the command to connect becomes: printf "y\nUSERNAME\nPASSWORD\ny" | /opt/cisco/anyconnect/bin/vpn -s connect HOST. Note that you should do this only in the case that you absolutely trust your connection; otherwise there might be a middleman sitting in and snooping on you. – shivams – 2015-04-22T11:38:30.047

1

Works beautifully (though my version needs a GROUPNAME\nUSERNAME\nPASSWORDy). If you want to keep your password separate from the command (which may be a shell script or a dotfile key binding), you can do this: cat ~/.anyconnect_credentials | /opt/cisco/anyconnect/bin/vpn -s connect HOST – Sridhar Sarnobat – 2019-11-04T18:08:15.710

@SridharSarnobat Using a separate file for the credentials works, but it prints out your password in the log like: >> notice: Please respond to banner. MYPASSWORD – Willian Vieira – 2019-11-19T20:05:03.430

6

I ran into the same difficulty trying to use Cisco AnyConnect from the Mac OS X Terminal. To get the Cisco vpn command to take its input from standard input, you have to specify the -s option, which puts the Cisco vpn command into interactive mode. Then you can provide the responses that you give in interactive mode.

The responses that you need to give depend upon how the VPN server administrator has configured the server. For me, the vpn interactive prompts are

Group: 
Username: 
Password: 

Blah, blah, blah, ...
accept? :

So the command that I run is

$ /opt/cisco/anyconnect/bin/vpn -s connect vpn.example.com <<"EOF"
0
username
password
y
exit
EOF

(The quotes around EOF are to prevent command/parameter expansion/substitution in the following input.)

The exit at the end is to exit the Cisco vpn interactive mode.

Peter Schoenrank

Posted 2013-09-24T11:35:48.713

Reputation: 61

2

This is what worked for me on OSX El Capitan. Placeholders are surrounded by [square braces].

To Enable

/opt/cisco/anyconnect/bin/vpn -s connect [HOST_ADDRESS] <<"EOF"
[VPN_USERNAME]
[VPN_PASSWORD]
y
EOF

To Disable

/opt/cisco/anyconnect/bin/vpn disconnect

*I know this is similar to Peter S.'s answer above.

adampasz

Posted 2013-09-24T11:35:48.713

Reputation: 121

1

This worked for me in one command for El Capitan: printf "y\n[GROUP]\n\n[PASSWORD]\ny\n" | /opt/cisco/anyconnect/bin/vpn -s connect HOST – Rabea – 2016-11-23T00:07:02.853

2

I like to simplify the command line, so I use the above approach in a shell script named gotowork. As above, I need to provide the group, my user name, and a passkey composed of a private PIN plus an RSA SecurID passcode. I don't have to answer the above "accept?" question. Everything but the RSA passcode is in the script, so the command line is

$ gotowork <RSA passcode>

I have to run it as root. Assume the PIN is 1234. The script essentials:

# put the interactive answers into a file only root can read (it holds the PIN + passcode);
# the trailing blank line matches the original answer sequence
umask 077
printf '0\nusername\n1234%s\n\n' "$1" > /tmp/answers.txt
# find the path to the anyconnect executables
ciscopath="$(dirname "$(find /opt/cisco -depth -name vpnagentd)")"
# make sure the anyconnect daemon is running (pidof may print several PIDs, so test its exit status)
pidof vpnagentd >/dev/null || "$ciscopath/vpnagentd"
# connect, feeding the answers on standard input
"$ciscopath/vpn" -s connect remote.mycompany.com < /tmp/answers.txt
# do not leave the passcode lying around afterwards
rm -f /tmp/answers.txt

Using anyconnect 3.1.05170. Tested on Debian 6 and LinuxMint 17.

PetieRay

Posted 2013-09-24T11:35:48.713

Reputation: 21

Why is 0\n necessary? Or is it specific to your company? – Acumenus – 2014-11-09T05:10:29.870

@A-B-B That's just saying: output a zero (0), followed by a newline (\n), followed by username, followed by a newline (\n), etc. – Matt Friedman – 2015-01-22T21:39:54.140

@MattFriedman, I know what it's saying, but I don't know why it's necessary at all. – Acumenus – 2015-01-22T23:02:28.413

1

@A-B-B When running interactively and your connection uses groups, the possible groups will be enumerated. 0 then means "use the first group". – jmd_dk – 2018-03-06T05:24:08.247
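A wrapper that ties the answers and comments above together, added here as an example and not code from any of the posters or from Cisco: it reads the group index, username and password from a credentials file that must be mode 600 (the separate-file idea from the comments on the first answer, without the world-readable /tmp/answers.txt of the gotowork script), keeps the password out of argv, and answers "y" only to the login banner, so an untrusted-certificate prompt is never pre-accepted. The three-line file layout and the VPN_BIN override are assumptions.

```shell
#!/bin/sh
# Added example; the credentials-file layout (group index, username, password,
# one per line) and the VPN_BIN override are assumptions, not AnyConnect's.
VPN_BIN="${VPN_BIN:-/opt/cisco/anyconnect/bin/vpn}"

# Succeed only for a regular file with mode 600 or 400: the password it
# holds must not be readable by group or others.
check_cred_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat (Linux) and BSD stat (macOS) take different format options.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the answer sequence the interactive (-s) prompt expects: group,
# username, password, then "y" for the login banner. No leading "y" is
# emitted, so a certificate warning is left for the operator to see.
build_answers() {
    f="$1"
    { IFS= read -r group; IFS= read -r user; IFS= read -r pass; } < "$f"
    [ -n "$group" ] && [ -n "$user" ] && [ -n "$pass" ] || return 1
    printf '%s\n%s\n%s\ny\n' "$group" "$user" "$pass"
}

# Usage: vpn_connect /path/to/credentials vpn.example.com
vpn_connect() {
    cred="$1"; host="$2"
    if ! check_cred_perms "$cred"; then
        echo "refusing to use $cred: it must be a regular file with mode 600" >&2
        return 2
    fi
    build_answers "$cred" | "$VPN_BIN" -s connect "$host"
}
```

Because the answers travel on standard input, the password still reaches the vpn client's own log when it echoes banner responses (as noted in the comments); the wrapper only keeps it out of the process list and shell history.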