November 24, 2014

How to script a login for a Cisco VPN Client


As a general rule, most IT professionals love automation: anything that takes a process of click here, type that, now click here, and here, and here, and here... and packages it up into a nice little script or executable that does everything for you. I recently had a request that required someone to manually remote to a server each day and start a VPN connection to a client network. Ideally, the connection would just stay connected and you would only have to worry about re-establishing it periodically. This connection dies every night, and in a case of he-said-she-said, neither party can apparently discover why it keeps failing. The problem is that there is a period of 30 to 45 minutes before the connection can be re-established. To avoid having to wait to manually reconnect the VPN session, they needed a way to automate the process. So for those who have similar needs, enjoy!

This works with the older Cisco VPN Client 5.0.05.0290. It will probably work with earlier versions of the client as well. For those using Cisco AnyConnect, there is a command line option for that program as well, using the vpncli.exe executable.

To establish a connection: (replace the values in angle brackets with appropriate values for your needs)

In a batch file add the following ->

"%programfiles%\Cisco Systems\VPN Client\vpnclient.exe" connect <profile name> user <username> pwd <password>

To disconnect a session:

In a batch file add the following ->

"%programfiles%\Cisco Systems\VPN Client\vpnclient.exe" disconnect

Quick and easy! This script is great if you have a system that checks for connectivity: you can have it run the connection script automatically to recover from a lost session. You could also schedule a task to start a VPN session at the beginning of the day and another task to shut down the connection at night. Here are the full options for the vpnclient.exe executable:
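A PowerShell version of the connectivity-check-and-reconnect idea above, added here as an example and not part of the original post: it probes a host behind the tunnel once a minute and re-runs the connect only when the probe fails. The profile name and probe address are placeholders, the install path follows the post, and the success exit code 200 is the one quoted in the comment thread below.

```powershell
# Added example, not from the original post: keep a Cisco VPN Client session up from a
# scheduled task by probing an internal host and reconnecting only when it is unreachable.
# Assumptions: vpnclient.exe is at the path the post gives; $ProfileName and $ProbeHost are
# placeholders; the success exit code 200 is the one quoted in the post's comments.
$VpnClient   = "$env:ProgramFiles\Cisco Systems\VPN Client\vpnclient.exe"
$ProfileName = 'CLIENT_PROFILE_NAME'      # placeholder: name of the saved connection profile
$ProbeHost   = '10.0.0.10'                # constructed: a host only reachable over the tunnel
$CredFile    = "$env:LOCALAPPDATA\vpn-cred.xml"

# One-time interactive setup: Export-Clixml stores the PSCredential with its password
# DPAPI-protected for this user on this machine, so the script file holds no plaintext secret.
if (-not (Test-Path $CredFile)) {
    Get-Credential -Message 'VPN credential' | Export-Clixml -Path $CredFile
}
$Cred = Import-Clixml -Path $CredFile

function Test-Tunnel {
    # The tunnel counts as up when the probe host answers a single ping.
    return (Test-Connection -ComputerName $ProbeHost -Count 1 -Quiet)
}

function Connect-Vpn {
    # Close the GUI first so disconnect/connect raise no dialogs (per the comments), give it
    # a moment to exit, then clear any half-dead session before reconnecting.
    Stop-Process -Name vpngui -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds 2
    & $VpnClient disconnect | Out-Null
    # vpnclient.exe only accepts the password as an argument, so it is visible in the
    # process command line for the duration of the connect call.
    $plain = $Cred.GetNetworkCredential().Password
    & $VpnClient connect $ProfileName user $Cred.UserName pwd $plain | Out-Null
    return $LASTEXITCODE
}

# Main loop: probe once a minute; a reconnect is attempted only when the tunnel is down.
while ($true) {
    if (-not (Test-Tunnel)) {
        $stamp = Get-Date -Format s
        $code  = Connect-Vpn
        if ($code -eq 200) {
            Write-Output "$stamp reconnected profile '$ProfileName' as $($Cred.UserName)"
        } else {
            Write-Output "$stamp reconnect failed, vpnclient.exe exit code $code"
        }
    }
    Start-Sleep -Seconds 60
}
```

Run the script once interactively to create the credential file, then register it as a scheduled task for the same user account, since DPAPI ties the stored secret to that user and machine.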

Comments

  1. Hi,
    Thanks for the post, that is good information. Would you have a suggestion on how to run a Windows login script after the VPN has connected? Is there a way to automate this from the Cisco ASA or Windows?

  2. Josh Johnson says:

    Thanks for your comments Moshe, and sorry for the late response. To try and answer a few of your questions, I am going to make the assumption that your Windows computer is part of an Active Directory network and the script you want to run will be coming from a domain controller.

    If you want to run a login script after the VPN has connected, you could simply add a reference to the login script on the domain controller immediately after the vpnclient connect command in the batch file. For example:

    VPNConnect.bat
    "%programfiles%\Cisco Systems\VPN Client\vpnclient.exe" connect [profile name] user [username] pwd [password]

    \\[dcserver]\sysvol\[domain]\scripts\[scriptname]

    In this scenario, your batch file will attempt to make a VPN connection and then immediately attempt to run the login script. If the connection fails, however, the login script will attempt to run. This may or may not cause issues in your situation, but it is the quickest way to implement and/or test. An alternative would be to add errorlevel handling to the script, such as this:

    VPNConnect.bat
    "%programfiles%\Cisco Systems\VPN Client\vpnclient.exe" connect [profile name] user [username] pwd [password]
    IF %ERRORLEVEL% NEQ 200 goto failed
    echo VPN Successfully Connected
    \\[dcserver]\sysvol\[domain]\scripts\[scriptname]
    goto end
    :failed
    echo Failed to connect with error = %ERRORLEVEL%
    :end

    Automating this directly from the ASA is unlikely since it lacks system access to the PC. However, if you want to automatically connect to the VPN upon boot and run this script, you can add the batch file to the registry.

    If you want to run the batch file when the computer starts, add the batch file to the following registry location:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

    If you want to run the batch file when a user logs into the computer, place the batch file in this location:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

    I hope this helps.

  3. Good article. Do you know if there is a way to do a ‘silent’ disconnect and prevent the VPN Client message box from appearing on disconnection?

    Warren

  4. Josh Johnson says:

    If you are getting the dialog box on disconnect, it is because the Cisco VPN GUI interface is loaded. To have a 'silent' disconnect you will need to ensure that the GUI is not loaded, by either manually closing the GUI interface or potentially scripting the close of the GUI. I would suggest the following to script closing the Cisco GUI interface in your disconnect bat file:

    taskkill /F /IM vpngui.exe

    This will force the task vpngui.exe (the Cisco GUI Interface) to be terminated. Thus when you call the vpnclient.exe disconnect command, a dialog will not appear on your screen.
    Note: you may have to incorporate a delay between the commands to allow the process to successfully end.

  5. Hi,

    Thanks for sharing, but I am unable to connect with the VPN. I am using the Cisco AnyConnect VPN client and can't go with username and pwd. I got a profile with Group SSL_URL, kindly guide me.

  6. Josh Johnson says:

    Are you having difficulty establishing the VPN tunnel using the Cisco AnyConnect client through the user interface, just through scripting, or both? Also, what type of Cisco device are you trying to establish the tunnel with?

  7. tale103108 says:

    I am having a similar issue as Josh. When entering ….

    DOS> vpnui.exe connect 1.2.3.4 user me pwd me

    the GUI comes up saying “No profile available. Please enter host to Connect to”
    and yet there in the Connect to field is 1.2.3.4

    I am using Cisco AnyConnect on Windows 7.

    Cheers!

  8. Josh Johnson says:

    Tale103108,

    Cisco AnyConnect is a little different than the standard Cisco VPN client that this post was written for. Profiles for the AnyConnect client are specified in XML files instead of having a nice GUI interface for building a profile like in the older Cisco VPN Clients. When running the command line utility you must have a named profile and not just the IP address of the host you wish to connect to. Cisco provides a template that you can modify to create a profile for the Cisco AnyConnect client, which is located at:

    \Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.tmpl

    Edit the file in notepad and save as a new file. Using a different editor could introduce additional line breaks causing the profile not to be read correctly by the client. Modify the name, address, and connection setting to match the host you are trying to connect to. Once you have created the profile, you should be able to issue the command:

    VPNUI.EXE CONNECT [profile name] USER [user] PWD [password]

    Here is a link to the AnyConnect profile sample from Cisco and you can also get some great info from the admin guide there as well.

    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/administrative/guide/adminapa.html

  9. Herbert says:

    Hi,

    Thank you for the information. I looked at the Cisco site but have not found the detail you provide.

    I do however have a question regarding providing the ‘group’.
    When I start VPNCLI without parameters and go through the command prompts I am asked to specify the group. Following the rest of the parameters the result is that the connection is established.

    However, in order to automate connection, using your provided info, it will not connect since the group info is not provided.

    Do you have an example that shows the usage of providing group information?

    Thanks in advance.

    Best regards,
    Herbert

  10. Finally, this is a correct PowerShell script, “Cisco AnyConnect Auto Login”, which I have created to automatically connect and log me in or auto-reconnect with Cisco AnyConnect Secure Mobility Client version 3.0.5080.
    It works quite nicely on Windows 7 and Windows 8.
    1. Create a file, for example c:\test\CiscoVPNAutoLogin.ps1
    2. Paste the code below into that file. Do not forget to change the CiscoVPNHost, Login and Password variables.
    3. Run the script. You can run it, for example, using the following command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\test\CiscoVPNAutoLogin.ps1"

    Script code is following:

    [CODE]
    #Source http://www.cze.cz
    #This script is tested with "Cisco AnyConnect Secure Mobility Client version 3.0.5080"
    #Please change the following variables

    #IP address or host name of the Cisco VPN
    [string]$CiscoVPNHost = "192.168.0.50"
    [string]$Login = "LOGIN"
    [string]$Password = "PASSWORD"

    #Please check that the files exist on the following paths
    [string]$vpncliAbsolutePath = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe'
    [string]$vpnuiAbsolutePath = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe'

    #****************************************************************************
    #**** Please do not modify code below unless you know what you are doing ****
    #****************************************************************************

    Add-Type -AssemblyName System.Windows.Forms -ErrorAction Stop

    #Set foreground window function (user32 P/Invoke)
    #This function is called in VPNConnect
    Add-Type @'
    using System;
    using System.Runtime.InteropServices;
    public class Win {
    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool SetForegroundWindow(IntPtr hWnd);
    }
    '@ -ErrorAction Stop

    #Quickly start the VPN and bring the vpncli console window to the foreground
    #This function is called later in the code
    Function VPNConnect()
    {
    #-PassThru returns the process object so we can poll its window handle directly
    $proc = Start-Process -FilePath $vpncliAbsolutePath -ArgumentList "connect $CiscoVPNHost" -PassThru
    $counter = 0; $h = [IntPtr]::Zero
    #Poll every 10 ms until the console window exists (at most 1000 tries = 10 seconds)
    while($counter++ -lt 1000 -and $h -eq [IntPtr]::Zero)
    {
    Start-Sleep -Milliseconds 10
    $proc.Refresh()
    $h = $proc.MainWindowHandle
    }
    #If it takes more than 10 seconds then display a message
    if($h -eq [IntPtr]::Zero){echo "Could not start vpncli, it takes too long."}
    else{[void] [Win]::SetForegroundWindow($h)}
    }

    #Terminate all vpnui processes.
    Get-Process | ForEach-Object {if($_.ProcessName.ToLower() -eq "vpnui")
    {$Id = $_.Id; Stop-Process $Id; echo "Process vpnui with id: $Id was stopped"}}
    #Terminate all vpncli processes.
    Get-Process | ForEach-Object {if($_.ProcessName.ToLower() -eq "vpncli")
    {$Id = $_.Id; Stop-Process $Id; echo "Process vpncli with id: $Id was stopped"}}

    #Disconnect from VPN
    echo "Trying to terminate remaining vpn connections"
    Start-Process -FilePath $vpncliAbsolutePath -ArgumentList 'disconnect' -Wait
    #Connect to VPN
    echo "Connecting to VPN address '$CiscoVPNHost' as user '$Login'."
    VPNConnect

    #Type login and password into the foreground vpncli window
    [System.Windows.Forms.SendKeys]::SendWait("$Login{Enter}")
    [System.Windows.Forms.SendKeys]::SendWait("$Password{Enter}")

    #Start vpnui
    Start-Process -FilePath $vpnuiAbsolutePath
    #Wait for keydown
    echo "Press any key to continue ..."
    try{$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")}catch{}
    [/CODE]

  11. Thanks a lot for this very helpful tip, works like a charm!

  12. For AnyConnect scripting, even with your guidance on TMPL files and the link to Cisco’s site, I don’t see any way to automate the entry of username and password, as you could do with vpnclient.exe. Is there no way to do this? I’d like to run a batch that automatically logs me in via AnyConnect.

  13. Josh Johnson says:

    Here is a link to someone who has written a PowerShell solution:

    Automatic Login Using Cisco VPN Client

  14. Hi Josh, I have an urgent requirement.
    I am trying to automate a functional test. The requirement is as below:

    I want to automate the login to the VPN client (Cisco).
    I am executing the command required for the same.
    There is a confirmation the system asks for, something like: Are you authorised to login to the server? yes/no.
    I do not want to choose the value YES myself; I want it to be chosen by itself.
    For that I used the command "<". I have set YES in a file placed in some directory.
    Still the batch file is not picking up the value. It will get executed only if I hit YES.

    Can you suggest if we can pick YES from some file in some other way, apart from C:/vivek.txt?

  15. Hi,
    My Cisco VPN client gets disconnected sometimes. I want to auto-reconnect/auto-login whenever it gets disconnected. Is there any way to automate it?
    Thanks in advance.

  16. I’d like to have a script that has all these lines, but it doesn’t work, because when it starts the VPN it doesn’t return control to process the following commands in the bat file.

    example:
    :: vpn and ftp
    :: connect
    vpnclient connect Client user auser pwd apsw
    :: ftp
    ftp -s:ftp-cmd.txt 192.168.1.100
    :: disconnect vpn
    vpnclient disconnect

  17. Abhitheja says:

    Hello Josh,

    Thank you very much for your article.
    But I have one more problem. I am using my company’s VPN “private computer facility” and it asks me to click “OK” after the VPN login.

    So, when I created a batch file to connect to the VPN using the commands you have provided, it is asking me:
    “Do you wish to continue (y/n)”:

    I tried echo Y | vpnclient CONNECT USER PWD

    But it hasn’t worked. Could you help me on the same?
