Главная » Linux

Cisco anyconnect linux console

На чтение 12 мин Просмотров 1 Опубликовано
Содержание
  1. Connect using anyconnect from command line
  2. 10 Answers 10
  3. How To Connect To VPN Server with Cisco AnyConnect from Linux Terminal
  4. Connecting to VPN Server with Cisco AnyConnect from Linux Terminal
  5. How To Disconnect VPN
  6. Automate VPN Connection from CLI

Connect using anyconnect from command line

I am trying to use Cisco anyconnect 3.1 from Linux command line to connect to a server. I can connect, but I have to submit one parameter at a time. I would like to connect from a script that will run in another server. Can I do that? Something like

vpn connect server_add group_name user_name passwd

10 Answers 10

Assuming /opt/cisco/anyconnect/bin/vpnagentd is running as it automatically should be:

To connect:

printf 'USERNAME\nPASSWORD\ny' | /opt/cisco/anyconnect/bin/vpn -s connect HOST

Replace USERNAME , PASSWORD , and HOST . The \ny at the end is to accept the login banner — this is specific to my host.

Note the single quotes ‘ instead of double quotes » — this is because double quotes tell Bash to interpret certain characters within strings, such as exclamation marks, as Bash history commands. Double quotes will make this command fail with an «event not found» error if the password contains an exclamation mark. Single-quoted strings pass exclamation marks along without interpreting them.

To disconnect:

/opt/cisco/anyconnect/bin/vpn disconnect

This was tested with AnyConnect v3.1.05160.

In case your client does not connect due to certificate validation error Certificate is from an untrusted source , and you still want to connect then pass a y parameter in the above method so that the command to connect becomes: printf «y\nUSERNAME\nPASSWORD\ny» | /opt/cisco/anyconnect/bin/vpn -s connect HOST . Note that do this only in the case that you absolutely trust your connection; otherwise there might be a middleman sitting in and snooping onto you.

Works beautifully (though my version needs a GROUPNAME\nUSERNAME\nPASSWORDy . If you want to keep your password separate from the command (which may be a shell script or a dotfile key binding), you can do this: cat ~/.anyconnect_credentials | /opt/cisco/anyconnect/bin/vpn -s connect HOST

@SridharSarnobat Using a separate file for the credentials works, but it prints out your password in the log like: >> notice: Please respond to banner. MYPASSWORD

I ran into the same difficulty try to use Cisco AnyConnect from Mac OS X Terminal. To get the Cisco vpn command to take its input from standard input, you have to specify the -s option, which puts the Cisco vpn command into interactive mode. Then you can provide the responses that you give in interactive mode.

The responses that you need to give depend upon how the VPN server administrator has configured the server. For me, the vpn interactive prompts are

Group: Username: Password: Blah, blah, blah, . accept? :

So the command that I run is

$ /opt/cisco/anyconnect/bin/vpn -s connect vpn.example.com

(The quotes around EOF are to prevent command/parameter expansion/substitution in the following input.)

The exit at the end is to exit the Cisco vpn interactive mode.

You can put your connection info in a separate file, e.g.

connect [HOST] [GROUP or 0 or 1] [USER] [PASSWORD] y exit 
/opt/cisco/anyconnect/bin/vpn -s < anyconnect.txt

Hi @Dan, is it also possible to parse the 2nd password? I need to give a 2nd password 'push', which directs anyconnect client a push notification on my phone. While adding 'push' next to the [PASSWORD] line made the vpn client send a push notification to my phone, the client doesn't accept it and I don't know why. Below is my log . Username: [. ] Password: [. ] Second Password: >> notice: Hostscan is performing system scan >> notice: Hostscan is performing software scan >> notice: Hostscan state idle >> notice: Hostscan is waiting for the next scan >> Login failed.

I like to simplify the command line, so I use the above approach in a shell script named gotowork. As above, I need to provide the group, my user name, and a passkey composed of a private PIN plus a RSA SecurID passcode. I don't have to answer the above "accept?" question. Everything but the RSA passcode is in the script, so the command line is

I have to run it as root. Assume the PIN is 1234. The script essentials:

# put the interactive answers into a text file echo -e "0\nusername\n1234$1\n" > /tmp/answers.txt # find the path to the anyconnect executables ciscopath="$(dirname $(find /opt/cisco -depth -name vpnagentd))" # make sure the anyconnect daemon is running [ $(pidof vpnagentd) ] || $ciscopath/vpnagentd # connect $ciscopath/vpn -s < /tmp/answers.txt connect remote.mycompany.com

Using anyconnect 3.1.05170. Tested on Debian 6, LinuxMint 17

@A-B-B That's just saying output a zero 0 , followed by a newline \n followed by username, followed by a newline \n etc.

@A-B-B When running interactively and your connection uses groups, the possible groups will be enumerated. 0 then means "use the first group".

Nice one. I did not like providing pin and token via plaintext, so i altered the script as follows: echo -n "Enter PIN :"; read -s PIN; echo; echo -n "Enter RSA token: "; read -s TOKEN; echo -e "0\nusername\n$PIN$TOKEN\n" > /tmp/answers.txt . As well as rm /tmp/answers.txt at the end of the file

This is what worked for me on OSX El Capitan. Placeholders are surrounded by [square braces].

/opt/cisco/anyconnect/bin/vpn -s connect [HOST_ADDRESS]  
/opt/cisco/anyconnect/bin/vpn disconnect

*I know this is similar to Peter S.'s answer above.

This worked for me in one command for El Capitan, printf "y\n[GROUP]\n\n[PASSWORD]\ny\n" | /opt/cisco/anyconnect/bin/vpn -s connect HOST

I had to enter a two-step code, so I had to use the following template.

connect host username pass twostep y exit

On Mac (Ventura 13.2.1) I wanted to integrate keychain and two-step together so I made the following script. It retrieves the key used for two-step, uses python OTP library to get the two-step code, and also uses keychain to get the password. Then connects to Cisco Connect.

Note that first you need to create the keychain entries as described in the blog referred below. Maybe for testing you can initially hardcode key and password .

Make sure to edit [Username] and [Host]. I had them hardcoded rather than keychain on Mac.

import time import pyotp import subprocess key = subprocess.check_output("security find-generic-password -w -a $LOGNAME -s key", shell=True)[:-1].decode("utf-8") uri = pyotp.totp.TOTP(key).provisioning_uri() totp = pyotp.TOTP(key) key = totp.now() print(key) password = subprocess.check_output("security find-generic-password -w -a $LOGNAME -s key_password", shell=True)[:-1].decode("utf-8") output = subprocess.check_output(f"/opt/cisco/anyconnect/bin/vpn -s connect [Host] \n\ny\nEOF", shell=True) print(output)

Steps to create keychain items :

  1. Add otp_key to keychain :
  • security add-generic-password -T "" -a $LOGNAME -s [hostname_otp] -w [otp_key]
  1. Add password of host :
  • security add-generic-password -T "" -a $LOGNAME -s [hostname_username] -w [host_password]

Steps to retrieve saved key and password :

  1. Retrieve host's otp_key
  • security find-generic-password -w -a $LOGNAME -s [hostname_otp]
  1. Retreive password of hostname_username
  • security find-generic-password -w -a $LOGNAME -s [hostname_username]

This will make sure that there is an extra step to connecting to host, i.e. retrieving secret info from keychain after providing the password, rather than hardcoding in a file.

Источник

How To Connect To VPN Server with Cisco AnyConnect from Linux Terminal

Proceed with the way that how to Connect to VPN Server with Cisco AnyConnect from Linux Terminal. It’s easy to connect from desktop but this article help those who want to use Command line Interface. We have already covered how to Connect VPN from desktop. Let’s start with these steps to continue

Connecting to VPN Server with Cisco AnyConnect from Linux Terminal

Run the given command to check the status of being installed Cisco AnyConnect from the previous guide.

$ ls /opt/cisco/anyconnect/bin/ 
total 3.7M 
-rwxr-xr-x. 1 root root 14K Dec 29 03:26 acinstallhelper 
-rwxr-xr-x. 1 root root 783K Dec 29 03:26 acwebhelper 
-rwxr-xr-x. 1 root root 688 Dec 29 03:26 anyconnect_uninstall.sh 
-rwxr-xr-x. 1 root root 315 Dec 29 03:26 load_tun.sh 
-rwxr-xr-x. 1 root root 506K Dec 29 03:26 manifesttool 
drwxr-xr-x. 2 root root 4.0K Dec 29 03:26 plugins 
-rwxr-xr-x. 1 root root 76K Dec 29 03:26 vpn 
-rwxr-xr-x. 1 root root 999K Dec 29 03:26 vpnagentd 
-rwxr-xr-x. 1 root root 418K Dec 29 03:26 vpndownloader 
-rwxr-xr-x. 1 root root 398K Dec 29 03:26 vpndownloader-cli 
-rwxr-xr-x. 1 root root 487K Dec 29 03:26 vpnui 
-rwxr-xr-x. 1 root root 9.2K Dec 29 03:26 vpn_uninstall.sh

Check out the vpn connection script command options:

$ /opt/cisco/anyconnect/bin/vpn --help 
Usage: vpn [options] | [cmd] [host] options: -h Print this usage statement. -v Print version. -s Read commands from response file to work non-interactively. Example: vpn -s < response.txt commands: [connect|disconnect|hosts|state|stats]

See the connection example

$ /opt/cisco/anyconnect/bin/vpn -s connect 192.168.10.10

Allow untrusted connections upon Prompt & provide user details to login to VPN

Copyright (c) 2004 - 2019 Cisco Systems, Inc. All Rights Reserved. 
state: Disconnected 
state: Disconnected 
notice: Ready to connect. 
registered with local VPN subsystem. 
contacting host (192.168.10.10) for login information… 
notice: Contacting 192.168.10.10. 
AnyConnect cannot verify server: 192.168.10.10 
- Certificate does not match the server name. 
Connecting to this server may result in a severe security compromise! 
Most users do not connect to untrusted servers unless the reason for the error condition is known. 
Connect Anyway? [y/n]: y 
Please enter your username and password. 
Username: sabi0329 
Password: xxxxxxxx 
Second Password:

The connection should be initiated if correct credentials were provided.

state: Connecting 
notice: Establishing VPN session… 
Connection will be established if you have provided the correct credentials. 
state: Connecting 
notice: Establishing VPN session… 
The AnyConnect Downloader is analyzing this computer. Please wait… 
Initializing the AnyConnect Downloader… 
The AnyConnect Downloader is performing update checks… 
notice: The AnyConnect Downloader is performing update checks… 
notice: Checking for profile updates… 
notice: Checking for product updates… 
The AnyConnect Downloader updates have been completed. 
Please wait while the VPN connection is established… 
notice: Checking for customization updates… 
notice: Performing any required updates… 
notice: The AnyConnect Downloader updates have been completed. 
state: Connecting 
notice: Establishing VPN session… 
notice: Establishing VPN - Initiating connection… 
notice: Establishing VPN - Examining system… 
notice: Establishing VPN - Activating VPN adapter… 
notice: Establishing VPN - Configuring system… 
notice: Establishing VPN… 
state: Connected
$ /opt/cisco/anyconnect/bin/vpn state 
Cisco AnyConnect Secure Mobility Client (version 4.7.01076) . 
Copyright (c) 2004 - 2019 Cisco Systems, Inc. All Rights Reserved. 
state: Connected 
state: Connected 
state: Connected 
registered with local VPN subsystem. 
VPN>

Pull connection stats by typing

$ /opt/cisco/anyconnect/bin/vpn stats

How To Disconnect VPN

Use the following command to disconnect VPN.

$ /opt/cisco/anyconnect/bin/vpn -s disconnect 192.168.10.11

Note: Replaces IP with your VPN Server IP address.

Automate VPN Connection from CLI

To create an automatic connection, make a script first creating user details.

$ vim ~/.vpn_creds 
username 
Password 
y

Set up username, password in the file. Then create a script file like below:

$ vim vpn_connect.sh
!/bin/bash

VPN_SERVER="192.168.10.10"

echo "Connecting to VPN.."
/opt/cisco/anyconnect/bin/vpn -s < ~/.vpn_creds connect $

Now, make the script executable to run because without executable it wouldn’t run.

Now, run the script to Connect to your VPN

$ ./vpn_connect.sh 
Connecting to VPN.. 
Cisco AnyConnect Secure Mobility Client (version 4.7.01076) . 
Copyright (c) 2004 - 2019 Cisco Systems, Inc. All Rights Reserved. 
state: Disconnected 
state: Disconnected 
notice: Ready to connect. 
registered with local VPN subsystem. 
contacting host (192.168.10.10) for login information… 
notice: Contacting 192.168.10.10. 
Please enter your username and password. 
Username: [jkmutai] jmutai 
Password: 
state: Connecting 
notice: Establishing VPN session… 
The AnyConnect Downloader is analyzing this computer. Please wait… 
Initializing the AnyConnect Downloader… 
The AnyConnect Downloader is performing update checks… 
notice: The AnyConnect Downloader is performing update checks… 
notice: Checking for profile updates… 
notice: Checking for product updates… 
notice: Checking for customization updates… 
The AnyConnect Downloader updates have been completed. 
notice: Performing any required updates… 
Please wait while the VPN connection is established… 
notice: The AnyConnect Downloader updates have been completed. 
state: Connecting 
notice: Establishing VPN session… 
notice: Establishing VPN - Initiating connection… 
notice: Establishing VPN - Examining system… 
notice: Establishing VPN - Activating VPN adapter… 
notice: Establishing VPN - Configuring system… 
notice: Establishing VPN… 
state: Connected

Источник

Читайте также:  Linux примонтировать удаленную папку
Оцените статью
© 2023 Posetke
Adblock
detector