Code ExchangeSearchRepository

Autoconnect Script for Cisco AnyConnect VPN on macOS

Why should I care?

If you use Cisco's VPN solution, AnyConnect, to connect to VPN into your corporate network, you know how the process goes:

  1. Pick the VPN server you want to connect to
  2. Wait for the username and password promot
  3. Enter your credentials

Then, if your company uses MFA (Multi Factor Authentication) to strengthen the authentication process - like Cisco Duo, this happens:

  1. Wait for the MFA prompt to open
  2. Confirm the notification you received on your phone from the MFA app
  3. Wait for the VPN connection to start
  4. Accept the Banner information that might be presented to you by Cisco AnyConnect VPN

These steps alone can waste up to 10 minutes of your time, in case of a non-optimal internet connection.
Now consider your credentials, in particular your password. If you are a security-concious person, or your company set a strong password policy, you might find yourself having to type something like 6k^lW7$ZDsdlQL&B every time you want to connect to the VPN, which might happen a few times during the day.

The whole process is prone to erros and waste of time. So what can you do?

Speed up the process, maintain the highest security standards

Security should not come at the price of ease of use, and the same should be true the other way around.
The simpler something is to use, the more secure it is.

This automation script is built on top of these concepts.
The repository contains the source code of the script that will automate the connection and authentication process of Cisco AnyConnect VPN with Duo.

The script automatically fetches, securely from the KeyChain, the correct credentials and setup the VPN connection. If Duo is used as MFA, a notification will be sent to your device. Once you confirm the notification the connection will be completed and up and running.

Can I take advantage of this?

These are the requirements necessary:

  • macOS version 10.7 or higher
  • Cisco AnyConnect must have Start VPN when AnyConnect is started enabled (see below)

  • Users are presented with the following login prompt after selecting the VPN connection

# How to use it?
You have two options:

  • Turn it into an application
  • Keep it as a script

Let's start with the first option: TURN IT INTO AN APPLICATION

  1. Open the script source code file anyconnect.scpt with Script Editor (which is the default program used).
  2. On the top menu, select File, then Export...
  3. In the pop-up window, make sure to select Application for File Format:, and Sign to Run Locally for Code Sign:
  4. (BONUS) You want to use a different icon from the stock one? Follow the steps below to extract the icon from another app and use it:

Once you have your application compiled and ready:

  1. Open Security & Privacy System Preferences, go to Privacy, then Accessibility.
  2. Enable the application you just created to access Accessibility
  3. (BONUS) Add the application to /Users/[yourhostname]/Applications and then to the Dock
  4. Run the application again to close the connection

Now for the second option: KEEP IT AS A SCRIPT

  1. Open the script source code file anyconnect.scpt with Script Editor (which is the default program used).
  2. On the top menu, select Script Editor, then click Preferences
  3. In the pop-up window, make sure to select Show Script menu in menu bar for Script Menu:
  4. Save the script in your user's Scripts folder (/Users/[yourhostname]/Library/Scripts)

Once you have saved the script inside your user's script folder:

  1. Open Security & Privacy System Preferences, go to Privacy, then Accessibility.
  2. Enable Script Menu
  3. (OPTIONAL) Enable Script Editor. This is required if you want to run the script from the Script Editor.
  4. Select the scroll looking icon in the top menu and click on the script you saved.

Known issues

  • macOS Big Sur: If you recently updated to macOS Big Sur, and you haven't done so yet, you might need to reset the SMC. Here is a link on how to do that.

Extra tips for Cisco employees

If you are a Cisco employee, you can simply update the code as follows:

  • update line 42 to: set inString to "blizzard"
  • use your Cisco email as the username. If your corporate email is mrossi@cisco.com, then simply update line 43 to: set username to "mrossi@cisco.com"
View code on GitHub

  • Owner

    ccommunikein

  • Contributors

    +5Github contributors

  • Categories

  • Products

    Duo

  • Programming Languages

    AppleScript

  • License

    BSD 3-Clause "New" or "Revised" License
Related code repos

    Code Exchange Community

    Get help, share code, and collaborate with other developers in the Code Exchange community.View Community
    Disclaimer:
    Cisco provides Code Exchange for convenience and informational purposes only, with no support of any kind. This page contains information and links from third-party websites that are governed by their own separate terms. Reference to a project or contributor on this page does not imply any affiliation with or endorsement by Cisco.