• Status: Solved

Cisco VPN Client Logon Automation

Hello.
I am attempting to automate the Cisco VPN logon process through a .bat file.  
I know I should be running the C:\Program Files\Cisco Systems\VPN Client>vpnclient.exe, and have written the script as:
cmd.exe /c "C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe"

But I am not sure what I need to do to get the profile, username, password as well as the additional user authentication password entered.

Any help would be greatly appreciated.

Thank you.
Asked by: lcros
1 Solution
 
MikeKane Commented:
The user logon process can not be automated unless you use certificates.  

Quote from Cisco's FAQ:
Q. Can the VPN Client automatically login/authenticate to the security appliance using the Windows credentials, thus not requiring user interaction?
A. No this is not supported. We recommend you use digital certificates for authenticating the VPN session without the need for enduser interaction.

Reference: https://supportforums.cisco.com/docs/DOC-1296;jsessionid=FF0B0AB145E4705F5F94777835BB846B.node0#Q_Can_the_VPN_Client_automatically_loginauthenticate_to_the_security_appliance_using_the_Windows_credentials_thus_not_requiring_user_interaction

 

RPPreacher Commented:
The profile is a .pif file located in c:\program files\cisco\cisco vpn\profiles (I think... doing this from memory).

The easiest way is to set up a profile using the Cisco client, then copy the PIF, open it in notepad, edit it and save it.

Easy cheesy.

RPPreacher Commented:
Just checked.  On Windows 7 x64, the path is

C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles

And it's PCF not PIF (my bad).

[main]
Description=Sample for EE
Host=1.2.3.4
AuthType=1
GroupName=username
GroupPwd=
enc_GroupPwd=1CD9D5B81D267CDAA691A85425A335BDC6D2812FA0B0688674B02F5736AE9E760CD4BADB8D36626FBE42FAEC6A205B6362AD46FA4F3C56DD
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0
 
yuliang11 Commented:
hi,
 the command would be


You have entered an unrecognized command.
Usage:
 vpnclient connect <profile> [user <username>] [eraseuserpwd | pwd <password>]
                             [nocertpwd] [cliauth] [stdin] [sd]
 vpnclient disconnect
 vpnclient stat [reset] [traffic] [tunnel] [route] [firewall] [repeat]
 vpnclient notify
 vpnclient verify [autoinitconfig]
 vpnclient suspendfw
 vpnclient resumefw

yuliang11 Commented:
in your batch script just use



vpnclient connect <profile>  [user <username>]  [pwd <password>]

hope that helps :D

RPPreacher Commented:
>in your batch script just use...

<sarcasm>Great job copying information in his original question...  brilliant...</sarcasm>

yuliang11 Commented:
Dear RPPreacher,
 I haven't slept for days trying to troubleshoot something, sorry as English is not my first language. I think he's asking how to get his profile, username & password entered.


<sarcasm>I know you have a very good English and brilliant....</sarcasm>

lcros (Author) Commented:
Hello.
@ yuliang11...I think you're on the right track...this is what I've found on other sites, but am not sure how to write the command into the .bat file.

I've tried the following, but it's not recognizing the 2nd part as a command.  I think there is something I need to enter first, but am not sure what....

cmd.exe /c "C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe"
vpnclient connect <profile>  [user <username>]  [pwd <password>]

The error message states...
'vpnclient' is not recognized as an internal or external command.

RPPreacher Commented:
Don't worry about the cmd.exe /c
Just the c:\... part...

lcros (Author) Commented:
Thanks.  I think I'm getting there...I think I've got the username/password formatted incorrectly...
When I enter the profile, username, & password, do I completely get rid of the <> and []?

RPPreacher Commented:
Yes.

lcros (Author) Commented:
I'm still getting an error...
Do I enter the username/pw info on the same line as the path to run the vpnclient.exe?
No matter whether I enter on the same line or the next line, I get an "unrecognized command" error.
It seems to be running the vpnclient.exe, but is not liking what I'm trying to enter for the username/pw

I tried running in dos, entering the path to vpnclient.exe and then entering the username/password line at the next command prompt, but am getting the same error.

RPPreacher Commented:
"C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe" connect "c:\Program Files (x86)\Cisco Systems\VPN Client\Profiles\SAMPLE.pcf" user USERNAME pwd PASSWORD

This is not that hard to set up.

lcros (Author) Commented:
I agree that it shouldn't be that hard to set up.  Thanks for being patient with me.
I used your setup and added the sample.pcf, username, and password.
I'm still getting an error...
The profile specified could not be read, however I know I've got the path and name correct.

RPPreacher Commented:
It's probably because you don't have permissions to that directory.  Try putting the PCF in a common location that you have full rights to.

lcros (Author) Commented:
I'm still getting the same error.  Here's the entire screen with my personal info changed...

C:\Users\Work\Desktop>"C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe" connect "C:\Users\Work\Desktop\Test.pcf" user SAMPLEUSER pwd SAMPLEPWD
Cisco Systems VPN Client Version 5.0.07.0240
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.0.6002 Service Pack 2
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

The profile specified could not be read..

yuliang11 Commented:
> I agree that it shouldn't be that hard to set up.  Thanks for being patient with me.
> I used your setup and added the sample.pcf, username, and password.
> I'm still getting an error...
> The profile specified could not be read, however I know I've got the path and name correct.

1) I think you should create the profile from the VPN client instead of editing it in Notepad.


yuliang11 Commented:
RPPreacher:
> "C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe" connect "c:\Program Files (x86)\Cisco Systems\VPN Client\Profiles\SAMPLE.pcf" user USERNAME pwd PASSWORD



<sarcasm>Great job copying information from my answer..  brilliant...</sarcasm>

yuliang11 Commented:
hi lcros,

1) Create the profile from the VPN GUI, make sure it's working first before using the command line.

2) To make sure there are no OS issues, I suggest you install the VPN client on another computer with full administrator rights.


the batch script worked like a charm here ;)

lcros (Author) Commented:
I'm still not able to get this to work...I have no problems connecting using the VPN gui, but can't connect using the script.  
Do you have any other suggestions?  Where do you have the .pcf stored?
When I connect with the GUI, I am prompted to enter the user authentication, which pre-fills the username, but I need to manually enter the password.  Does this mean I should be entering another username and password in the script as well?

yuliang11 Commented:
> When I connect with the GUI, I am prompted to enter the user authentication, which pre-fills the username, but I need to manually enter the password.

1) this is right

> Does this mean I should be entering another username and password in the script as well?

2) this should work

I'm wondering if your script is right. Could you send a version with the password hashed out to me to verify? Or you can paste it in here.

lcros (Author) Commented:
Thanks, yuliang11.
Here's my script with the username and password dummied up...

"C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe" connect "C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles\Her_LNC.pcf" user VPN2 pwd Her

Qlemo (Developer) Commented:
The only way I got that working is by entering the password in the GUI, write-protecting the PCF file afterwards, and using vpnclient without a password supplied on the command line. As soon as I provide the password with vpnclient, the connection cannot be established. I'm only providing the profile name (stored in the PCF), not the PCF itself.

lcros (Author) Commented:
Hello.  I still need help with this...am just waiting for someone who can help me.  I need to be out of my office for the next few days, but would really appreciate any assistance that can be provided.
 
Qlemo (Developer) Commented:
I tried again, back and forth, and as soon as you provide the password on commandline, the vpnclient.exe "hangs" until the connection is terminated. The connection is working, though. Being in the Cisco folder, I use:
vpnclient connect MyProfile user MyUser pwd MyPwd stdin
(I do not provide the path and file name, only the profile name, as you can see). If I omit the pwd parameter, vpnclient returns after success (with return code 200, which is "connected"). So the following choices are available:
Approach 1
If you use the above command this means that the process (e.g. batch file of Scheduled Tasks) would remain active until termination of the connection (with a second batch file or shortcut, calling vpnclient disconnect).

Approach 2
Write password in plain text into the PCF file (UserPassword=YourPasswordHere). Write-protect the file. Then use
vpnclient connect MyProfile user MyUser stdin
(stdin just shows you the results, you can omit it if you like).
Since you have write-protected the file, the password remains, but in plain text.

Approach 3
If you don't want the password in plain text, change the PCF:
SaveUserPassword=1
Username=MyUser
UserPassword=MyPassword
and use the GUI once for logging in. Check if the UserPassword is now empty, and enc_UserPassword is filled out instead. Then write-protect the file. Disconnect, and kill the GUI (if necessary). After that you can use vpnclient as shown in Approach 2 without further issues, you can even omit the user parameter, as that should be part of the PCF already.

Approach 4
Use vpngui or ipsecdialer (doesn't matter which):
ipsecdialer -c -sd -user MyUser -pwd MyPwd MyProfile
That will start the GUI, give visual feedback and so on, but takes longer than with vpnclient.

Approach 5
Use the free ShrewVPN instead (www.shrew.net). It can (does) import PCF files into registry, and you can provide user and password on command line without issues.
ipsecc -r MyProfile -u MyUser -p MyPwd -a

0
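
Approaches 1, 2 and 4 above put the user password on a command line or in clear text in the PCF, and Approach 3 leaves a saved credential in the profile. The following is an added example, not code from any poster or from Cisco: a Python audit that flags those cases in a profile and in a batch script. The function names, severity labels and both sample inputs are constructed for illustration.

```python
import configparser
import re

PLAINTEXT_KEYS = ("UserPassword", "GroupPwd")        # secret readable as-is
STORED_KEYS = ("enc_UserPassword", "enc_GroupPwd")   # secret saved by the client
# vpnclient / ipsecdialer command lines that carry a "pwd" or "-pwd" argument
CLI_PWD = re.compile(r'(vpnclient|ipsecdialer)(\.exe)?"?\s.*?\s-?pwd\s+\S+', re.I)


def audit_pcf(text):
    """Return (severity, key) findings for the [main] section of one PCF profile."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the mixed-case PCF key names
    try:
        parser.read_string(text)
        main = parser["main"]
    except (configparser.Error, KeyError):
        return [("error", "[main]")]  # not a readable profile
    found = [("high", k) for k in PLAINTEXT_KEYS if main.get(k, "").strip()]
    found += [("medium", k) for k in STORED_KEYS if main.get(k, "").strip()]
    if main.get("SaveUserPassword", "0").strip() == "1":
        found.append(("medium", "SaveUserPassword"))
    return found


def audit_batch(text):
    """Return 1-based numbers of script lines that pass a password as an argument."""
    return [n for n, line in enumerate(text.splitlines(), 1) if CLI_PWD.search(line)]


# Constructed samples: a profile holding a plain-text password, and a script.
SAMPLE_PCF = """\
[main]
GroupName=examplegroup
GroupPwd=
enc_GroupPwd=0A1B2C3D
Username=MyUser
SaveUserPassword=1
UserPassword=MyPwd
enc_UserPassword=
"""
SAMPLE_BAT = r'''@echo off
"C:\Program Files (x86)\Cisco Systems\VPN Client\vpnclient.exe" connect MyProfile user MyUser pwd MyPwd
vpnclient connect MyProfile user MyUser stdin
'''

if __name__ == "__main__":
    print(audit_pcf(SAMPLE_PCF), audit_batch(SAMPLE_BAT))
```

Any finding means the profile or script has to be treated as a secret: restrict its file permissions to the account that runs the connection and keep it out of shared folders and backups that others can read.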
 
Qlemo (Developer) Commented:
Whether the asker returns or not, this question (my answer) still has PAQ value. One of the alternatives I've shown will fit in the current environment for sure, and all of them are helping other seekers.