KB ID 0001353
Problem
I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked.
After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.
Why would you want to do this? You might want to map (or reconnect) a network drive, or do anything else that is usually achievable with a logon script, but for users who arrive over the VPN rather than from the LAN.
Solution
1. First make sure you have your script. I'm using a simple batch file, but you can also use .vbs. My script just maps a drive (S:) to a network share on a server behind the firewall.
Note: I've used an IP address rather than a DNS name. There's nothing wrong with using a DNS name, providing your remote AnyConnect clients can actually resolve that hostname once the tunnel is up (i.e. the VPN pushes them a DNS server that knows it).
Note2: I'm also embedding a username and password in the drive mapping request. This is because my AnyConnect users authenticate with LOCAL usernames and passwords on the ASA (not domain accounts), so the endpoint's Windows logon credentials would not be accepted by the file server. Be aware that the script is stored on the client in plain text, in a folder every user of that PC can read, so treat any embedded password as exposed: use a dedicated account that can only read that share, and on domain-joined endpoints leave the credentials out and let Windows present the logged-on user's own credentials.
2. To 'embed' this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select 'Script runs when client connects' > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.
3. The script won't run unless scripts are allowed in the AnyConnect Client Profile. Note: You may or may not already have a client profile. Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (if you don't know which one, connect with an AnyConnect client and see what is shown under 'Group') > OK.
4. Edit your policy.
5. Preferences (Part 2) > Tick 'Enable Scripting' > Tick 'User Controllable' (Note: 'User Controllable' just lets a user untick 'Enable Scripting' in their own client software; leave it unticked if you do not want users to be able to disable the script) > OK.
6. Save the changes > Apply > File > Save Running Configuration to Flash.
Troubleshooting AnyConnect OnConnect / Logon Scripts
If there's a problem (i.e. it does not work), your first task is to make sure the client actually received the script. The client saves it in the following location:
%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script
Connect your AnyConnect client, then run each of the commands in the script by hand in a command prompt on that client to see which one fails. Bear in mind the script runs in the logged-on user's session, so anything that needs administrator rights will not work from the script even if it works for you when you run it elevated.
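A worked example of the kind of script steps 1 to 6 import, and of the logging the Troubleshooting section needs, added for this article (it is not the batch file from the original post). The server address 192.168.1.10, the share name data, the drive letter S:, the share account vpnshare and the log file path are all assumptions, substitute your own. It waits for the server to become reachable over the tunnel before mapping, and writes a log under %TEMP% so "did the client get the script, and which line failed?" can be answered from the file rather than by re-running every command by hand:

```batch
@echo off
rem OnConnect_MapDrive.bat - added example, not the script from the original article.
rem AnyConnect only runs scripts whose names start with OnConnect_ or OnDisconnect_;
rem ASDM adds that prefix when you tick "Script runs when client connects".
rem The client stores the file under
rem   %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script
rem and runs it in the logged-on user's session each time the tunnel comes up.
rem Assumed (hypothetical) values - change them for your environment:
setlocal
set "SERVER=192.168.1.10"
set "SHARE=data"
set "DRIVE=S:"
set "LOG=%TEMP%\anyconnect-onconnect.log"

echo ---- %DATE% %TIME% OnConnect start ---- >> "%LOG%"

rem The tunnel can report "connected" before its routes are usable, so wait
rem for the server to answer. "find TTL=" is used because ping's exit code
rem is 0 even for "Destination host unreachable" replies.
set /a TRIES=0
:waitloop
ping -n 1 -w 1000 %SERVER% | find "TTL=" >nul
if not errorlevel 1 goto map
set /a TRIES+=1
if %TRIES% GEQ 10 (
    echo %SERVER% not reachable after %TRIES% tries, giving up >> "%LOG%"
    exit /b 1
)
rem crude two-second sleep that does not need console input (timeout.exe does)
ping -n 3 127.0.0.1 >nul
goto waitloop

:map
rem Remove a stale mapping first; net use refuses to reuse a letter already in use.
net use %DRIVE% /delete /y >nul 2>&1

rem Domain-joined endpoint: no credentials in the script, Windows presents the
rem logged-on user's own credentials to the file server.
net use %DRIVE% \\%SERVER%\%SHARE% /persistent:no >> "%LOG%" 2>&1
if errorlevel 1 (
    echo net use failed with errorlevel %ERRORLEVEL% >> "%LOG%"
    exit /b 1
)
rem ASA LOCAL-user setup (as in the article): the endpoint's Windows logon is not
rem known to the server, so a username and password must be supplied explicitly.
rem Anything you put here is readable by every user of the PC, so use a dedicated
rem account that can only read this share, e.g.
rem   net use %DRIVE% \\%SERVER%\%SHARE% /persistent:no /user:vpnshare PASSWORD

echo %DRIVE% mapped to \\%SERVER%\%SHARE% >> "%LOG%"
exit /b 0
```

Import this file in step 2 and, after connecting, check %TEMP%\anyconnect-onconnect.log on the client: a missing log means the script never ran (check step 5), a "not reachable" line points at routing or split-tunnel settings, and a net use error code points at the share, the credentials or the account's rights.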
Related Articles, References, Credits, or External Links
NA
22/05/2018
Will this work with Windows 10?
22/05/2018
Yes 🙂
15/04/2020
Will this work on an FTD?
If so, is there documentation?
Thanks
16/04/2020
Great question: I've not tried it, but it's not on my list of things to investigate!
24/05/2018
Hi Pete,
Is it possible to import 2 OnConnect scripts to the ASA?
One for the Windows AnyConnect client and one for Mac.
How do you differentiate between them?
If a Windows AnyConnect client connects, then install the Windows script.
If a Mac AnyConnect client connects, then install the Mac script.
Thx in advance
25/05/2018
TBH I’ve never tried with mac, so I could not comment.
21/06/2018
Path provided under “Troubleshooting” section (%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect VPN Client\Script) does not match the path shown in the screenshot.
The path in the screenshot is the correct path…
%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script
16/11/2018
Where can I download Cisco ASDM?
20/11/2018
Connect to the firewalls http URL 🙂
22/04/2019
Thank you,
So the script downloads but either doesn’t run or takes a very long time. Any idea why?
23/04/2019
It should only need to download once? I suppose it depends on what’s in the script! In these situations I tend to comment out all the lines in the script – put a simple echo / pause on the end then re-enable the script one line at a time.
23/04/2019
This is all I have in the script.
net use h: \\fileshare\home\%username% /persistent:Yes
gpupdate /force /target:user
The H drive never loads, and the user’s drives that map via GPO will map after about 5 minutes. It’s really weird. If I browse to the directory and launch the script, it will load the H drive instantly.
I’ll keep playing with it, was just curious if you had any input.
Thank you very much!
23/04/2019
Is 'fileshare' the server name?
26/04/2019
Is there a way to ensure the “disconnect” script runs before the VPN tunnel is dropped so that if we want to write data to a server it can write that before the tunnel disconnects?
27/05/2019
Hi Pete!
Thanks for this article! It helps…
…but what about e.g. the "net use" after the AnyConnect client asks me to change my AD password? This will not work, because the Windows client still uses the cached credentials.
Is there a way to start a script only after a pwd exchange?
The idea is to force the user lock (rundll32.exe user32.dll, LockWorkStation).
Or is there a way to detect the password change in the main login script? But I would need this in different output languages…
E.g. to check the difference between two dates with "net user %username% /domain" and search for "Password expires", "Kennwort läuft ab", or other languages is different and not so easy. 🙁
Thanks in advance!
12/04/2020
Hi,
Is it possible to get the client OS version without having the Cisco AnyConnect APEX licence? I mean, if we run a script that will report back to the firewall or store this information in a network share, so that we can make a list of computers which are running Windows 7.
15/05/2020
Hi Pete,
very nice article, thank you very much!!
I have a question. Is there a way I can use the same script to pass the credentials which I use to log in to the VPN, to access shared folders? Basically single sign-on.
18/05/2020
Honestly I’m not sure; You can use %username% In a script and your endpoint will resolve it (assuming you are authenticated as a domain user), but passwords are another matter, and if you frequently change them then it will break?
25/06/2020
Hi folks,
First of all, I would like to thank you for the article.
I have tried to follow these steps, but when I click "OK" on the step in the 3rd screenshot, the message below appears and I cannot edit. Could you help me?
“Input is not a well-formed schema-compliant xml file. Invalid or unknown schema.”
ASA 9.6(4)3 – ASDM 7.9(1)
29/09/2020
Hi Pete, Great article. Have you ever done this with a Mac?
30/09/2020
Hi Jeff, I’ve not tried it with a Mac! And TBH I would be the best bet to ask! Looks like a question for TAC or the Cisco Security Forum. Sorry m8.
14/02/2021
Hi, thanks for nice tutorial!
In my case, the script is downloaded and probably executed, but the issue seems to be that it lacks admin privileges. I have to execute it manually in order to make it work. How do I make the script execute with the necessary privileges?
Thanks,
Jan