Cisco AnyConnect – Running ‘Logon Scripts / OnConnection Scripts’

KB ID 0001353

Problem

I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked. 

After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.

Why would you want to do this? You might want to map (or reconnect) a mapped drive, or perform anything that's usually achievable with a logon script, but that a remote user who is not on the LAN at logon never gets.

Solution

1. First make sure you have your script. I'm using a simple batch file, but you can also use .vbs. As you can see, my script simply maps a drive (S:) to a network share.

Note: I've used an IP address rather than a DNS name. There's nothing wrong with using a DNS name, provided your remote AnyConnect clients can resolve that hostname once the tunnel is up.

Note 2: I'm also embedding the username and password in the drive mapping request. This is because my AnyConnect uses LOCAL usernames and passwords on the ASA, so the file server would not otherwise be able to authenticate the request. Bear in mind that the script is delivered to every client as a plain-text file in a machine-wide folder (see the troubleshooting section for the path), so anyone who can log on to that PC can read those credentials. If you must do this, use a dedicated account that has access to that one share and nothing else, or put '*' in place of the password so that 'net use' prompts the user for it.

AnyConnect Script

2. To 'embed' this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select 'Script runs when client connects' > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.

ASDM Import AnyConnect Script

3. The script won't run unless scripts are allowed in the VPN client profile. Note: you may or may not already have a client VPN profile. Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (if you don't know which one, connect with an AnyConnect client and see what is shown under 'Group') > OK.

ASDM Create AnyConnect Profile

4. Edit your policy.

ASDM Edit AnyConnect Profile

5. Preferences (Part 2) > Tick 'Enable Scripting' > Tick 'User Controllable' (Note: this just lets a user untick 'Enable Scripting' in their client software) > OK.

ASDM AnyConnect Logon Script

6. Save the changes > Apply > File > Save Running Configuration to Flash.

ASDM Save Changes

Troubleshooting AnyConnect OnConnect / Logon Scripts

If there's a problem (i.e. it does not work), your first task is to make sure the client actually received the script; it is saved in the following location:

%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script

AnyConnect Script Troubleshooting

Connect your AnyConnect client, then execute each of the commands in the script locally to see why it’s not working.
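Two checks follow from the above: that the script actually landed in the Script folder, and (given Note 2) whether any 'net use' line in it ships a password to every endpoint. The Python below is an added example, not code from the original article or from Cisco. It parses the 'net use' drive mappings out of a batch script and reports embedded positional passwords, hard-coded /user: accounts and IP-literal servers. The AC_SCRIPT_DIR override and the SAMPLE_SCRIPT contents are my own assumptions and constructed data, not anything from the page, and the tool only understands .bat/.cmd scripts, not .vbs.

```python
"""Audit AnyConnect OnConnect batch scripts for embedded credentials.

Added example, not code from the original article. AnyConnect drops every
imported script on the Windows client under
  %ALLUSERSPROFILE%\\Cisco\\Cisco AnyConnect Secure Mobility Client\\Script
which is a machine-wide folder, so a password written into a `net use`
line is readable by anyone who can log on to that PC.
"""
import os
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Drop location quoted in the article. AC_SCRIPT_DIR is an assumed override
# so the audit can also be run against a copy of the scripts off-box.
SCRIPT_DIR = os.environ.get("AC_SCRIPT_DIR") or os.path.join(
    os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData"),
    "Cisco", "Cisco AnyConnect Secure Mobility Client", "Script")

DRIVE_RE = re.compile(r"^(?:[A-Za-z]:|\*)$")   # s:  or  * (next free letter)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.+)$")    # \\host\share[\path]
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Mapping:
    line_no: int
    drive: str
    host: str
    share: str
    password_embedded: bool   # positional password present (and not "*")
    user: Optional[str]       # value of /user:, if any
    host_is_ip: bool


def parse_net_use(line: str, line_no: int = 0) -> Optional[Mapping]:
    """Parse `net use <drive> \\\\host\\share [password|*] [/switches]`.

    Per `net use /?` the password is the optional token right after the
    UNC path; "*" means "prompt", so it does not count as embedded.
    Returns None for anything that is not a drive mapping.
    """
    tokens = line.strip().split()
    if len(tokens) < 4 or tokens[0].lower() != "net" or tokens[1].lower() != "use":
        return None
    if not DRIVE_RE.match(tokens[2]):
        return None
    m = UNC_RE.match(tokens[3])
    if not m:
        return None
    host, share = m.group(1), m.group(2)
    rest = tokens[4:]
    password_embedded = False
    if rest and not rest[0].startswith("/"):
        password_embedded = rest[0] != "*"
        rest = rest[1:]
    user = None
    for switch in rest:
        if switch.lower().startswith("/user:"):
            user = switch[len("/user:"):]
    return Mapping(line_no, tokens[2], host, share, password_embedded, user,
                   bool(IPV4_RE.match(host)))


def scan_script(text: str) -> List[str]:
    """Return one finding string per issue found in a batch script body."""
    findings: List[str] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue                      # blank line or batch comment
        m = parse_net_use(stripped, n)
        if m is None:
            continue
        target = "\\\\" + m.host + "\\" + m.share
        if m.password_embedded:
            findings.append(f"line {n}: embedded password for {m.drive} -> {target}")
        if m.user:
            findings.append(f"line {n}: hard-coded account {m.user!r} for {target}")
        if m.host_is_ip:
            findings.append(f"line {n}: IP literal {m.host} (fine, but a DNS name "
                            "must resolve over the tunnel)")
    return findings


def scan_dir(script_dir: Optional[str] = None) -> Dict[str, List[str]]:
    """Scan every .bat/.cmd in the AnyConnect Script folder; {} if absent."""
    folder = Path(script_dir or SCRIPT_DIR)
    results: Dict[str, List[str]] = {}
    if not folder.is_dir():
        return results
    for p in sorted(folder.iterdir()):
        if p.suffix.lower() in (".bat", ".cmd"):
            results[p.name] = scan_script(p.read_text(errors="replace"))
    return results


# Constructed sample (not from the article): the kind of mapping described
# in Note 2 next to one that relies on the logged-on user's credentials.
SAMPLE_SCRIPT = r"""@echo off
REM map the S: drive
net use s: \\192.168.1.10\share P@ssw0rd /user:ASA\peter /persistent:no
net use h: \\fileshare\home\%username% /persistent:Yes
net use t: \\fs01\tools * /user:corp\svc_tools
"""

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
    for name, found in scan_dir().items():
        print(name, "->", "; ".join(found) or "clean")
```

Run it on the client after connecting: an empty result from scan_dir() means the script never arrived (step 2 or step 5 above), while an "embedded password" finding means the credentials in Note 2 are sitting on disk for every user of that machine.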

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


22 Comments

  1. Will this work with Windows 10?

    • Will this work on an FTD?

      If so, is there documentation?

      Thanks

      • Great question: I've not tried it, but it's not on my list of things to investigate!

  2. Hi Pete,

    Is it possible to import 2 OnConnect scripts to the ASA?
    One for the Windows AnyConnect client and one for Mac.
    How do you differentiate?
    If a Windows AnyConnect client connects, then install the Windows script.
    If a Mac AnyConnect client connects, then install the Mac script.

    Thx in advance

    • TBH I've never tried it with a Mac, so I could not comment.

  3. Path provided under “Troubleshooting” section (%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect VPN Client\Script) does not match the path shown in the screenshot.
    The path in the screenshot is the correct path…
    %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script

  4. Where can I download Cisco ASDM?

    • Connect to the firewall's HTTP URL 🙂

      • Thank you,

        So the script downloads but either doesn’t run or takes a very long time. Any idea why?

        • It should only need to download once? I suppose it depends on what’s in the script! In these situations I tend to comment out all the lines in the script – put a simple echo / pause on the end then re-enable the script one line at a time.

          • This is all I have in the script.

            net use h: \\fileshare\home\%username% /persistent:Yes
            gpupdate /force /target:user

            The H drive never loads, and the user’s drives that map via GPO will map after about 5 minutes. It’s really weird. If I browse to the directory and launch the script, it will load the H drive instantly.

            I’ll keep playing with it, was just curious if you had any input.

            Thank you very much!

          • Is 'fileshare' the server name?

  5. Is there a way to ensure the “disconnect” script runs before the VPN tunnel is dropped so that if we want to write data to a server it can write that before the tunnel disconnects?

  6. Hi Pete!

    Thanks for this article! It helps…

    …but what about, e.g., the "net use" after the AnyConnect client asks me to change my AD pwd? This will not work, because the Win client still uses the cached credentials.

    Is there a way to start a script only after a pwd change?
    The idea is to force the user lock (rundll32.exe user32.dll, LockWorkStation).

    Or is there a way to detect the pwd change in the main logon script? But I would need this in different output languages…
    E.g. checking the difference between two dates with "net users %username% /domain" and searching for "Password expires", "Kennwort läuft ab" or other languages is different and not so easy. 🙁

    Thanks in advance!

  7. Hi,
    Is it possible to get the client OS version without having the Cisco AnyConnect APEX version? I mean, if we run any script that will report back to the firewall or store this information in a network share, so that we can make a list of computers which are running Windows 7.

  8. Hi Pete,

    very nice article, thank you very much!!

    I have a question. Is there a way I can use the same script to pass the credentials which I use to log in to the VPN to access shared folders? Basically single sign-on.

    • Honestly I'm not sure; you can use %username% in a script and your endpoint will resolve it (assuming you are authenticated as a domain user), but passwords are another matter, and if you frequently change them then it will break?

  9. Hi folks,
    First of all, I would like to thank you for the article.

    I have tried to follow these steps, but when I click "Ok" at the step in the 3rd screenshot the message below appears and I cannot edit. Could you help me?

    “Input is not a well-formed schema-compliant xml file. Invalid or unknown schema.”

    ASA 9.6(4)3 – ASDM 7.9(1)

  10. Hi Pete, Great article. Have you ever done this with a Mac?

    • Hi Jeff, I’ve not tried it with a Mac! And TBH I would be the best bet to ask! Looks like a question for TAC or the Cisco Security Forum. Sorry m8.

  11. Hi, thanks for the nice tutorial!
    In my case, the script is downloaded and probably executed, but the issue seems to be that it lacks admin privileges. I have to execute it manually in order to make it work. How do I make the script execute with the necessary privileges?

    Thanks,
    Jan

