KB ID 0001353
Problem
I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked.
After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.
Why would you want to do this? You might want to map/reconnect a mapped drive, or perform anything that’s usually achievable with a login script.
Solution
1. First make sure you have your script. I’m using a simple batch file, but you can also use .vbs. As you can see, my script just maps a drive (s:) to a network share on the machine you are looking at.
Note: I’ve used an IP address rather than a DNS name, there’s nothing wrong with using a DNS name, providing your remote AnyConnect clients are able to resolve that hostname.
Note2: I’m also embedding the username and password in the drive mapping request. This is because my AnyConnect uses LOCAL usernames and passwords on the ASA, so the server wouldn’t be able to authenticate the request.
2. To ‘embed’ this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select ‘Script runs when client connects‘ > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.
3. The script won’t run unless scripts are allowed in the VPN Client Profile. Note: You may, or may not, already have a client VPN Profile. Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (if you don’t know, connect with an AnyConnect client, and see what is shown under ‘Group‘) > OK.
4. Edit your policy.
5. Preferences (Part 2) > Tick ‘Enable Scripting‘ > Tick ‘User Controllable‘ (Note: this just lets a user untick enable scripting in their client software) > OK.
6. Save the changes > Apply > File > Save Running Configuration to Flash.
Troubleshooting AnyConnect OnConnect / Logon Scripts
If there’s a problem (i.e. it does not work), your first task is to make sure the client got the script. It saves it in the following location:
%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script
Connect your AnyConnect client, then execute each of the commands in the script locally to see why it’s not working.
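A PowerShell check for this troubleshooting step, added here as an example and not part of the original article: it lists what the client downloaded into the folder above, shows which accounts can read that folder, and flags `net use` lines that carry a literal password as in Note2, because that password sits in clear text in the file on every client. The function name and the sample lines are constructed for illustration.

```powershell
# Added example. Folder path is the one given in the article; the function
# name and the sample lines are constructed for illustration.
$ScriptDir = Join-Path $env:ALLUSERSPROFILE 'Cisco\Cisco AnyConnect Secure Mobility Client\Script'

function Find-InlineNetUsePassword {
    param([string[]]$Lines)
    $n = 0
    foreach ($line in $Lines) {
        $n++
        if ($line -notmatch '^\s*@?\s*net(\.exe)?\s+use\s') { continue }
        # Tokenise, keeping "quoted strings" together.
        $tokens = @([regex]::Matches($line, '"[^"]*"|\S+') | ForEach-Object { $_.Value })
        $unc = -1
        for ($i = 0; $i -lt $tokens.Count; $i++) {
            if ($tokens[$i].Trim('"').StartsWith('\\')) { $unc = $i; break }
        }
        if ($unc -lt 0) { continue }
        # After the share, a token that is neither a /switch nor the "*"
        # prompt is a literal password (before or after /user:).
        $bare = @($tokens | Select-Object -Skip ($unc + 1) |
                  Where-Object { $_ -notmatch '^/' -and $_ -ne '*' })
        if ($bare.Count -gt 0) {
            [pscustomobject]@{ Line = $n; Share = $tokens[$unc] }
        }
    }
}

# Constructed sample: the first line embeds a password, the second prompts for it.
$sample = @(
    'net use S: \\192.0.2.10\share ExamplePassw0rd /user:exampleuser /persistent:no',
    'net use T: \\192.0.2.10\share * /user:exampleuser'
)
Find-InlineNetUsePassword -Lines $sample | Format-Table -AutoSize | Out-String

if (Test-Path -Path $ScriptDir) {
    foreach ($file in Get-ChildItem -Path $ScriptDir -File) {
        '{0} ({1} bytes, modified {2})' -f $file.Name, $file.Length, $file.LastWriteTime
        Find-InlineNetUsePassword -Lines (Get-Content -Path $file.FullName) |
            ForEach-Object { '  line {0}: clear-text password for {1}' -f $_.Line, $_.Share }
    }
    # Accounts that can read the downloaded script.
    (Get-Acl -Path $ScriptDir).Access |
        Select-Object IdentityReference, FileSystemRights |
        Format-Table -AutoSize | Out-String
} else {
    "Script folder not found: $ScriptDir"
}
```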