vpncli.exe - how to select between two registered devices for MFA

trainingday
Level 1

Hello everyone,

I am using vpncli.exe to programmatically connect to a Cisco VPN. The VPN has MFA enabled, and since it is possible to have two devices registered per user, I need to select which device should be used for MFA when connecting to the VPN.

When I use the Windows client, I get a pop-up window asking me whether I want to use the 1st or 2nd device for the MFA.

Now, when I use vpncli.exe, I would like to specify on the command line or in my script, that I would like to use device 1 (or device 2) for the MFA. So that the user ONLY needs to confirm the login attempt on his/her device and DOES NOT need to select which device shall be used.

I had hoped to be able to write something like "vpncli.exe connect domain.com user myuser pass mypassword category 2" on the command line. I guessed the "category" command because the prompt on the command line, asking the user to select between two devices, asks for category 1 or category 2. But it does not work this way, and I did not find any hint about selecting between devices in the docs.

How do I do that? Thank you very much in advance!


At present, the Cisco AnyConnect Secure Mobility Client (vpncli.exe) does not support the ability to select a specific device through the command line for multi-factor authentication (MFA).

The MFA device selection is typically managed by the identity provider (like Duo, for example), not the VPN client itself. When the VPN client sends the authentication request, the identity provider prompts the user to select which MFA device they want to use. This is usually done interactively.

If you want to automate the selection, you might need to look into the APIs provided by your identity provider. They might offer a way to programmatically select a device for MFA.

This is a good suggestion for a new feature, and I recommend that you contact Cisco's support or your account manager to submit a feature request. They can provide you with more direct assistance and the ability to influence product development.

Please note, however, that implementing such a feature could have security implications, as it would allow a user to bypass one of the factors in multi-factor authentication. This might not be desirable from a security perspective.

Remember, the purpose of MFA is to provide an extra layer of security by requiring users to authenticate through multiple methods. Allowing a script to bypass one of these factors could potentially weaken your security posture.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Thank you for your response. I found an alternative way using the response file. I simply placed the number of the device I want to use as the second factor in the third row of the response file. Works pretty nicely. And thank you for pointing out the possible weakening of the security measures. I will consider that!
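The response-file workaround above, as an added PowerShell example that is not from this thread or from Cisco. It assumes vpncli.exe's "-s" mode reads the answers to its prompts from stdin and that the rows are username, password and MFA device number (the reply only says the device goes in the "third row"); the VPN host and install path are placeholders. The rows are piped over stdin instead of being written to a file, so the password is not stored in plaintext on disk.

```powershell
# Added example, not code from the thread. ASSUMPTIONS: vpncli.exe's "-s" mode
# reads prompt answers from stdin; the rows are username, password, MFA device
# number (the thread only says the device number goes in the "third row");
# the host and install path below are placeholders.
param(
    [string]$VpnHost = 'vpn.example.com',   # placeholder VPN head-end
    [ValidateSet(1, 2)][int]$MfaDevice = 2, # registered device that should receive the MFA prompt
    [string]$VpnCli  = "${env:ProgramFiles(x86)}\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe"
)

if (-not (Test-Path $VpnCli)) { throw "vpncli.exe not found at $VpnCli" }

# Ask for the credential at run time instead of keeping it in a script or response file
$cred  = Get-Credential -Message "VPN credentials for $VpnHost"
$plain = $cred.GetNetworkCredential().Password

# The same three rows a response file would hold, in prompt order:
# row 1 username, row 2 password, row 3 MFA device number.
# Piping them is the PowerShell equivalent of "vpncli.exe -s connect host < response.txt"
# (the "<" redirection operator is not available in PowerShell).
$rows = @($cred.UserName, $plain, "$MfaDevice")
try {
    $rows | & $VpnCli -s connect $VpnHost
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "vpncli.exe exited with code $LASTEXITCODE"
    }
}
finally {
    # Drop the plaintext password from memory as soon as the client has consumed it
    $plain = $null
    $rows  = $null
}
```

The user still has to approve the push or code on the chosen device; the script only removes the device-selection prompt.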
