25381 Views | 32 Helpful | 8 Replies

Cisco Anyconnect VPN Onconnect Scripts Using Powershell

rfranzke
Level 1

Hello All. Has anyone tried using the onconnect scripting tools for ASA AnyConnect VPNs using Windows PowerShell scripts? Trying to deploy a script which starts an RDP session after connecting to the VPN. Script works fine locally, and downloads through AnyConnect, but cannot execute. The issue is that Windows will not run PS scripts from the current directory by default. Need to use .\scriptname.ps1 to get them to run. If anyone knows the trick to getting PS to run via AnyConnect onconnect tools I would appreciate the help. Options are:

 

get anyconnect to run the script using .\ in front of the command or

use a batch file to call the PS script.

 

I am told you can have scripts call other scripts using the onconnect tools, but have not been able to find a single example of how to get it to work. Thanks in advance for the help.

Accepted Solution

I know this is somewhat old now, but I wanted to add how I ended up finally fixing this. Originally what I did was create a batch script that was executed when a user logged into the VPN. This batch script would connect to a Windows share on our internal network, copy down a PowerShell script along with the related support files to the user's local machine. The batch would then execute the PowerShell script that was downloaded. This worked fine initially and got the desired result. We recently replaced the NAS device this share was hosted on, which for whatever reason resulted in certain clients being unable to access the share and thus download the PowerShell script for execution. Some clients have differing AV clients which might block files from being downloaded. It just became too unreliable. I searched for a different way and finally came up with the fix, which as it turns out is so much less complicated than the way I was originally trying to do this. I ended up configuring the ASA device to use two different scripts for Windows clients when they log in. First I configured one script for use on the ASA, and then configured a second script for use on the ASA for VPN Onconnect execution. So what happens here is that when an AnyConnect client connects to the VPN, the ASA actually automatically downloads two different scripts to the client's local hard drive. One script is just a batch script that has code in it to execute the second script, which is my PowerShell code. Since the ASA is configured to use two scripts, each one gets downloaded to the local client. No more having to connect to a share to copy the files, potentially exposing passwords, or perhaps not being able to download the files needed at all from the share. What's more, the scripts get downloaded any time they are changed.
If you make a change to the scripts, you just re-upload them to the ASA, re-configure the VPN configuration to use them, and your changes get re-downloaded to the client upon connecting to the VPN. Then it's just a matter of having the batch script call the PowerShell script in the path it gets downloaded to by the ASA.

 

I had originally tried this method, and the ASA would download both scripts, but I could never get the PowerShell one to execute. It seemed as though the ASA was confused about which script to execute when there were two of them, or that it was executing the PowerShell script first, which would never work because it's PowerShell. I tried this again tonight and finally got it to work. The key was uploading the PowerShell code to the ASA first, and then adding the batch script second. This seemed to order the two scripts in such a way as to allow the batch to run first, which then will run the PowerShell code. I may have also had the path incorrect when I originally tried this. I forgot that the PowerShell file that gets downloaded has a prefix added to the filename of "Onconnect_". So UserRDP.ps1 becomes "Onconnect_UserRDP.ps1" when it's added to the VPN configuration. It's possible it would not work because I was not calling the correct filename with the prepended prefix in the batch file. Not sure. Anyway, it's working now.

 

For anyone else wanting to do this, try the following:

 

1. Create your PowerShell script

2. Create your batch file. The batch file should just have the following in it: 

 

@echo off
rem Run the PowerShell script the ASA pushed down alongside this batch file.
rem The ASA prefixes the uploaded filename with "Onconnect_", so call that name.
powershell.exe -ExecutionPolicy Bypass -File "%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script\Onconnect_<PowerShellScriptName>.ps1"

 

3. Upload both scripts to the ASA flash filesystem

4. Add a new onconnect script for Windows clients to your VPN configuration. Choose the PS script you created in step one. Ignore the warning about the script not being executable and continue importing the script.

5. Add a second Onconnect script to the ASA VPN configuration. This time choose the batch file that you created in step two.

 

That's it. The ASA should download both scripts locally, and execute the batch script first to then call the locally downloaded PowerShell script. Just wanted to finish this out in case anyone else tries to do something similar. HTH.
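As an added illustration of the PowerShell side of this setup (not the poster's own UserRDP.ps1, which is not shown in the thread), here is a script that does what the thread describes: a Windows Forms prompt for the computer name, then an RDP session via mstsc.exe. It assumes it is launched by the batch wrapper above from the AnyConnect Script directory, so $PSScriptRoot points at that directory; the log file name, the optional banner.png support file and the form labels are assumptions. The input check matters because the typed value becomes a command-line argument: restricting it to a hostname or IPv4 literal keeps a user from passing extra mstsc.exe switches, and the log gives the helpdesk a record of what the onconnect script actually did.

```powershell
# Onconnect_UserRDP.ps1 (added example, not the thread's original script).
# Assumes: run by the batch wrapper with -File from the AnyConnect Script directory,
# an interactive desktop session, and mstsc.exe available (standard on Windows).
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Log next to the script so support staff can see what ran after each connect.
$logPath = Join-Path $PSScriptRoot 'Onconnect_UserRDP.log'   # assumed file name
function Write-Log([string]$msg) {
    "$(Get-Date -Format o) $msg" | Out-File -FilePath $logPath -Append -Encoding utf8
}

# Accept only a hostname, FQDN or IPv4 literal (RFC 1123 label rules) so the value
# cannot carry extra switches or spaces into the mstsc.exe command line.
function Test-RdpTarget([string]$target) {
    return $target -match '^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Build the form: label, text box, Connect button, optional image pushed as a support file.
$form = New-Object System.Windows.Forms.Form
$form.Text          = 'Connect to your office PC'
$form.Size          = New-Object System.Drawing.Size(360, 200)
$form.StartPosition = 'CenterScreen'
$form.TopMost       = $true

$banner = Join-Path $PSScriptRoot 'banner.png'   # hypothetical support file; skipped if absent
$top = 10
if (Test-Path $banner) {
    $pic = New-Object System.Windows.Forms.PictureBox
    $pic.Image    = [System.Drawing.Image]::FromFile($banner)
    $pic.SizeMode = 'Zoom'
    $pic.Location = New-Object System.Drawing.Point(10, $top)
    $pic.Size     = New-Object System.Drawing.Size(320, 40)
    $form.Controls.Add($pic)
    $top += 50
}

$label = New-Object System.Windows.Forms.Label
$label.Text     = 'Computer name:'
$label.AutoSize = $true
$label.Location = New-Object System.Drawing.Point(10, $top)

$textBox = New-Object System.Windows.Forms.TextBox
$textBox.Location = New-Object System.Drawing.Point(10, ($top + 25))
$textBox.Width    = 320

$ok = New-Object System.Windows.Forms.Button
$ok.Text         = 'Connect'
$ok.Location     = New-Object System.Drawing.Point(10, ($top + 60))
$ok.DialogResult = [System.Windows.Forms.DialogResult]::OK
$form.AcceptButton = $ok

$form.Controls.AddRange(@($label, $textBox, $ok))

if ($form.ShowDialog() -ne [System.Windows.Forms.DialogResult]::OK) {
    Write-Log 'User cancelled the RDP prompt'
    exit 0
}

$target = $textBox.Text.Trim()
if (-not (Test-RdpTarget $target)) {
    [System.Windows.Forms.MessageBox]::Show("'$target' is not a valid computer name.", 'Invalid input') | Out-Null
    Write-Log "Rejected input: $target"
    exit 1
}

# /v:<server> is the documented mstsc.exe switch for the target computer.
Write-Log "Launching mstsc.exe for $target"
Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$target"
```

Upload this as UserRDP.ps1 and the batch wrapper as the second onconnect script; the wrapper's -File argument then has to name Onconnect_UserRDP.ps1, as the thread notes. Because the wrapper runs the script with -ExecutionPolicy Bypass, nothing here depends on the machine's execution policy.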


8 Replies

Francesco Molino
VIP Alumni

Hi

 

I'm not very familiar with powershell, more a Linux guy 😀

 

I'm not sure, but you won't be able to run a PS script from an onconnect script.

The best way to achieve that would be to run a cmd file that can call any other scripts on the machine. 

 

Just out of curiosity, what are you trying to do over the powershell script? Isn't doable from a standard batch?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I was trying to bring up more of a GUI environment for users instead of regular command windows. Where I work, console windows frighten people. So I was bringing up a Windows form where users can enter some text in the form's box. Stuff like that. More than just the typical net use commands and whatnot.

 

How would one call a script from another script using the onconnect AnyConnect tools? The way I need this to work is to have the script on the ASA, have it downloaded to the local machine, and then executed. I can call a batch file, and execute PowerShell from the batch by calling the PowerShell exe and the path to the PS script file, but it seems for that to work the PS script file would already need to be on the machine. In my case it's not.

 

So if I were to have a batch file as the onconnect script I run, and in it run powershell.exe -path <path to powershell script to run>, how can I get the powershell file from the ASA to the local client for it to execute. Or when the admin guide says you can call scripts from other scripts, what they mean is that the scripts called from other scripts would need to either be shell commands, or batch files already on the local disk of the VPN client machine. Is there no way I can do the following:

VPNLogin---->Onconnect----->commands.bat---->run powershellscript.ps1. It seems like all you can do with the onconnect scripts is load a single script on the ASA.

There is some sort of PS-to-exe converter available from MS, but I have a hard time believing all functionality will still be there in the resulting exe.

Any thoughts here will be appreciated.

You can only download 1 script from the ASA that will be launched on the connect or disconnect event.

To achieve that, yes, you would need to have the other batch or script already on the machine so that it can be called from the batch downloaded from the ASA.

 

What you can also do is download the batch script from the ASA, which will do an scp to the ASA to download another batch or script from the ASA disk to the local machine disk. Then the 2nd step of your batch is to execute that downloaded script.

 

Is that clear?

Otherwise you will need to try PS-to-exe and execute your exe file.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, thanks for the reply here. I thought about this some just before seeing your post and it became clear the only way to get this done was in two steps, as you pointed out. I tried converting the PS to an exe file and using just that. I could get the file to download, and actually execute, but for some reason the exe did not actually do anything. It worked fine by itself when executed locally, but did nothing when executed using AnyConnect. It was running but never did anything coded in the original PS script. I just killed it in Task Manager.

I also tried to upload two scripts to the ASA: the batch file I wrote and the PS script I wrote. The thinking here is that this would allow me an easy way to get both scripts downloaded to the local machine for execution. It did just that, but seemed to confuse the ASA as to which script needed to be run. The end result is nothing would run, so I moved on.

I finally got this working tonight after some throwback Windows batch coding re-education (thank goodness for PowerShell is all I can say). For those who are interested, here is what I ended up doing.

 

I created a batch file that connects to a network share, copies down the Powershell script I wrote to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script using robocopy, and then executes it using the following command:

powershell.exe -ExecutionPolicy Bypass -File "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Script\UserRDP.ps1"

 

Executing the script this way allows you to bypass the configured powershell execution policy on the local machine, allowing the script to run, while not needing to reconfigure the machine at all.

While I would prefer to just have the ASA include PS scripts as a valid scripting option for OnConnect scripts, this current method does work. What is this 1995? Batch scripts really? It also allows me the opportunity to not only download the PS scripts themselves, but also any needed support files (since this script was an interactive forms based script, I included a nice image file in the form which I downloaded as part of my download commands).

Anyway thanks for the replies.
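Whichever delivery method is used (the share-and-robocopy approach in this post, or the two-script upload in the accepted solution), an administrator will want a way to confirm what actually landed in the AnyConnect Script directory on a client and that it matches the files they uploaded. The following is an added example, not code from the thread or from Cisco: it inventories that directory, hashes each file, checks the Authenticode status of any .ps1, and compares each file against a reference copy of the originals. It assumes the Script directory path given in this thread, that the ASA prefixes uploaded names with "Onconnect_" as the accepted solution reports, and a hypothetical reference folder C:\asa-scripts holding the files as uploaded.

```powershell
# Added example (not from the thread): audit the scripts AnyConnect placed on a client.
# Assumes the Script directory path used in this thread and a reference folder of the
# originals as uploaded to the ASA (both are parameters; C:\asa-scripts is hypothetical).
param(
    [string]$ScriptDir    = (Join-Path $env:ALLUSERSPROFILE 'Cisco\Cisco AnyConnect Secure Mobility Client\Script'),
    [string]$ReferenceDir = 'C:\asa-scripts'
)

function Get-OnconnectInventory {
    param([string]$Dir, [string]$RefDir)

    if (-not (Test-Path -Path $Dir)) {
        Write-Warning "Script directory not found: $Dir"
        return
    }

    Get-ChildItem -Path $Dir -File | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash

        # The ASA prepends "Onconnect_" to the uploaded name (per the thread); strip it
        # to find the original file in the reference folder. Other names are left as-is.
        $origName = $_.Name -replace '^Onconnect_', ''
        $refPath  = Join-Path $RefDir $origName
        $refHash  = if (Test-Path -Path $refPath) {
            (Get-FileHash -Path $refPath -Algorithm SHA256).Hash
        } else { $null }

        # Authenticode status is only meaningful for PowerShell scripts here; batch files
        # carry no signature, so report n/a rather than an error.
        $sigStatus = if ($_.Extension -ieq '.ps1') {
            (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        } else { 'n/a' }

        [pscustomobject]@{
            Name      = $_.Name
            Modified  = $_.LastWriteTime
            SHA256    = $hash
            Signature = $sigStatus
            Reference = if ($null -eq $refHash) { 'missing' }
                        elseif ($refHash -eq $hash) { 'match' }
                        else { 'MISMATCH' }
        }
    }
}

$inventory = Get-OnconnectInventory -Dir $ScriptDir -RefDir $ReferenceDir
$inventory | Format-Table -AutoSize

# Non-zero exit lets a management tool flag clients whose scripts do not match.
if ($inventory | Where-Object { $_.Reference -ne 'match' }) { exit 1 } else { exit 0 }
```

Run it from an elevated prompt on a client after a VPN connect; a MISMATCH or missing entry tells you the client is not running the script you uploaded (stale copy, blocked download, or a file that did not come from the ASA), which is exactly the failure mode this post describes with the share-based method.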

Thanks for your feedback.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

So here is another question. Is there any way to extrapolate the username and password pair a user types into the VPN client window for use in a script run after the VPN connects?

I'm quite sure this is not possible, but I need to do some research and tests. However, maybe by giving the opportunity to connect through a CLI script (batch) you may be able to get these values into variables and then mount the VPN (without launching the AnyConnect GUI).

Let me take some time to check that with anyconnect client

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
