Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9980
Views
6
Helpful
12
Replies

Anyconnect run local script after login for FTD appliance

Go to solution
ryan14
Level 1
Level 1

‎03-26-2020 05:05 AM

Hello,

 

I am trying to see if there is a way to run a login script after signing into Anyconnect? I see this thread but it applies to the ASDM/ASA:

https://community.cisco.com/t5/vpn/run-local-file-after-anyconnect-establishes-a-connection/td-p/2766367

 

Looking to do this via FMC on my FTD appliances.

 

Thanks.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to ryan14

‎03-26-2020 08:51 AM

Hi,

 

  1. You download the AnyConnect Profile Editor from Cisco, create a profile with scripting settings, assign it to your group policy.

  2. You deploy the scripts via other mechanisms (software distribution), or if not too many devices, plain old copy/paste.

 

Use this guide for reference, look in the scripting section.

 

Regards,

Cristian Matei.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni

‎03-26-2020 05:51 AM

Hi,

 

   Have not tested this on FTD, did it couple of times on ASA. Running a local script should work, as this is not dependent on the headend; its just that what happens locally on the end-device after the session is successfully established. You may not be able to deploy the scripts from FTD, but you could deploy it to the end client via other means (software distribution).

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 07:19 AM

It's not the deployment (of the script) that is the issue, it is getting it to execute AFTER connected to the VPN. Usually some VPN programs out there have a setting to run logon script after signon, but I don't see that on the Anyconnect.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to ryan14

‎03-26-2020 07:40 AM

Doing that as a function of the AnyConnect client requires us to use AnyConnect Customization/Localization feature.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/customize-localize-anyconnect.html#ID-1408-000003c2

That's not currently supported in FTD (as of 6.5).

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to Marvin Rhoads

‎03-26-2020 07:50 AM

Hi,

 

 @Marvin Rhoads You just configure/enble AnyConnect profile for scripting, and you deploy the scripts via other mechanisms (software deployment) in the proper path on the end user's station. You would need to make use of AnyConnect Customisation feature if you would want the FTD to push over the scripts.

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 08:07 AM

Thanks everyone for your feedback. How would you do this "You just configure/enble AnyConnect profile for scripting" in the FMC?

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to ryan14

‎03-26-2020 08:51 AM

Hi,

 

  1. You download the AnyConnect Profile Editor from Cisco, create a profile with scripting settings, assign it to your group policy.

  2. You deploy the scripts via other mechanisms (software distribution), or if not too many devices, plain old copy/paste.

 

Use this guide for reference, look in the scripting section.

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
ryan14
Level 1
Level 1
In response to Cristian Matei

‎03-26-2020 10:34 AM

Found it thanks. For testing purposes, I'm assuming this has to be uploaded to the firewall to test? I tried putting the test xml in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile and moving the old one and it appears it ignored my test script in the script folder. 

0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to ryan14

‎03-26-2020 11:56 AM

Hi,

 

   Look in the guide i've referenced, it's well explained.

 

Regards,

Cristian Matei.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Cristian Matei

‎03-26-2020 09:10 PM

Thanks @Cristian Matei I didn't read down far enough in the AnyConnect admin guide to see that deploying scripts manually or via alternative software deployment tools is an option. That's good to know.

@ryan14 it looks like, for Windows hosts, you should put the scripts in 

%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script

..according to this:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/administration/guide/b_AnyConnect_Administrator_Guide_4-8/customize-localize-anyconnect.html#ID-1408-000003c2

Go to solution
ryan14
Level 1
Level 1
In response to Marvin Rhoads

‎03-27-2020 05:08 AM

I tested this last night and it appeared to work. My net use script did remap the drive.

 

Make sure you append OnConnect in the file name. I was more worried creating a new group in anyconnect policy might drop RAVPN existing connections, but it did not in my test.

0 Helpful

Go to solution
phipse_508122
Level 1
Level 1

‎08-21-2023 02:44 AM

I know this is an old post, but has anything changed?
Are you now able to use the FTD to deploy the script?

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to phipse_508122

‎08-21-2023 04:14 AM

@phipse_508122 AnyConnect customization is projected to be included in FMC 7.4.

However that won't be generally available until later this year so we will have to wait until then to see if it makes the cut as a new feature.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents