AppleScript to generate a SecurID token and automatically connect to a Cisco VPN

Apple obviously hates copy and paste. They didn't add it to the iPhone for years, and even when they did add it, they only briefly allowed users to paste into the VPN password field, removing it with one of the first incremental updates to OS 3.0. Luckily there's an app for that – CopyPasteFix, only for jailbroken iPhones.

And then came Snow Leopard, OS X 10.6. They included built-in IPSEC VPN, freeing users from the shackles of the horrible Cisco IPSEC client. But yet again, Apple decided that users don't need to copy and paste text into the password field.

For anyone with an OTP soft token (like an RSA SecurID), this is a pain in the ass. Half the benefit of generating a passcode on the same device you're using it on is not having to type it.

Enter AppleScript, everyone's favorite natural language that thinks it's acceptable to use apostrophes when referencing variables. I've never actually written an AppleScript longer than tell application "iTunes" to playpause, so this was new ground for me. Joe mentioned he has a similar script for the junky non-RSA soft token solution he uses, but he left the country immediately after taunting me with the prospect of getting the code.

If you're doing any moderately serious AppleScript development, I highly recommend Script Debugger from Late Night Software. It was invaluable for seeing what objects and properties were really available, and for troubleshooting errors.

What it does

  • Prompts for your SecurID PIN (you can save this in the script, I highly recommend you NOT do that)
  • Launches the SecurID application (if it's already running it quits it first), generates a token, stores the token in a variable, and then quits the SecurID application
  • Kicks off the VPN connection process, types in the generated passcode when the window is available, and logs in.

If there's a banner with terms to accept, the script won't click OK on it for you.

Download the script, view the source code and read more at the project page.

Re-enabling the Cisco VPN client PIN prompt

If you use a recent Cisco VPN Client with the RSA SecurID integration, you only have to enter your PIN instead of a passcode. At some point one of the VPN concentrators I connect to changed its configuration and my PIN prompt changed back to Password [1].

I did some digging into how the RSA integration works and discovered that the magic begins with stauto32.dll. stauto32.dll is the RSA SecurID Software Token API which allows third-party vendors to retrieve passcodes from a token.

There are also two very important entries you can modify in your PCF file which affect the VPN Client's integration with the SecurID soft token.

  • SDIUseHardwareToken – Enables a connection entry to avoid using the RSA soft token.
    0 = Yes, use RSA SoftID (default)
    1 = No, ignore RSA SoftID software installed on the PC.
  • RadiusSDI – Tells the VPN client to assume Radius SDI is being used for extended authentication (XAuth).
    0 = No (default)
    1 = Yes

My .pcf file was missing the RadiusSDI parameter. Once I added it I was able to toggle the Cisco VPN Client PIN/Password prompt by changing the value of RadiusSDI in my .pcf file to 1/0.

So if you only want to be prompted for your PIN with a Cisco VPN Client, make sure that in your .pcf file you have:

RadiusSDI=1
SDIUseHardwareToken=0

Files

  • vpnclient.ini (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\
  • .pcf profile file (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\Profiles

Resources

  1. Actually I found an old email with the new .pcf file and a warning that if I didn't start using it my VPN client would stop working, but I assumed I'd installed the new profile everywhere.

Manually removing Cisco VPN on OS X

For Christmas my MacBook Pro hard drive decided to die at the ripe old age of 6 months. Go Hitachi!

I restored from a Time Machine backup and installed the full 10.5.6 update. After rebooting the Cisco VPN kernel module would load, attach to the VMware interfaces and immediately trigger a kernel panic and halt the machine after attaching to en0, the onboard ethernet.

I'm fairly positive that no one at Cisco works full-time on the ipsec VPN client anymore given that it never works with a new release of OS X and seems to stop working on alternating dot-release updates.  Cisco isn't biased though, the ipsec client still doesn't work right on 32-bit Vista (hey, Vista is only two years old, these things take time!), and there is not, nor will there ever be, an ipsec client for 64-bit versions of Windows.

The latest release of the VPN client for OS X is 4.9.01 (0100), which was released over a year ago on December 6, 2007. Cisco's commitment to the product is evident with the release notes for their "latest" version, which is still listed as 4.9.00 (0050). While this is a bit tongue in cheek, I do think that Cisco's ipsec vpn client is a dead product. They're pushing the SSL/TLS AnyConnect VPN client hard, and AnyConnect shows signs of being an actively maintained product. It also supports x64 versions of Windows.

Manually removing the VPN client

  1. Reboot into single user mode by holding command-S while the computer boots
  2. Remount the / filesystem as read-write (it's read-only by default)
    /sbin/mount -uw /
  3. Run the uninstaller:
    /usr/local/bin/vpn_uninstall

At this point things will either work, or you'll receive an error saying that you need to be the super user (root). That's odd considering you ARE root.

The problem is in these two lines:

ID="/usr/bin/id"
WHOAMI=`$ID|sed -e 's/(.*//'`

When you're in single-user mode the id command fails, returning "Bus error" instead of a line like

uid=501(cfg) gid=20(staff) groups=20(staff),98(_lpadmin),81(_appserveradm),79(_appserverusr),80(admin)

You'll need to edit the vpn_uninstall script by hand and fake the check. Use nano or your preferred editor to edit the file.

nano /usr/local/bin/vpn_uninstall

Add a new line right after WHOAMI=`$ID|sed -e 's/(.*//'`:

WHOAMI="uid=0"

The file should now look like:

ID="/usr/bin/id"
WHOAMI=`$ID|sed -e 's/(.*//'`
WHOAMI="uid=0"

Save the file (ctrl+o, enter, ctrl+x, enter) and re-run /usr/local/bin/vpn_uninstall. At this point it should uninstall successfully and you can type reboot to restart sans VPN client.
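As an added example (not part of Cisco's uninstaller and not the page's own fix), the functions below show the same sed transform the uninstaller applies to the output of id, plus a root check that falls back to the shell's EUID/UID variables when id fails, so a script doing this check would not wrongly refuse to run in a single-user root shell. The function names are mine; the sample id line is the one shown on this page.

```shell
#!/bin/sh
# Added example: a root check in the style of vpn_uninstall that survives
# id(1) failing (the page shows it returning "Bus error" in single-user mode).

# Same transform the uninstaller uses: keep everything before the first "(".
#   "uid=501(cfg) gid=20(staff) ..."  ->  "uid=501"
uid_from_id_output() {
    printf '%s\n' "$1" | sed -e 's/(.*//'
}

# Ask id(1) first; if it fails or prints nothing, fall back to the EUID/UID
# variables that bash and zsh set (plain sh does not guarantee them).
effective_uid() {
    uid=$(id -u 2>/dev/null) || uid=""
    if [ -z "$uid" ]; then
        uid="${EUID:-${UID:-}}"
    fi
    printf '%s\n' "$uid"
}

# Returns 0 for root, 1 for a non-root user, 2 when the uid cannot be determined
# (instead of the uninstaller's misleading "you need to be the super user").
require_root() {
    uid=$(effective_uid)
    case "$uid" in
        0)  return 0 ;;
        "") echo "cannot determine uid (id failed); in single-user mode you are root" >&2
            return 2 ;;
        *)  echo "You must be the super user (root) to run this." >&2
            return 1 ;;
    esac
}

# Usage: the uninstaller could call require_root instead of comparing WHOAMI.
# require_root || exit $?
```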

Cisco VPN connections from an iPhone

While there currently isn't any BES-like point of entry for an iPhone to gain access to a corporate network, it's trivial to establish a Cisco IPsec VPN connection.

Getting Started

You'll need the following information:

  • VPN Server
  • User account name
  • User password
  • Group name
  • Group password

You should know your user account name and password and you can obtain the VPN Server, Group name and Group password from your .pcf file. A PCF file typically contains an encrypted password which you can decrypt using my Cisco VPN Password Decryption page. You can also ask your VPN administrator for the plain text password.

Sample PCF File

The VPN server can be found after Host= in the pcf file. Group Name is after GroupName=, Group Password is after enc_GroupPwd= or GroupPwd=. Asterisks added below for emphasis.

[main]
Description=Connect to Company VPN
****Host=your-vpn-server.coreygilmore.com
AuthType=1
****GroupName=accounting
GroupPwd=
****enc_GroupPwd=9196FE0075E359E6A2486905A1EFAE9A11D652B2C588EF3FBA15574237302B74C194EC7D0DD16645CB534D94CE85FEC4
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=CorpDomain
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=1
EnableNat=1
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
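The two things this page pulls out of a .pcf file, the RadiusSDI/SDIUseHardwareToken pair that decides the PIN-versus-password prompt and the Host/GroupName/GroupPwd/enc_GroupPwd values needed for the iPhone configuration, can be read with an ordinary INI parser. The script below is an added example, not code from this site; the sample profile it embeds is constructed (placeholder host, group and hex blob laid out like the sample above), and its prompt() rule encodes only the combination this page reports (RadiusSDI=1 with SDIUseHardwareToken=0 gives the PIN prompt), not the client's full behaviour. It does not decrypt enc_GroupPwd; it only flags that decryption is still needed.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample profile, laid out like the one on this page. The host,
# group and hex blob are placeholders, not values from any real profile.
SAMPLE_PCF = """[main]
Description=Connect to Company VPN
Host=vpn.example.com
AuthType=1
GroupName=accounting
GroupPwd=
enc_GroupPwd=00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
RadiusSDI=1
SDIUseHardwareToken=0
EnableNat=1
DHGroup=2
"""


@dataclass
class PcfProfile:
    host: str
    group_name: str
    group_secret: Optional[str]      # plaintext GroupPwd, if the profile carries one
    enc_group_secret: Optional[str]  # enc_GroupPwd hex blob, if present
    radius_sdi: int                  # RadiusSDI (0 when absent, the documented default)
    use_hardware_token: int          # SDIUseHardwareToken (0 when absent, the default)

    @property
    def secret_needs_decrypt(self) -> bool:
        """True when only the encrypted group password is available."""
        return not self.group_secret and bool(self.enc_group_secret)

    @property
    def prompt(self) -> str:
        """Credential the client asks for, per the RadiusSDI=1 /
        SDIUseHardwareToken=0 combination this page found gives a PIN prompt."""
        if self.radius_sdi == 1 and self.use_hardware_token == 0:
            return "PIN"
        return "Password/passcode"


def parse_pcf(text: str) -> PcfProfile:
    """Read the [main] section of a .pcf profile (an INI-style file)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so enc_GroupPwd and GroupPwd stay distinct
    cp.read_string(text)
    main = cp["main"]

    def flag(key: str, default: int) -> int:
        raw = main.get(key, "").strip()
        return int(raw) if raw else default

    return PcfProfile(
        host=main.get("Host", "").strip(),
        group_name=main.get("GroupName", "").strip(),
        group_secret=main.get("GroupPwd", "").strip() or None,
        enc_group_secret=main.get("enc_GroupPwd", "").strip() or None,
        radius_sdi=flag("RadiusSDI", 0),
        use_hardware_token=flag("SDIUseHardwareToken", 0),
    )


def iphone_fields(p: PcfProfile) -> dict:
    """Map the profile onto the iPhone IPSec fields this page describes."""
    secret = p.group_secret or "<decrypt enc_GroupPwd first>"
    return {"Server": p.host, "Group Name": p.group_name, "Secret": secret}


def set_option(text: str, key: str, value: str) -> str:
    """Return the profile with key=value set, appending the line if the key is
    missing. Line-based so order, key case and empty values elsewhere survive;
    assumes a single [main] section, as in the sample."""
    out, found = [], False
    for line in text.splitlines():
        name, sep, _ = line.partition("=")
        if sep and name.strip().lower() == key.lower():
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    profile = parse_pcf(SAMPLE_PCF)
    print("prompt:", profile.prompt, "| iPhone fields:", iphone_fields(profile))
    print("with RadiusSDI=0:", parse_pcf(set_option(SAMPLE_PCF, "RadiusSDI", "0")).prompt)
```

set_option is deliberately line-based rather than writing the file back through configparser, which would lowercase keys and reorder entries in a profile the Cisco client has to keep reading.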

Adding the Connection

From the Home screen on the iPhone open the Settings application. Navigate through General > Network > VPN. Tap Add VPN Configuration and choose IPSec.

Using the information provided to you by your VPN administrator or gleaned from the PCF file, fill out the fields. If you use a SecurID for authentication leave the Password field empty and you will be prompted for it each time you connect.

About the Fields

Description – This can be anything you want.
Server – The VPN server IP or domain name. Host from your PCF file.
Account – Your VPN (or SecurID) username.
Password – Your VPN password. Leave blank to be prompted (or if you use a SecurID or other token).
Group Name – Your VPN group name. GroupName in the PCF file.
Secret – The Group Password. GroupPwd or enc_GroupPwd from the PCF file. If the password is encrypted (the PCF only contains enc_GroupPwd) you will need to decrypt it using my Cisco VPN Password Decryption page.

Below is a sample VPN connection configuration:

Connecting

Once the fields are populated and the connection is saved you can connect to your VPN server by opening Settings > VPN and sliding the toggle into the On position.

Updated Jan 30, 2009: Added a more detailed description of the account fields for clarity.


© 2007-2010, Corey Gilmore

The views expressed on these pages are mine alone and not those of any past or present employer. All information presented on this site was obtained lawfully and not through disclosure under the terms of an NDA.