Cisco AnyConnect with TouchID on macOS

Quite annoying that AnyConnect doesn't support TouchID on macOS, so you need to type in your password every time you connect. But there's a fix:

  • AnyConnect also has a command-line version; the utility is located at /opt/cisco/anyconnect/bin/vpn
  • It is interactive, so upon invoking it you must enter your username and password
  • Those answers can be supplied by piping the username and password into the vpn utility's stdin
  • To avoid keeping your password in plaintext in the script, use the command-line password manager pass, which stores secrets in GPG-encrypted files: https://www.passwordstore.org/
  • However, this means you now need to enter the GPG passphrase on every connect
  • To solve this, install and configure the pinentry-touchid utility, which replaces the built-in CLI pinentry dialog and stores the passphrase in the Keychain, so GPG unlocks via TouchID: https://jorgelbg.me/2021/08/introducing-pinentry-touchid/
  • Voilà, now you can connect using TouchID
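The pinentry-touchid step above means pointing gpg-agent at the new pinentry binary. The script below is an added example (not from the original post or the pinentry-touchid project) that sets the pinentry-program line in gpg-agent.conf idempotently and reports which pinentry the agent will use; it assumes the binary lives at /usr/local/bin/pinentry-touchid (Apple Silicon Homebrew installs under /opt/homebrew/bin instead, so override PINENTRY_BIN if needed).

```shell
#!/bin/bash
# Configure gpg-agent to use pinentry-touchid for `pass` lookups.
# Assumed (not from the post): pinentry-touchid is installed at PINENTRY_BIN.

set -eu

PINENTRY_BIN="${PINENTRY_BIN:-/usr/local/bin/pinentry-touchid}"
AGENT_CONF="${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"

# Ensure gpg-agent.conf contains exactly one pinentry-program line pointing at
# $2. Existing unrelated settings are preserved; an older pinentry-program line
# (e.g. pinentry-mac) is replaced. Returns 0 when the file is in that state.
configure_pinentry() {
    local conf="$1" bin="$2"
    mkdir -p "$(dirname "$conf")"
    chmod 700 "$(dirname "$conf")"   # GnuPG expects a private home directory
    touch "$conf"
    grep -v '^pinentry-program ' "$conf" > "$conf.tmp" || true
    printf 'pinentry-program %s\n' "$bin" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
    [ "$(grep -c '^pinentry-program ' "$conf")" -eq 1 ]
}

# Print the pinentry gpg-agent will use according to the config file
# (empty output means the default pinentry is still in effect).
current_pinentry() {
    sed -n 's/^pinentry-program //p' "$1" | tail -n 1
}

main() {
    if [ ! -x "$PINENTRY_BIN" ]; then
        echo "pinentry-touchid not found at $PINENTRY_BIN" >&2
        return 1
    fi
    configure_pinentry "$AGENT_CONF" "$PINENTRY_BIN"
    gpgconf --kill gpg-agent   # restart so the new pinentry takes effect
    echo "gpg-agent will now use: $(current_pinentry "$AGENT_CONF")"
}

# Only apply changes when explicitly asked: ./setup-pinentry.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

After running it with --apply, the first `pass show` prompts TouchID once and later calls are answered from the Keychain.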

The following helper script from Superuser [1] makes it easy to connect to and disconnect from the VPN:

#!/bin/bash

# Easily connect to Cisco AnyConnect VPN
# Replace USERNAME, my_password_entry and remote_host_url with your own values.

USERNAME="my_username"

# Get first parameter
COMMAND="$1"

case $COMMAND in
    connect | CONNECT | c | C)
        # Fetch the password from pass (pinentry-touchid handles the GPG unlock);
        # abort rather than sending an empty password if the lookup fails.
        PASSWORD="$(pass show my_password_entry)" || exit 1
        # The vpn client reads its interactive answers from stdin in -s (script) mode.
        # The leading "2" answers the group selection prompt; adjust it to your server.
        # Each value is passed as a printf argument, not as the format string, so a
        # password containing % or \ is sent unchanged.
        printf '%s\n' "2" "$USERNAME" "$PASSWORD" | \
            /opt/cisco/anyconnect/bin/vpn -s connect remote_host_url
        ;;

    disconnect | DISCONNECT | d | D)
        /opt/cisco/anyconnect/bin/vpn disconnect
        ;;

    *)
        cat <<EOF
Usage: vpnctl COMMAND
       connect | CONNECT | c | C    Connect to the VPN
       disconnect | DISCONNECT | d | D    Disconnect from the VPN
EOF
        ;;
esac

  1. https://superuser.com/a/1723439