Cisco AnyConnect with TouchID on macOS

It is quite annoying that AnyConnect doesn’t support TouchID on macOS, so you need to type in your password every time. But there’s a fix:

  • AnyConnect also has a command-line version; the utility is located at /opt/cisco/anyconnect/bin/vpn
  • It is interactive, so on invocation you must enter your username and password
  • These can be supplied by piping the username and password into the vpn utility
  • To avoid keeping your password in plaintext, you can use the command-line password manager pass, which stores secrets in encrypted GPG files
  • However, this means you now have to enter the GPG passphrase on every connect
  • To solve this, install and configure the pinentry-touchid utility, which replaces the built-in CLI pinentry dialog and stores the secret in the Keychain
  • Voila, now you can connect using TouchID

The following helper script from Superuser is useful for easily controlling the VPN status:

#!/usr/bin/env bash
# Easily connect to Cisco AnyConnect VPN

# Get first parameter
COMMAND=$1

# Placeholder: replace with your VPN username (my_password_entry and
# remote_host_url below are placeholders as well)
username="your_username"

case $COMMAND in
    connect | CONNECT | c | C)
        # vpn -s reads the interactive answers from stdin: the group
        # selection (2), the username, then the password fetched from pass.
        # %s placeholders keep a password containing '%' out of the format string.
        printf '2\n%s\n%s\n' "${username}" "$(pass show my_password_entry)" | \
            /opt/cisco/anyconnect/bin/vpn -s connect remote_host_url
        ;;
    disconnect | DISCONNECT | d | D)
        /opt/cisco/anyconnect/bin/vpn disconnect
        ;;
    *)
        cat <<EOF
Usage: vpnctl COMMAND
       connect | CONNECT | c | C          Connect to the VPN
       disconnect | DISCONNECT | d | D    Disconnect from the VPN
EOF
        ;;
esac
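Before relying on the helper script, the three pieces of the chain above (the vpn CLI, the pass entry, and pinentry-touchid in gpg-agent.conf) can be verified without decrypting anything. This preflight script is an added example, not from the original post or from the projects it mentions; it assumes the default locations /opt/cisco/anyconnect/bin/vpn, ~/.password-store and ~/.gnupg/gpg-agent.conf, and the entry name my_password_entry, all overridable via environment variables.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): preflight checks for the
# AnyConnect + pass + pinentry-touchid chain. Assumed defaults: vpn CLI at
# /opt/cisco/anyconnect/bin/vpn, pass store at ~/.password-store,
# gpg-agent config at ~/.gnupg/gpg-agent.conf, entry name my_password_entry.

# 0 if the AnyConnect CLI exists and is executable.
have_vpn_cli() {
  [ -x "$1" ]
}

# 0 if gpg-agent is configured to use pinentry-touchid, i.e. the line that
# makes the GPG passphrase come from the Keychain instead of a CLI prompt.
uses_pinentry_touchid() {
  [ -r "$1" ] || return 1
  grep -Eq '^[[:space:]]*pinentry-program[[:space:]]+.*pinentry-touchid' "$1"
}

# 0 if the pass entry exists as an encrypted .gpg file in the store.
# Checked on disk so the secret is never decrypted or printed here.
pass_entry_exists() {
  [ -f "$1/$2.gpg" ]
}

# Build the stdin for 'vpn -s connect': group selection, username, password.
# %s placeholders keep a password containing '%' out of the format string,
# and the secret travels on stdin rather than in a process argument list.
login_input() {
  printf '2\n%s\n%s\n' "$1" "$2"
}

# Run every check and report; returns 0 only if all of them pass.
preflight() {
  rc=0
  have_vpn_cli "${VPN_CLI:-/opt/cisco/anyconnect/bin/vpn}" \
    && echo "ok   vpn CLI" || { echo "FAIL vpn CLI not executable"; rc=1; }
  uses_pinentry_touchid "${GPG_AGENT_CONF:-$HOME/.gnupg/gpg-agent.conf}" \
    && echo "ok   pinentry-touchid" || { echo "FAIL gpg-agent.conf lacks pinentry-touchid"; rc=1; }
  pass_entry_exists "${PASSWORD_STORE_DIR:-$HOME/.password-store}" "${PASS_ENTRY:-my_password_entry}" \
    && echo "ok   pass entry" || { echo "FAIL pass entry missing"; rc=1; }
  return $rc
}

# Run the checks only when invoked as: ./vpn-preflight.sh check
if [ "${1:-}" = check ]; then
  preflight
fi
```

Run it as `./vpn-preflight.sh check` before the first connect; a FAIL line names the piece of the chain that still needs setting up.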