Bypassing Cisco AnyConnect’s profile settings

Posted on August 29, 2013

18


When using Cisco Anyconnect Secure Mobility Client for establishing VPN connections, one might see such frustrating error message:

AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer.  A VPN connection will not be established.

or this one:

VPN establishment capability from a remote desktop is disabled.  A VPN connection will not be established.

Cisco’s documentation mention these limitations are specified in a profile XML file which is downloaded from the VPN server during the connection establishment.

Using SysInternal’s Process Monitor, it is possible to detect that this file is downloaded to the following path:

%programdata%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\[some name].xml

It turns out the file is downloaded by the Anyconnect Secure Mobility Client (vpngui.exe) and then analyzed. In order to bypass the restrictions imposed in the file, it is enough to use a simple application that monitors changes to that specific file and immediately replaces it with another file (where the restrictions are not present).

The two restrictions related to the error messages above are specified in the following nodes of the file:

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>

<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>

A copy of the current profile XML file could be made where the nodes above are commented out. Then the aforementioned application will overwrite the downloaded XML file with the “custom” version. A sample source code for such application follows (C#):

Note: it might be necessary to run the application with elevated privileges.

class Program
{
private static bool replaced = false;

static void Main(string[] args)
{
FileSystemWatcher watcher = new FileSystemWatcher(@"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile");

watcher.Created += watcher_Changed;
watcher.Deleted += watcher_Changed;
watcher.Changed += watcher_Changed;
watcher.EnableRaisingEvents = true;

while (!replaced)
{
System.Threading.Thread.Sleep(100);
}
}

static void watcher_Changed(object sender, FileSystemEventArgs e)
{
if (e.ChangeType == WatcherChangeTypes.Created)
{
ReplaceFile();
}
}

static void ReplaceFile()
{
File.Delete(@"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml");

File.Copy(@"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\customprofile.xml", @"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\profile.xml");

replaced = true;
}
}
Posted in: Tips n' tricks, Tools