
A script to automate Cisco Clean Access logins Network
I'm currently a student at Davidson College. The school currently protects its network with a program called Cisco Clean Access. A compulsory client exists for XP machines that enforces all sorts of local policies (like running a virus scanner) before automatically providing the machine access to the campus network after the user provides their login name and password.

On non-XP machines, a user has to provide their credentials via a web-based form before access to the network is granted. I have a MacBook Pro, and I've gotten really sick of having to re-login to the campus network (both Ethernet and wifi) via this webform every time my computer goes to sleep or I change locations. So, I've managed to write a bash script that uses curl to log me in through the web forms.

Thanks to some amazing work by macrumors forum member Wombert, I've also found a way to have it activate automatically, any time the campus wifi network SSID is detected. This automation avoids heavy-handed cron jobs by leveraging two OS X features, configd and Kicker.xml. (There's a previous hint here that relies on AppleScript and iCal scheduling.)

Now the script and Kicker.xml transparently log me onto our campus network, and hence the internet, any time my computer senses a preset group of SSIDs. The curl commands are specific to Cisco Clean Access, but they could easily be adapted to other environments where users must log in through web forms, making this script potentially broadly useful.

One downside to the script right now is that it stores the username and password in plaintext. Perhaps someone could make this part more secure with more sophisticated code. Instructions are included in the comments of the script. To use the script, just copy and paste into a .sh file, and make it executable. You can also see it all marked up at pastebin.com.

[robg adds: I have not tested this one...]

A script to automate Cisco Clean Access logins
Authored by: logich on May 11, '06 09:58:06AM
You may want to look at the security command to access usernames and passwords stored in the keychain. There's a little article about it here: http://www.dribin.org/dave/blog/archives/2006/01/16/keychain_cli/

how to make it safer
Authored by: mzs on May 11, '06 11:45:36AM

Wow I never knew about security, good find!

Now one problem with the current script is that the username and password appear in the output of /bin/ps. You should use a ~/.netrc file instead. That would work if the https server used for granting access used authentication instead of an HTML form.

But curl can take the "-d@-" option. Then the data to POST comes from stdin. You could create a function in your shell script that spits out the username and password and all the other requisite junk into the POST from ~/.netrc or using /usr/bin/security out of a keychain.

In any case, nice script so far.



A script to automate Cisco Clean Access logins
Authored by: bjdraw on May 11, '06 11:03:20AM

This is a cool trick, the other thing that would be cool is if this was ported to run on XP it could bypass their remediation process completely since all it does is check for the http request string to identify the OS. This is also true for Impule's conditional access system.



A script to automate Cisco Clean Access logins
Authored by: cane on May 14, '06 06:59:53AM

I don't know if porting this to Windows XP would be a wise idea. There's a reason why they only force you to use a virus scanner on Windows... :)



A script to automate Cisco Clean Access logins
Authored by: osxpounder on May 11, '06 11:10:09AM

Do you think it's wise to store your userid and password as cleartext? I somehow suspect your school would disapprove.

---
--
osxpounder



A script to automate Cisco Clean Access logins
Authored by: macowell on May 15, '06 04:03:02PM

I'm not sure how long the code will remain posted at pastebin (hopefully forever), so I've taken the liberty of posting it below. I've shared the script with some of my friends, and its success seems reproducible (yay!). However, one friend was using OS X 10.3 (gasp!), and had some difficulty modifying the Kicker.xml file; we had to resort to sudo-ing a copy into the right directory from the terminal. Just wanted to mention that for all you out there not on 10.4 - I'm not sure how automatic authentication has changed since then.

I think there was something else I was supposed to mention, but I've forgotten. We just had graduation weekend! Whoo hoo! To all you current Davidson students reading this, Keep up the Good Work, and write a hint!

The script:

#!/bin/sh

# macowell 2 May 2006
#######################################################
# DESCRIPTION
# This script uses curl to log a user on to the Davidson College campus network.
# It's particularly useful when Kicker.xml is modified to call it. That
# modification and the code to test the SSID of the wifi network is from a
# script written by wombert 24 Nov 2005 at
# (http://forums.macrumors.com/showthread.php?t=162636)

#######################################################
# INSTALLATION
# Set the <username> and <pwort> variables appropriately, removing the
# greater-than and less-than symbols.
# Open the terminal and navigate to the directory in which the script resides,
# and execute the following command to make the script executable:
# chmod +x autologin.sh
#
# In a nutshell, every time the computer's network connectivity changes, the
# programs and agents specified in
# /System/Library/SystemConfiguration/Kicker.bundle/Contents/Resources/Kicker.xml
# are notified. By modifying Kicker.xml, we can ensure this script will be called
# automatically whenever networks with the Davidson SSID are detected.
#
# Add the following segment to the Kicker.xml file, without the pound-signs.
# Replace [yourUID] and [PathToScriptDirectory] with appropriate values,
# also without [brackets]. Use the "id" command in a terminal to determine
# your UID. NOTE: be sure to add the code above the bottom three closing tags,
# </dict> </array> </plist>
#
# <dict>
# <key>execCommand</key>
# <string>/Users/[PathToScriptDirectory]/autologin.sh</string>
# <key>execUID</key>
# <integer>[yourUID]</integer>
# <key>keys</key>
# <array>
# <string>Setup:/</string>
# <string>State:/Network/Global/IPv4</string>
# </array>
# <key>name</key>
# <string>AutoLogin</string>
# </dict>
#
# Once you have made the changes, just reboot to reload the kicker.
#######################################################

username=YOURUSERNAME
pwort=YOURPASSWORD
# browser identity sent with both requests
ua="Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.1) Gecko/20060305 Firefox/1.5.0.1"

logger -i "wifi auto-connecter v0.1 looking for networks..."

# current SSID (empty when the airport interface is down or not associated)
ssid=$(/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | fgrep -i " ssid" | grep -Eo "[a-zA-Z0-9]+$")
# set variables... might be smart to set curl's retry options when fetching the first address.
ip=$(ifconfig en1 | grep 'inet ' | sed -e 's/^[[:space:]]*inet //' -e 's/ netmask.*//')
# Clean Access answers the unauthenticated request with a page that redirects to its
# login host; the grep pattern is quoted so the shell does not try to glob it
subdomain=$(curl -s http://www.google.com | grep -o 'URL=.*</head' | sed -e 's#URL=https://##' -e 's/\.davidson.*//')

# $ssid is quoted: an unquoted empty value would turn this test into a syntax error
if [ "$ssid" = "DavidsonWLAN" ]
then

logger -i "$ssid detected... attempting to log $username into $subdomain"

# the POST body is fed to curl on stdin (-d @-) instead of being passed as an
# argument, so the password does not show up in the output of ps
userkey=$(printf '%s' "reqFrom=perfigo_simple_login.jsp&uri=&cm=&userip=$ip&os=MAC_OSX&index=1&username=$username&password=$pwort&provider=davidson.edu&login_submit=Continue" |
    curl -s -A "$ua" -d @- "https://$subdomain.davidson.edu/auth/perfigo_validate.jsp" |
    grep -o 'userkey=.*&infotype' | sed -e 's/userkey=//' -e 's/&infotype//')

# not sure why username doesn't need to be set... from a cookie we don't store?
status=$(curl -s -A "$ua" -d "uri=&noreport=false&os=ALL&userkey=$userkey&userip=$ip&username=&index=-1" "https://$subdomain.davidson.edu/auth/perfigo_cm_policy.jsp" | grep 'Time Logged on')

logger -i "status: $status"
fi



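As an added example (not macowell's script and not part of the original thread), here is mzs's suggestion worked through in POSIX sh: the credentials come from ~/.netrc, the form values are percent-encoded so a password containing & or = cannot break the body, and the body reaches curl through -d @- so the password never appears in ps. The NETRC variable, the clean_access_login helper and the sample values in its comments are assumptions; the form fields and URLs are the ones the script above uses.

```shell
#!/bin/sh
# Added example, not part of the original script. Reads the Clean Access
# credentials from ~/.netrc (path overridable via NETRC, an assumption) and
# feeds the POST body to curl on stdin so it is absent from the ps argument list.
NETRC="${NETRC:-$HOME/.netrc}"

# netrc_field FILE MACHINE FIELD: print the login or password recorded for MACHINE
# (handles both the one-line and the multi-line netrc layouts)
netrc_field() {
    awk -v m="$2" -v f="$3" '{
        for (i = 1; i <= NF; i++) {
            if ($i == "machine") found = ($(i + 1) == m)
            else if (found && $i == f) { print $(i + 1); exit }
        }
    }' "$1"
}

# urlencode STRING: percent-encode every byte, so & or = in a password
# cannot split the form body into extra fields
urlencode() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d '\n' |
        awk '{ for (i = 1; i <= NF; i++) printf "%%%s", toupper($i) }'
}

# login_body USER PASSWORD IP: the perfigo_simple_login.jsp form as the script above posts it
login_body() {
    printf 'reqFrom=perfigo_simple_login.jsp&uri=&cm=&userip=%s&os=MAC_OSX&index=1' "$3"
    printf '&username=%s&password=%s&provider=davidson.edu&login_submit=Continue' \
        "$(urlencode "$1")" "$(urlencode "$2")"
}

# extract_userkey: pull the userkey that the validate page embeds, reading the response from stdin
extract_userkey() {
    sed -n 's/.*userkey=\([^&]*\)&infotype.*/\1/p' | head -n 1
}

# clean_access_login HOST IP: HOST is the login host the script discovers
# (for example $subdomain.davidson.edu); prints the userkey on success
clean_access_login() {
    user=$(netrc_field "$NETRC" "$1" login)
    pass=$(netrc_field "$NETRC" "$1" password)
    [ -n "$user" ] && [ -n "$pass" ] || { echo "no netrc entry for $1" >&2; return 1; }
    # -d @- reads the body from stdin: only the URL and host are visible to ps
    login_body "$user" "$pass" "$2" |
        curl -s -d @- "https://$1/auth/perfigo_validate.jsp" | extract_userkey
}
```

The ~/.netrc file should be mode 0600 (curl itself refuses to read it otherwise when using -n), which is the whole point over a password literal in the script.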