
Making Juniper Network Connect use Keychain
Password managers are a good thing, as they encourage you to maintain strong passwords. Just the sort of thing you’d want if you were opening every port on every computer on your enterprise network. Unfortunately, Juniper doesn’t see it this way. This can be resolved with some crafty scripting.

First, we need a scripting addition called Usable Keychain Scripting. Download it and copy it to /Library/Scripting Additions. You'll need to type your password to do this.

Next, connect to your VPN once with Network Connect, then disconnect. Network Connect should retain the address of your server (e.g. https://vpn.example.com).

Now create an internet password item for the server (https://vpn.example.com) in Keychain Access, and grant Usable Keychain Scripting access to it. Or not, your call.

Now fire up the script. It will get the address of the server from Network Connect, get your username and password from Keychain Access, and log you in.

Modified from https://github.com/seanfisk/juniper-network-connect-vpn-applescript:
property appName : "Network Connect"

on main()
	tell application "Network Connect"
		if connected then
			sign out
			delay 5
			quit
		else
			tell application "System Events"
				-- Recover the name of the VPN from Network Connect.
				set myAddress to value of combo box 1 of group 2 of tool bar 1 of ¬
					window appName of application process appName
				set ASTID to AppleScript's text item delimiters
				set AppleScript's text item delimiters to "://"
				-- Get just the server address
				set vpnName to (text items 2 through -1 of myAddress) as text
				set AppleScript's text item delimiters to ASTID
			end tell
			tell application "Usable Keychain Scripting" to tell current keychain
				-- Recover the username and password from the login keychain
				set myPass to password of first internet password ¬
					whose name contains vpnName
				set myAccount to account of first internet password ¬
					whose name contains vpnName
			end tell
			connect to vpnName
			delay 5
			tell application "System Events"
				-- Enter the account name and password in the dialog box and click "Sign In"
				set value of text field 1 of group 7 of UI element 1 of scroll area 1 of ¬
					window appName of application process appName to myAccount
				set value of text field 1 of group 10 of UI element 1 of scroll area 1 of ¬
					window appName of application process appName to myPass
				click button "Sign In" of group 14 of UI element 1 of scroll area 1 of ¬
					window appName of application process appName
			end tell
			-- Could launch an application here if it's scriptable.
			return
		end if
	end tell
end main

main()
Lex adds: I haven't tested this one.

Making Juniper Network Connect use Keychain
Authored by: slb on Jun 26, '13 12:47:46PM

I guess it's useful if you have a fixed password. Most I know of use an RSA token.



Making Juniper Network Connect use Keychain
Authored by: Sesquipedalian on Jun 28, '13 12:01:52AM
You could also just use a do shell script call to the security command line tool. This is the officially sanctioned way to access keychain data from scripts, and it is available on any Mac running OS X 10.7 or higher without needing to install a third party scripting addition.
Edited on Jun 28, '13 12:04:19AM by Sesquipedalian
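
An added example, not part of the comment above or of the original hint, of the security-tool approach as a shell snippet that do shell script could call. The function names and the sample attribute dump are constructed for illustration, and vpn.example.com is the hint's placeholder server.

```sh
#!/bin/sh
# Added example (not from the hint or its comments); helper names are hypothetical.

# Reduce the address Network Connect retains to a bare host name, as the
# AppleScript does with its "://" split; also drops any trailing path.
vpn_host() {
    h=${1#*://}
    printf '%s\n' "${h%%/*}"
}

# Read `security find-internet-password` attribute output on stdin and print
# the account. Returns non-zero when no plain-text "acct" attribute is present.
parse_account() {
    a=$(sed -n 's/^[[:space:]]*"acct"<blob>="\(.*\)"$/\1/p' | head -n 1)
    [ -n "$a" ] && printf '%s\n' "$a"
}

# Account name of the first internet password stored for host $1.
keychain_account() {
    security find-internet-password -s "$1" 2>/dev/null | parse_account
}

# Password for host $1 and account $2; -w prints only the password.
# Capture it in a variable; do not echo it or put it in another command's argv.
keychain_password() {
    security find-internet-password -s "$1" -a "$2" -w
}

# Constructed sample of the attribute dump, so the parser runs without a keychain.
sample_output() {
    cat <<'EOF'
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="vpn.example.com"
    "acct"<blob>="jdoe"
    "srvr"<blob>="vpn.example.com"
EOF
}

demo_host=$(vpn_host "https://vpn.example.com")
demo_acct=$(sample_output | parse_account)
echo "host=$demo_host account=$demo_acct"
```

On first use, macOS asks whether security may read the item. Choosing "Always Allow" lets anything running as your user read that password through security without a further prompt.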


Making Juniper Network Connect use Keychain
Authored by: bhines on Jun 28, '13 12:42:47AM

Indeed, I am surprised that any company has a VPN without using RSA token based auth. (At my 4th major tech company now and they all have..)



Making Juniper Network Connect use Keychain
Authored by: jemandel on Jul 10, '13 04:10:54AM

It's not a company, it's a major academic medical center. Hospital IT can be amazingly slow to adopt new technology. We're in the process of moving from XP to Windows 7 and moving from Exchange Server 2003 to 2008. All the certificates on the web servers fail at normal trust settings. The ID badges all have magstripes. I just expend little bits of effort to be able to keep my systems functioning.

I think the shell script may be a better solution, since most of the rest of the script can function as a shell script, but it would be better if Juniper made a public API.

---
Jeff E Mandel MD MS
Hospital of the University of Pennsylvania


