Windows 10 and Edge browser auto pop-up during AC posture scan

Asif Akash
Cisco Employee

Hello Experts,

We observe that during posture redirection / system scan, the Edge browser automatically pops up the "Client Provisioning Portal" without any user intervention. The user connects over VPN and authentication of the user credentials is successful. The system scan with AnyConnect starts, and the user is not triggering any HTTP session that would make Edge auto pop-up and get redirected to the client provisioning portal. Is this a known issue, or can the auto pop-up be suppressed with AnyConnect or endpoint configuration?

AC version: 4.2.01035

I see the following in the DART bundle:

Description : Function: HttpConnection::MakeRequest
Thread Id: 0x450
File: .\HttpConnection.cpp
Line: 263
Level: debug
Ignoring duplicate discovery probe: https://<FQDN>:8443/portal/gateway?sessionId=0afXXXXX6ee00057339a66&portal=aXXXXX-c2c4-11e4-8726-24e9b315f0b6&action=cpp&token=5001d3XXXXXX50c3ec9067ad5eaa9e3.

OS:

OS Name:               Microsoft Windows 10 Enterprise
OS Version:            10.0.10240 N/A Build 10240

Any suggestion for troubleshooting this issue is highly appreciated.

-BR

Accepted Solution

howon
Cisco Employee

Asif, two options:

  • You can allow HTTP/HTTPS access to www.msftncsi.com so the Windows PC thinks it has full Internet connectivity, which prevents the pop-up during the posture state. You can do so by adding the IPs that www.msftncsi.com resolves to in the redirect ACL. Starting with 7.6+, Cisco WLC supports DNS ACLs, so you can simply add www.msftncsi.com to the list of allowed domains in the redirect ACL. If using an IOS switch or converged access WLAN, then you will need to list each of the individual IP addresses in the redirect ACL.
  • The other option is to modify the Windows registry to disable the browser auto pop-up feature. Navigate to the following registry hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet and change the ‘EnableActiveProbing’ value to 0.

Hosuk


Hello Hosuk,

Thanks a lot for your descriptive answer.

(From: Mike Gatti) Here is the workaround I created to address this issue, hopefully it can help anyone else experiencing the same problem...

- Configure your ASA's DNS lookup settings:

! Define the internal interface to send DNS lookup queries to
dns domain-lookup INSIDE
! Use internal trusted DNS servers
dns server-group DefaultDNS
 name-server 10.0.0.10
 name-server 10.0.0.11

- Configure an object in your ASA with a FQDN for www.msftncsi.com:

object network obj-www.msftncsi.com
 fqdn www.msftncsi.com

- Add a deny statement to your ISE_REDIRECT ACL, tuning the ACL to your needs:

access-list ISE_REDIRECT extended deny icmp any any
access-list ISE_REDIRECT extended deny ip any host obj-ISE-PSN-01
access-list ISE_REDIRECT extended deny ip any host obj-ISE-PSN-02
access-list ISE_REDIRECT extended deny ip any host obj-ISE-PSN-03
access-list ISE_REDIRECT extended deny ip any object obj-www.msftncsi.com
access-list ISE_REDIRECT extended permit tcp any any eq www

Now there is a caveat to this config: a FQDN statement will only work if the ACL is applied to an interface. To work around this requirement I used one of our ASA's spare interfaces in a shutdown state, gave it a bogus nameif and assigned the ISE_REDIRECT ACL to it; if you don't have a spare interface, one option would be to create a sub-interface and assign the ACL to it:

++ Before assigning the redirect ACL to an interface:

VPN_ASA(config)# show dns
INFO: no activated FQDN

VPN_ASA(config)# show dns host www.msftncsi.com
ERROR: www.msftncsi.com is not activated

++ Interface and access-group config:

VPN_ASA(config)# sh run int g0/6
!
interface GigabitEthernet0/6
 shutdown
 nameif ISE_REDIRECT_BOGUS
 security-level 0
 no ip address

VPN_ASA(config)# sh run access-group
access-group ISE_REDIRECT in interface ISE_REDIRECT_BOGUS

++ After assigning the redirect ACL to an interface:

VPN_ASA(config)# sho dns
Name: www.msftncsi.com
  Address: 23.3.13.250        TTL 00:00:34
  Address: 23.3.13.184        TTL 00:00:34

VPN_ASA(config)# sh dns host www.msftncsi.com
Name: www.msftncsi.com
  Address: 23.3.13.250        TTL 00:00:26
  Address: 23.3.13.184        TTL 00:00:26
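Hosuk's first option needs the individual probe-host addresses listed statically when the redirect ACL lives on an IOS switch or WLC without DNS ACL support, and the ASA output above shows where those addresses (and their short TTLs) come from. The following Python helper is an added example, not code from this thread or from Cisco: it parses the ASA `show dns host` output format shown above into per-IP `deny` (do-not-redirect) lines and reports the shortest TTL, which is how long the static list can be trusted. The sample output and the ACL name ISE_REDIRECT are taken from the thread; the function names are assumptions of this example.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of the ASA "show dns host" output above.
SAMPLE_SHOW_DNS_HOST = """\
Name: www.msftncsi.com
  Address: 23.3.13.250                                   TTL 00:00:26
  Address: 23.3.13.184                                   TTL 00:00:26
"""

NAME_RE = re.compile(r"^Name:\s+(\S+)\s*$")
ADDR_RE = re.compile(r"^\s*Address:\s+(\S+)\s+TTL\s+(\d{2}):(\d{2}):(\d{2})\s*$")


def parse_show_dns_host(text):
    """Parse 'show dns host' output into (name, [(ip, ttl_seconds), ...])."""
    name, entries = None, []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m:
            ip = str(ip_address(m.group(1)))  # raises ValueError on a malformed address
            hrs, mins, secs = (int(x) for x in m.groups()[1:])
            entries.append((ip, hrs * 3600 + mins * 60 + secs))
    if name is None or not entries:
        # Covers the "not activated" state seen before the ACL is bound to an interface
        raise ValueError("no activated FQDN entries in output")
    return name, entries


def static_redirect_exceptions(entries, acl_name="ISE_REDIRECT"):
    """Per-IP 'deny' lines for a switch/WLC redirect ACL (deny = do not redirect)."""
    lines = [f"ip access-list extended {acl_name}"]
    lines += [f" deny ip any host {ip}" for ip, _ in entries]
    return lines


def min_ttl(entries):
    """Shortest TTL seen; the static list may be stale once this many seconds elapse."""
    return min(ttl for _, ttl in entries)


if __name__ == "__main__":
    host, resolved = parse_show_dns_host(SAMPLE_SHOW_DNS_HOST)
    print("\n".join(static_redirect_exceptions(resolved)))
    print(f"! {host}: re-check resolution, shortest TTL is {min_ttl(resolved)}s")
```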

We recently upgraded to AnyConnect 4.3 and upon login, our Windows 10 machines are launching IE and receiving the same web pop-up as described in this thread. We changed the ‘EnableActiveProbing’ value to 0 as recommended in the published answer, but now, whenever a user disconnects from our network, goes to WiFi, and then reconnects to the physical network, we receive a warning in the system tray stating that there is "No Internet Access" (see image below). This warning stays in the system tray even after the machine is postured and given full access to our network. All internet and intranet functionality works correctly; however, the introduction of this warning icon has caused a significant influx of calls to our help desk. Is there a way we can get this warning to clear once the device is allowed on the network?

[Image: ACWarning.JPG]