IOS SSL WebVPN anyconnect 2.5.1025 - Start Before Logon

kkasselman
Level 1

I have an 1841 router set up with SSL VPN using the AnyConnect client. Before upgrading to AnyConnect 2.5 I had 2.3 installed, and the Start Before Logon feature worked for XP hosts but not for Windows 7. So I upgraded. Now when trying to do Start Before Logon I get "Network Access: Blocked - Web Authentication Required". From what I have read this is for captive portal detection. The internet connection I am testing on does not have a captive portal. I have looked through the AnyConnect 2.5 configuration guide, the release notes and the IOS 15.1 guides and can't find anything. Any help would be appreciated.

Show Ver:

Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(2)T1, RELEASE SOFTWARE (fc1)

Cisco 1841 (revision 7.0) with 293888K/99328K bytes of memory.
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125952K bytes of ATA CompactFlash (Read/Write)

User Auth is being done via SecureACS and it is also assigning an ACL to the session that is configured on the router.

Cisco av-pair:

webvpn:user-vpn-group=POLICY1
webvpn:addr=XX.XX.XX.XX
webvpn:inacl=ACLPOLICY1

Attached are my Config, XML Profile and WebVPN Debug.

5 Replies

Jason Gervia
Cisco Employee

I would check your other profile (profile2.xml) as it doesn't look like you have TND enabled on that profile - so it may be enabled on the profile.  Also, there is an anyconnect event log in event viewer that should tell you what profile it's reading and what the anyconnect client is doing when it is trying to connect.

Profile1 is the profile being used. Profile2 is exactly the same without the Start Before Logon option. Since I have TND disabled, I shouldn't have to add any more config, right?

I checked the AnyConnect log and here is what stands out. I see in the event where it bypasses Start Before Logon: "apilpc::processTerminate"

Then the next event is "HTTPS probe to "mygatewayIP" resulted in a redirect"

Downgraded to anyconnect 2.4 and everything is working.

If AC is detecting a redirect, it's likely you have antivirus (or some other software) doing some inspection of SSL traffic - try disabling the inspection (or the software entirely) and AC 2.5 might work.

--Jason

bobclark75
Level 1

Check out the bug report. CSCtb73337

The problem is that the client is unable to verify the certificate that is being used. If it is self-signed or from a certificate authority that isn't trusted by the client computer, AnyConnect 2.5 sees it as an invalid response to the attempt to verify connectivity. Instead of reporting an SSL problem it simply says that web authentication (because of a captive portal) is required. It isn't exactly a bug as much as a feature. However, the wording could be better in the message.
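The explanation above boils down to two failure modes that the client message does not distinguish: a genuine captive-portal redirect versus a gateway certificate the client does not trust. The probe below is an added example, not code from this thread or from AnyConnect, that an administrator can run from a client machine to tell the two apart; the gateway hostname is a placeholder and the optional `cafile` is the CA bundle the client is supposed to trust.

```python
"""Probe a VPN gateway over HTTPS and say why the probe failed, if it did."""
import http.client
import socket
import ssl
from urllib.parse import urlparse


def classify_response(status, location, expected_host):
    """Classify the HTTP response returned by the gateway probe."""
    if 300 <= status < 400 and location:
        target = urlparse(location).hostname
        # A redirect to a different host is what a real captive portal does.
        if target and target.lower() != expected_host.lower():
            return "redirect_to_other_host"
        return "redirect_same_host"
    if 200 <= status < 300:
        return "ok"
    return "unexpected_status_%d" % status


def classify_failure(exc):
    """Map a connection-level exception to the cause an admin should fix."""
    # SSLError subclasses OSError, so check the TLS cases first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted_certificate"   # self-signed cert or unknown CA
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake_failed"
    if isinstance(exc, http.client.HTTPException):
        return "malformed_response"
    if isinstance(exc, OSError):         # timeout, refused, DNS failure
        return "unreachable"
    return "unknown_error"


def probe_gateway(host, port=443, cafile=None, timeout=5):
    """GET https://host:port/ with full certificate and hostname checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify_response(resp.status, resp.getheader("Location"), host)
    except Exception as exc:
        return classify_failure(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder hostname; replace with the gateway the client connects to.
    print(probe_gateway("vpn-gateway.example.invalid"))
```

An `untrusted_certificate` result means the fix is to install the issuing CA on the client (or use a certificate from a CA it already trusts), while `redirect_to_other_host` points at an actual portal or SSL-inspecting middlebox.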
