AnyConnect Enhanced Captive Portal Remediation + Proxy

kheldorn
Level 1

I've been battling this thing for 6 hours now and I can't come up with a solution - probably because there isn't one. But I thought I'd ask here before I give up.

 

The issue with captive portals has been plaguing us for a while now because all our users are forced to use a proxy to surf the internet. Clearly they aren't allowed to disable the proxy either. But with the proxy enabled and not yet connected to the VPN they cannot access most of the captive portals that are present on public hotspot or hotel wifis. I've already exempted all local network IPs from the proxy, but these captive portals are more often than not on non-LAN IPs and there is simply no way for me to exempt all of them from the proxy.

 

So whenever a user connects to a public wifi with a captive portal, all they get is the browser showing a proxy error - because it isn't reachable. And without the captive portal they can't get a functioning internet connection and thus can't establish the VPN connection to reach the proxy either. Nice catch-22 right there.

 

So, a couple of days ago I read the changelog for AnyConnect 4.7 and saw the following entry for the new features introduced in 4.7.03052:

 

Enhanced Captive Portal Remediation (Windows Only) — Captive portal remediation is the process of satisfying the requirements of a captive portal hotspot in order to obtain network access. The enhancement to this feature allows the end user to use an AnyConnect embedded browser for captive portal remediation when network access is blocked by AnyConnect (for example, due to Always On). Network access pertaining to other applications remains blocked during the captive portal remediation. The administrator has the option to allow failover to regular captive portal remediation with an external browser.

 

"An AnyConnect embedded browser for captive portal remediation" sounded exactly like what I always hoped for. So I downloaded AnyConnect 4.9.01095 (why stick with 4.7 when I can upgrade to 4.9 in the process?) and got to testing ...

 

"Fast" forward to 6 hours later. I got the configuration working the way I'd like it to work ... only to figure out that the "AnyConnect embedded browser for captive portal remediation" is practically just an embedded Internet Explorer!? When I connect to a public wifi with a captive portal the embedded browser opens just fine, but I'm greeted by the exact same proxy error message that I'd get in Internet Explorer too. And no matter how much I crawl the documentation, read forums and click my way through random forum posts, I cannot come up with a solution to this issue.

 

Does anyone have a configuration for AnyConnect that lets him connect to public wifis with captive portals while the system is configured to always use a proxy for all web traffic?

 

I had hoped that

<ProxySettings>IgnoreProxy</ProxySettings>

would do something, but that apparently only applies to the VPN connection itself, not for the embedded browser.

 

Here's my profile.xml as reference. Maybe someone can point me in the right direction. Or at least tell me straight out that what I want to achieve is (currently) not possible.

 

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>Machine</CertificateStore>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>IgnoreProxy</ProxySettings>
		<AllowLocalProxyConnections>true</AllowLocalProxyConnections>
		<AuthenticationTimeout>12</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="false">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="false">true</ClearSmartcardPin>
		<IPProtocolSupport>IPv4</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
		</AutoReconnect>
		<AutoUpdate UserControllable="false">false</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<AutomaticVPNPolicy>true
			<TrustedDNSDomains>corpnetwork.tld</TrustedDNSDomains>
			<TrustedNetworkPolicy>DoNothing</TrustedNetworkPolicy>
			<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
			<AlwaysOn>true
				<ConnectFailurePolicy>Closed
					<AllowCaptivePortalRemediation>true
						<CaptivePortalRemediationTimeout>1</CaptivePortalRemediationTimeout>
					</AllowCaptivePortalRemediation>
				</ConnectFailurePolicy>
			</AlwaysOn>
		</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Disable
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<EnableAutomaticServerSelection UserControllable="false">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>Corp VPN</HostName>
			<HostAddress>vpn.corpnetwork.tld</HostAddress>
			<PrimaryProtocol>IPsec
				<StandardAuthenticationOnly>true
					<AuthMethodDuringIKENegotiation>EAP-AnyConnect</AuthMethodDuringIKENegotiation>
				</StandardAuthenticationOnly>
			</PrimaryProtocol>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>
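As an added example (not from the original post and not Cisco's code), a small Python check that reads the captive-portal-related settings out of a profile.xml like the one above and flags the combination this thread is about: Always On with a Closed connect-failure policy and remediation enabled, but no CaptivePortalRemediationBrowserFailover element. The sample profile embedded below is a constructed subset of the one above; the failover element is searched for anywhere in the profile because its exact position in the schema is not given here.

```python
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: the captive-portal-relevant subset of the profile above.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <ProxySettings>IgnoreProxy</ProxySettings>
    <AutomaticVPNPolicy>true
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>1</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
        </ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

def setting(root, path):
    """Own text of the element at an ac:-qualified path, or None if absent.
    AnyConnect nests child elements after a value such as 'true', so only the
    leading text (before the first child) is the setting itself."""
    el = root.find(path, NS)
    return None if el is None or el.text is None else el.text.strip()

def check_captive_portal(profile_xml):
    """Return (settings, findings) for the Always On / captive portal branch."""
    root = ET.fromstring(profile_xml)
    cfp = "ac:ClientInitialization/ac:AutomaticVPNPolicy/ac:AlwaysOn/ac:ConnectFailurePolicy"
    rem = cfp + "/ac:AllowCaptivePortalRemediation"
    settings = {
        "proxy": setting(root, "ac:ClientInitialization/ac:ProxySettings"),
        "always_on": setting(root, "ac:ClientInitialization/ac:AutomaticVPNPolicy/ac:AlwaysOn"),
        "failure_policy": setting(root, cfp),
        "remediation": setting(root, rem),
        "timeout": setting(root, rem + "/ac:CaptivePortalRemediationTimeout"),
        # Searched anywhere: the thread names the element but not its position.
        "browser_failover": setting(root, ".//ac:CaptivePortalRemediationBrowserFailover"),
    }
    findings = []
    if settings["always_on"] == "true" and settings["failure_policy"] == "Closed":
        if settings["remediation"] != "true":
            findings.append("Closed failure policy without captive portal remediation: "
                            "users on a hotspot can reach neither the portal nor the VPN")
        elif settings["browser_failover"] != "true":
            findings.append("embedded-browser remediation only: no failover to an "
                            "external browser (CaptivePortalRemediationBrowserFailover)")
    return settings, findings
```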

 

3 Replies

kroerig
Level 1

Hi, did you find any solution?

haroonrohi
Level 1

I am having the same issue while using the Zscaler proxy: the embedded browser doesn't open the redirection and fails showing a proxy error, while not using the Zscaler proxy works fine.
Even though Zscaler also detects the captive portal and fail-opens all the traffic to direct (not going to the proxy), I am still not able to open most of the captive portal networks. If anyone has a solution for this issue, please share.
Thank you.

mlohman
Level 1

Try checking off the "captive portal remediation browser failover". 

<CaptivePortalRemediationBrowserFailover>true</CaptivePortalRemediationBrowserFailover>