
Hotspot Connect with Anyconnect

robert.melzer
Level 1

Hello everyone,
I am using AnyConnect Secure Client version 5.0.00529. Client authentication with the ASA is performed using a machine certificate. The entire process works perfectly. Now I want the Windows client to be able to log on to a hotspot first and then establish the VPN connection. Captive Portal Detection is enabled in the profile under Preferences Part 1. Always ON is active in Preferences Part 2, and Allow Captive Portal Remediation is also active with a time span of 5 minutes. With these settings, the hotspot page is not displayed; it appears only when I deactivate Always ON. However, the client is then open until the VPN is established and can be compromised. Maybe someone has a tip on how to get it to work with Always ON. Thank you very much.

 

2 Replies

Mark Elsen
Hall of Fame

 

  - @robert.melzer    FYI: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Rainer Maria Rilke (1899)

Ben Weber
Level 1

Hi @robert.melzer 

AFAIK, Captive Portal Detection is only going to work when the VPN is not enforced. Captive Portal Remediation can be allowed in the AnyConnect XML profile, but will require ConnectFailurePolicy to be set to open. This allows for traffic to egress from the device without the VPN being enabled.

Secure Client is instructed to establish the VPN immediately after a network is detected (this is what happens when the 'Always-On' feature is enabled). This will block the captive portal depending on your settings. 

Depending on where your users are located, you could use Trusted Network Detection to bypass the VPN and allow the captive portal to work. Alternatively, you should set ConnectFailurePolicy = open, which will allow users to connect to the captive portal.

- BW
Please rate posts if they have been helpful.
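
As an added example (not part of the thread and not Cisco's code), this Python check reads the Always-On settings discussed above from a client profile and flags the exposures the posters describe. The sample profile is constructed, and the namespace and nested element layout are assumptions about the profile XML format, not something shown on this page.

```python
import xml.etree.ElementTree as ET

# Assumed profile namespace (not shown in the thread).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample fragment mirroring the original poster's settings:
# Always-On enabled, captive portal remediation allowed for 5 minutes.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
        </ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""


def _value(root, tag):
    """Return an element's own text (the part before nested children), or None."""
    el = root.find(f".//ac:{tag}", NS)
    if el is None or el.text is None:
        return None
    return el.text.strip() or None


def audit_profile(xml_text):
    """Extract the Always-On / captive portal settings and list exposures."""
    root = ET.fromstring(xml_text)
    s = {
        "always_on": (_value(root, "AlwaysOn") or "false").lower() == "true",
        "failure_policy": (_value(root, "ConnectFailurePolicy") or "").lower(),
        "remediation": (_value(root, "AllowCaptivePortalRemediation") or "false").lower() == "true",
        "timeout_min": int(_value(root, "CaptivePortalRemediationTimeout") or 0),
    }
    findings = []
    if not s["always_on"]:
        findings.append("Always-On off: client is open until the VPN is established")
    elif s["failure_policy"] == "open":
        findings.append("fail-open: traffic can leave the device without the VPN")
    if s["always_on"] and not s["remediation"]:
        findings.append("remediation not allowed: hotspot login page may be blocked")
    return s, findings
```
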