11-17-2025 03:36 AM
Hello everyone,
I am using AnyConnect Secure Client version 5.0.00529. Client authentication with the ASA is performed using a machine certificate. The entire process works perfectly. Now I want the Windows client to be able to log on to a hotspot first and then establish the VPN connection. Captive Portal Detection is enabled in the profile under Preferences Part 1. Always ON is active in Preferences Part 2, and Allow Captive Portal Remediation is also active with a time span of 5 minutes. With these settings, the hotspot page is not displayed; it is displayed only when I deactivate Always ON. However, the client is then open until the VPN is established and can be compromised. Maybe someone has a tip on how to get it to work with Always ON. Thank you very much.
11-17-2025 08:26 AM
- @robert.melzer FYI: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118086-technote-anyconnect-00.html
M.
11-17-2025 12:45 PM
AFAIK, Captive Portal Detection is only going to work when the VPN is not enforced. Captive Portal Remediation can be allowed in the AnyConnect XML profile, but will require ConnectFailurePolicy to be set to open. This allows for traffic to egress from the device without the VPN being enabled.
Secure Client is instructed to establish the VPN immediately after a network is detected (this is what happens when the 'Always-On' feature is enabled). This will block the captive portal depending on your settings.
Depending on where your users are located, you could use Trusted Network Detection to bypass the VPN and allow the captive portal to work. Alternatively, you should set ConnectFailurePolicy = open, which will allow users to connect to the captive portal.
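A way to check which of the combinations discussed in this thread a given profile actually contains, as an added example that is not part of any post above and is not Cisco code. The sample profile is constructed, its element nesting is an assumption, and `audit_profile` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile fragment (not from the thread); nesting is an assumption.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticVPNPolicy>true
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true
            <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
          </AllowCaptivePortalRemediation>
        </ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>"""


def _value(root, name):
    """Leading text of the first element with this local name (namespace ignored), or None."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Summarise the Always-On and captive-portal settings and flag the exposure they imply."""
    root = ET.fromstring(xml_text)
    always_on = (_value(root, "AlwaysOn") or "false").lower() == "true"
    policy = (_value(root, "ConnectFailurePolicy") or "").lower()
    remediation = (_value(root, "AllowCaptivePortalRemediation") or "false").lower() == "true"
    timeout = _value(root, "CaptivePortalRemediationTimeout")
    findings = []
    if not always_on:
        findings.append("Always-On disabled: traffic can leave the device outside the VPN")
    elif policy == "open":
        findings.append("fail-open: traffic is allowed while the VPN is not established")
    elif policy == "closed" and not remediation:
        findings.append("fail-closed without remediation: hotspot login page is blocked")
    return {"always_on": always_on, "policy": policy, "remediation": remediation,
            "timeout_min": int(timeout) if timeout else None, "findings": findings}
```

Running it over the profile exported from the ASA before and after a change shows whether the change widened the window in which the client talks to the network without the tunnel.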