
Network Access Manager cannot detect captive portal through proxy

Kalipso
Level 1

Hello,

I'm looking for a way to have AnyConnect (NAM) detect classical hotspot captive portals from a corporate endpoint that has proxy settings pushed by GPO.

So basically users go remote, and sometimes they are located in airports or in hotels, where connectivity is available through Guest access. This means that the users need to provide information and agree to use policy before being granted access to Internet and be able to mount corporate VPN.

However, since the browser is configured to use corporate proxy, no captive portal is reachable.

I've tried many combinations of NAM profile / Anyconnect client profile, and played with "no proxy feature", "enable captive portal detection" options, with no success so far. We are NOT using always on feature.

I've also tried to have the internal anyconnect browser, but was never able to trigger it.

I've been using Anyconnect 4.10.

Has anybody managed to make this work?

3 Replies

Rodrigo Diaz
Cisco Employee

Hello @Kalipso, I would first verify whether you are meeting the requirements for captive portal detection with NAM: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_nam.html#Cisco_Reference.dita_cf35bb96-adec-4879-9939-58efd9429a4a. The following bug has also been filed in relation to NAM and captive portals: CSCvo07690, so I would verify that the version of NAM is the one listed as fixed, that is 4.10.6079. Lastly, I would test out the configurations you're doing without GPO, just to check that the NAM-captive portal setup works.

Let me know if that helped.

 

Hello @Rodrigo Diaz,

It appears that when I enable captive portal detection on NAM profile: 

  • when using wired, I've got a message "limited or no connectivity" 
  • when using wireless with captive portal, I can't connect, and I've got no browser prompted

When I do NOT enable captive portal detection on NAM profile:

  • when using wireless, I've got my default web browser popping up with a web page in error, since I don't have access to the proxy
  • when I repeat the test after disabling the proxy, the web page is still in error with "access denied"

I don't understand all the requirements:

  • "Within the configurable End-User Controls for Network Access Manager, captive portal remediation will not be an option.": this is a feature in the client profile, not the NAM profile, and it isn't configured in any of my client profiles. Where am I supposed to check this?

  • I'm using Windows 10

  • "NAM disables the Windows Network Location Awareness Service and its captive portal detection. The Windows service is restored only if Network Access Manager is set to disabled or uninstalled.": is this a problem? Sounds like a behavior, actually, not a requirement...

  • "NAM probes for a connection every 10 seconds [...] It does not monitor when a user logs out." also sounds like a behavior

Can you clarify what files or profiles I need to configure to make this work? All the documentation on the subject is very confusing to me.

I'm using the latest AnyConnect version, 4.10.0690.

Kalipso
Level 1

Ok, so here are some of the points that blocked me. (I didn't even have the browser prompting)

- DNS should be able to resolve: www.msftconnecttest.com/connecttest.txt and ipv6.msftconnecttest.com/connecttest.txt

- the browser must be able to reach the above URLs, meaning:

  • check proxy exceptions, so the URL is reachable even if proxy is not (corporate onsite proxy not available while the VPN connection is not up)
  • check local firewall rules : in my case it was blocking outgoing connections from Edge and Anyconnect applications

Having that resolved, and with the option "enable captive portal detection" in the NAM profile, I now have AnyConnect responding way faster when connecting to a GUEST WIFI. It displays the message "Action needed, no internet. Open browser and connect". And the default browser opens on the guest portal.

However, I still have an issue because the browser is still trying to reach the captive portal through the unreachable proxy. And I can't add all the captive portals as proxy exceptions, as the list would be huge and complex to maintain. I'm still looking for a solution to bypass the proxy during this connection phase.
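
The checks listed in the post above (DNS resolution of the probe hosts, proxy exceptions, direct reachability) can be run from the endpoint in one pass. This is an added example, not part of the thread and not Cisco code; it assumes the proxy settings are visible in the per-user Internet Settings registry key, and `Test-ConnectProbe` is a hypothetical helper name.

```powershell
# Added diagnostic sketch (not from the thread). Probe hosts/URLs are the ones named above.
$probes = [ordered]@{
    'www.msftconnecttest.com'  = 'http://www.msftconnecttest.com/connecttest.txt'
    'ipv6.msftconnecttest.com' = 'http://ipv6.msftconnecttest.com/connecttest.txt'
}
# Assumption: the GPO-pushed proxy settings are visible in the per-user Internet Settings key.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$exceptions = @("$($inet.ProxyOverride)" -split ';' | Where-Object { $_ })

function Test-ConnectProbe {   # hypothetical helper, one result row per probe host
    param([string]$HostName, [string]$Url)
    $r = [ordered]@{ Host = $HostName; Dns = 'FAILED'; ProxyException = $false
                     Direct = 'not tested'; RedirectTo = $null }
    # 1. Can the endpoint resolve the probe host on this network?
    try { $null = Resolve-DnsName -Name $HostName -ErrorAction Stop; $r.Dns = 'ok' } catch { }
    # 2. Is the host covered by a proxy exception (entries may use * wildcards)?
    $r.ProxyException = [bool]($exceptions | Where-Object { $HostName -like $_ })
    # 3. Fetch the probe directly: no proxy, no redirect following, short timeout.
    try {
        $req = [System.Net.WebRequest]::Create($Url)
        $req.Proxy = New-Object System.Net.WebProxy   # empty WebProxy = direct connection
        $req.AllowAutoRedirect = $false
        $req.Timeout = 5000
        $resp = $req.GetResponse()
        $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
        $r.RedirectTo = $resp.Headers['Location']
        # connecttest.txt contains exactly this string when nothing intercepts the request.
        if ([int]$resp.StatusCode -eq 200 -and $body.Trim() -eq 'Microsoft Connect Test') {
            $r.Direct = 'open internet'
        } else {
            $r.Direct = "intercepted (HTTP $([int]$resp.StatusCode)), captive portal likely"
        }
        $resp.Close()
    } catch {
        # DNS failure, local firewall block, timeout or an HTTP error status all land here.
        $r.Direct = "no valid answer: $($_.Exception.Message)"
    }
    [pscustomobject]$r
}

[pscustomobject]@{ ProxyEnable = $inet.ProxyEnable; ProxyServer = $inet.ProxyServer
                   AutoConfigURL = $inet.AutoConfigURL } | Format-List
$probes.GetEnumerator() | ForEach-Object { Test-ConnectProbe -HostName $_.Key -Url $_.Value } |
    Format-Table -AutoSize
```

On an IPv4-only guest network the `ipv6.msftconnecttest.com` row is expected to fail, since that host only publishes IPv6 addresses.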