02-20-2023 01:11 AM
Hello,
I'm looking for a way to have AnyConnect (NAM) detect classical hotspot captive portals from a corporate endpoint that has proxy settings pushed by GPO.
So basically users go remote, and sometimes they are located in airports or in hotels, where connectivity is available through Guest access. This means that the users need to provide information and agree to a use policy before being granted access to the Internet and being able to mount the corporate VPN.
However, since the browser is configured to use corporate proxy, no captive portal is reachable.
I've tried many combinations of NAM profile / Anyconnect client profile, and played with "no proxy feature", "enable captive portal detection" options, with no success so far. We are NOT using always on feature.
I've also tried to have the internal anyconnect browser, but was never able to trigger it.
I've been using Anyconnect 4.10.
Has somebody managed to make this work?
02-21-2023 08:29 AM
Hello @Kalipso, I would first verify that you are meeting the requirements for captive portal detection with NAM: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_nam.html#Cisco_Reference.dita_cf35bb96-adec-4879-9939-58efd9429a4a. The following bug has also been filed in relation to NAM and captive portals: CSCvo07690, so I would verify that the version of NAM is the one listed as fixed, which is 4.10.6079. Lastly, I would test the configurations you're doing without GPO, just to check that the NAM captive portal setup works.
Let me know if that helped.
02-22-2023 08:21 AM
Hello @Rodrigo Diaz,
It appears that when I enable captive portal detection on NAM profile:
When I do NOT enable captive portal detection on NAM profile:
I don't understand all the requirements:
"Within the configurable End-User Controls for Network Access Manager, captive portal remediation will not be an option.": this is a feature in the client profile, not the NAM profile, and it isn't configured in any of my client profiles. Where am I supposed to check this?
I'm using Windows 10.
"NAM disables the Windows Network Location Awareness Service and its captive portal detection. The Windows service is restored only if Network Access Manager is set to disabled or uninstalled.": is this a problem? It sounds like a behavior, actually, not a requirement...
Can you clarify what files or profiles I need to configure to make this work? All the documentation on the subject is very confusing to me.
I'm using latest anyconnect version 4.10.0690.
04-17-2023 12:47 AM
Ok, so here are some of the points that blocked me. (I didn't even have the browser prompting)
- DNS should be able to resolve: www.msftconnecttest.com/connecttest.txt, and ipv6.msftconnecttest.com/connecttest.txt
- browser must be able to reach the above URLs, meaning:
Having that resolved, and the option "enable captive portal detection" in the NAM profile, I now have AnyConnect responding way faster when connecting to a GUEST WIFI. It displays the message "Action needed, no internet. Open browser and connect". And the default browser opens on the guest portal.
However, I still have an issue because the browser is still trying to reach the captive portal through the unreachable proxy. And I can't add all the captive portals as proxy exceptions, as the list would be huge and complex to maintain. I'm still looking for a solution to bypass the proxy during this connection phase.
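An added example, not part of any poster's message and not Cisco or Microsoft code: a way to check the two prerequisites listed in the post above from the endpoint, by resolving the probe host and fetching connecttest.txt directly, with proxy settings ignored and redirects not followed. The expected body "Microsoft Connect Test" and the result labels are assumptions of this example; they do not appear in the thread.

```python
import socket
import urllib.error
import urllib.request

PROBE_HOST = "www.msftconnecttest.com"        # host named in the post above
PROBE_URL = "http://" + PROBE_HOST + "/connecttest.txt"
EXPECTED_BODY = "Microsoft Connect Test"      # assumption: body served by the real endpoint


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, body, location=None):
    """Map one probe response to a diagnosis (pure function, no network)."""
    if status == 200 and body.strip() == EXPECTED_BODY:
        return "open"              # answered by the real probe endpoint
    if status in (301, 302, 303, 307, 308) and location:
        return "captive-portal"    # hotspot redirected the probe to its login page
    if status == 200:
        return "captive-portal"    # hotspot answered in place of the probe
    if status == 407:
        return "proxy-in-path"     # 407 is only ever sent by a proxy
    return "unknown"


def probe(timeout=5):
    """Run the probe directly, ignoring system and environment proxy settings."""
    try:
        socket.getaddrinfo(PROBE_HOST, 80)
    except socket.gaierror:
        return "dns-failure"       # first prerequisite from the post is not met
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), _NoRedirect())  # {} disables proxy lookup
    try:
        with opener.open(PROBE_URL, timeout=timeout) as resp:
            body = resp.read(512).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        return classify(err.code, "", err.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return "unreachable"       # second prerequisite from the post is not met


if __name__ == "__main__":
    print(probe())
```

A "captive-portal" result from this direct probe, while the browser still cannot load the portal, points at the browser's proxy configuration rather than at DNS or at the hotspot.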