IOS SSL WebVPN anyconnect 2.5.1025 - Start Before Logon

Unanswered Question
Sep 3rd, 2010

I have an 1841 router set up with SSL VPN using the AnyConnect client. Before upgrading to AnyConnect 2.5 I had 2.3 installed, and the start before logon feature worked for XP hosts but not for Windows 7. So I upgraded. Now when trying to do start before logon I get "Network Access: Blocked - Web Authentication Required". From what I have read this is for captive portal detection. The internet connection I am testing on does not have a captive portal. I have looked through the AnyConnect 2.5 configuration guide, the release notes and the IOS 15.1 guides and can't find anything. Any help would be appreciated.

Show Ver:

Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(2)T1, RELEASE SOFTWARE (fc1)

Cisco 1841 (revision 7.0) with 293888K/99328K bytes of memory.
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125952K bytes of ATA CompactFlash (Read/Write)

User Auth is being done via SecureACS and it is also assigning an ACL to the session that is configured on the router.

Cisco av-pair:

webvpn:user-vpn-group=POLICY1
webvpn:addr=XX.XX.XX.XX
webvpn:inacl=ACLPOLICY1

Attached are my Config, XML Profile and WebVPN Debug.

Jason Gervia Fri, 09/03/2010 - 12:15

I would check your other profile (profile2.xml) as it doesn't look like you have TND enabled on that profile - so it may be enabled on the profile.  Also, there is an anyconnect event log in event viewer that should tell you what profile it's reading and what the anyconnect client is doing when it is trying to connect.

kkasselman Fri, 09/03/2010 - 14:18

Profile1 is the profile being used. Profile2 is the exact same without the start before logon option. Since I have TND disabled I shouldn't have to add any more config, right?

I checked the Anyconnect log and here is what stands out.  I see in the event where it bypasses start before login "apilpc::processTerminate"

Then the next event is "HTTPS probe to "mygatewayIP" resulted in a redirect"

Jason Gervia Wed, 09/08/2010 - 15:32

If AC is detecting a redirect, it's likely you have antivirus (or some other software) doing some inspection of SSL traffic - try disabling the inspection (or the software entirely) and AC 2.5 might work.

--Jason

bobclark75 Sat, 11/20/2010 - 06:30

Check out the bug report. CSCtb73337

The problem is that the client is unable to verify the certificate that is being used. If it is self-signed or from a certificate authority that isn't trusted by the client computer, AnyConnect 2.5 sees it as an invalid response to the attempt to verify connectivity. Instead of reporting an SSL problem it simply says that web authentication (because of a captive portal) is required. It isn't exactly a bug as much as a feature. However, the wording could be better in the message.
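
The two diagnoses in this thread (Jason's "something is rewriting the HTTPS probe into a redirect" and bobclark75's "the probe fails certificate validation and is mis-reported as a captive portal") can be told apart from the client side with a small probe of your own. The script below is an added example written for this page; it is not Cisco's code and not from any poster. It repeats what the client's connectivity check does in outline (GET / over TLS to the gateway with certificate and hostname validation against the OS trust store) and reports a validation failure as exactly that rather than as "web authentication required". The gateway name vpn.example.net and the simulated outcomes are constructed for the demonstration; the ProbeResult verdict strings are this script's own, not AnyConnect's.

```python
"""Stand-alone HTTPS probe that distinguishes an untrusted gateway certificate
from a real captive-portal redirect.

Added example for this thread, not Cisco's code. Run with a gateway host as the
first argument, or without arguments to see the constructed sample outcomes.
"""
import http.client
import ssl
import sys
import urllib.parse
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A fetch callable performs the request and returns (status, Location header),
# or raises the same exceptions the ssl/socket layers raise. Keeping it
# pluggable lets the classification run offline against simulated outcomes.
Fetch = Callable[[], Tuple[int, Optional[str]]]


@dataclass
class ProbeResult:
    verdict: str  # "ok" | "captive_portal" | "untrusted_certificate" | "unreachable" | "unexpected"
    detail: str


def https_fetch(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """GET / over TLS with full chain and hostname validation (OS trust store)."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "gateway-probe"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify_probe(host: str, fetch: Fetch) -> ProbeResult:
    try:
        status, location = fetch()
    except ssl.SSLCertVerificationError as exc:
        # The TLS layer rejected the gateway's chain (self-signed or untrusted CA).
        # This is the case bobclark75 describes: not a captive portal at all.
        return ProbeResult("untrusted_certificate", f"{host}: {exc}")
    except OSError as exc:
        # Socket errors, timeouts and other ssl.SSLError cases all subclass OSError.
        return ProbeResult("unreachable", f"{host}: {exc}")

    if 300 <= status < 400:
        if not location:
            return ProbeResult("unexpected", f"{host}: HTTP {status} without Location")
        target = urllib.parse.urlsplit(location).hostname
        if target and target.lower() == host.lower():
            # The gateway redirecting to its own login page is normal WebVPN behaviour.
            return ProbeResult("ok", f"{host}: redirected within gateway to {location}")
        # A redirect to a different host is what a captive portal, or an SSL
        # inspecting proxy as in Jason's suggestion, produces.
        return ProbeResult("captive_portal", f"{host}: redirected off-gateway to {location}")
    if 200 <= status < 300:
        return ProbeResult("ok", f"{host}: HTTP {status}")
    return ProbeResult("unexpected", f"{host}: HTTP {status}")


def _simulate_self_signed() -> Tuple[int, Optional[str]]:
    # Constructed failure mirroring what ssl raises for an untrusted chain.
    raise ssl.SSLCertVerificationError("certificate verify failed: self signed certificate")


def _simulate_timeout() -> Tuple[int, Optional[str]]:
    raise TimeoutError("timed out")  # TimeoutError is an OSError subclass


# Constructed sample outcomes (no network needed), keyed by scenario.
SIMULATED = {
    "trusted_gateway": lambda: (200, None),
    "gateway_login_redirect": lambda: (302, "https://vpn.example.net/webvpn.html"),
    "hotel_portal": lambda: (302, "http://portal.hotel.example/login"),
    "self_signed_gateway": _simulate_self_signed,
    "timed_out": _simulate_timeout,
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        gw = sys.argv[1]
        print(classify_probe(gw, lambda: https_fetch(gw)))
    else:
        for name, fetch in SIMULATED.items():
            print(f"{name:24s} -> {classify_probe('vpn.example.net', fetch)}")
```

If the verdict against your real gateway is untrusted_certificate, the fix is on the trust side (install the issuing CA, or the router's self-signed certificate, in the Windows machine store so it is trusted before logon), not in the TND profile settings. A captive_portal verdict on a network you know has no portal points at something between the client and the gateway rewriting the TLS session, which is the inspection software Jason mentions.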
