09-03-2010 10:04 AM - edited 02-21-2020 04:49 PM
I have an 1841 router set up with SSL VPN using the AnyConnect client. Before upgrading to AnyConnect 2.5 I had 2.3 installed and the start-before-logon feature worked for XP hosts but not for Windows 7. So I upgraded. Now when trying to do start before logon I get "Network Access: Blocked - Web Authentication Required". From what I have read this is for captive portal detection. The internet connection I am testing on does not have a captive portal. I have looked through the AnyConnect 2.5 configuration guide, the release notes and the IOS 15.1 guides and can't find anything. Any help would be appreciated.
Show Ver:
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 15.1(2)T1, RELEASE SOFTWARE (fc1)
Cisco 1841 (revision 7.0) with 293888K/99328K bytes of memory.
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125952K bytes of ATA CompactFlash (Read/Write)
User Auth is being done via SecureACS and it is also assigning an ACL to the session that is configured on the router.
Cisco av-pair:
webvpn:user-vpn-group=POLICY1
webvpn:addr=XX.XX.XX.XX
webvpn:inacl=ACLPOLICY1
Attached are my Config, XML Profile and WebVPN Debug.
09-03-2010 12:15 PM
I would check your other profile (profile2.xml), as it doesn't look like you have TND enabled on that profile, so it may be enabled on the profile. Also, there is an AnyConnect event log in Event Viewer that should tell you what profile it's reading and what the AnyConnect client is doing when it is trying to connect.
09-03-2010 02:18 PM
Profile1 is the profile being used. Profile2 is exactly the same without the start-before-logon option. Since I have TND disabled I shouldn't have to add any more config, right?
I checked the AnyConnect log and here is what stands out. I see in the event where it bypasses start before logon "apilpc::processTerminate".
Then the next event is "HTTPS probe to "mygatewayIP" resulted in a redirect".
09-08-2010 06:38 AM
Downgraded to AnyConnect 2.4 and everything is working.
09-08-2010 03:32 PM
If AC is detecting a redirect, it's likely you have antivirus (or some other software) doing some inspection of SSL traffic - try disabling the inspection (or the software entirely) and AC 2.5 might work.
--Jason
11-20-2010 06:30 AM
Check out the bug report. CSCtb73337
The problem is that the client is unable to verify the certificate that is being used. If it is self-signed or from a certificate authority that isn't trusted by the client computer, AnyConnect 2.5 sees it as an invalid response to the attempt to verify connectivity. Instead of reporting an SSL problem it simply says that web authentication (because of a captive portal) is required. It isn't exactly a bug as much as a feature. However, the wording could be better in the message.
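To make the distinction in that last post concrete, here is an added example (not AnyConnect's or Cisco's code, and only a loose imitation of the client's connectivity probe): one verified HTTPS GET against the gateway, with redirects not followed, classified into "reachable", "captive portal redirect", "untrusted certificate" or "unreachable". The gateway URL and the CA bundle path are placeholders you supply; the `demo()` function runs entirely offline on constructed outcomes so you can see each diagnosis without a network.

```python
# Added example, not part of the thread or of AnyConnect: separate a real
# captive-portal redirect from a gateway certificate the client does not trust.
import ssl
import urllib.request
import urllib.error

REACHABLE = "reachable"
CAPTIVE_PORTAL_REDIRECT = "captive_portal_redirect"
UNTRUSTED_CERTIFICATE = "untrusted_certificate"
UNREACHABLE = "unreachable"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx; let it surface as an HTTPError so the caller sees it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, error):
    """Map one probe outcome (an HTTP status, or the error raised) to a diagnosis."""
    if error is not None:
        # Certificate verification failure is the case the thread is about:
        # a self-signed or unknown-CA gateway cert, not a captive portal.
        if isinstance(error, ssl.SSLCertVerificationError):
            return UNTRUSTED_CERTIFICATE
        return UNREACHABLE
    if status is not None and 300 <= status < 400:
        # A redirect away from the gateway is what a captive portal looks like.
        return CAPTIVE_PORTAL_REDIRECT
    return REACHABLE


def probe(url, cafile=None, timeout=5.0):
    """One HTTPS GET with certificate verification on.

    cafile is the CA bundle the client should trust (for example the CA that
    signed the gateway certificate); None uses the platform default store,
    which is what fails for a self-signed or private-CA gateway.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), _NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, None)
    except urllib.error.HTTPError as e:
        # With redirects disabled, 3xx arrives here alongside 4xx/5xx.
        return classify(e.code, None)
    except urllib.error.URLError as e:
        # e.reason carries the underlying ssl or socket error.
        return classify(None, e.reason)


def demo():
    """Constructed outcomes (no network) covering each diagnosis in order."""
    samples = [
        (200, None),
        (302, None),
        (None, ssl.SSLCertVerificationError(
            "certificate verify failed: self-signed certificate")),
        (None, TimeoutError("timed out")),
    ]
    return [classify(status, err) for status, err in samples]


if __name__ == "__main__":
    import sys
    # Placeholder gateway; pass your own URL and optionally a CA bundle path.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://vpn.example.invalid/"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(demo())
    print(probe(target, cafile=bundle))
```

Run `probe()` twice against a gateway that uses a private CA: once with `cafile=None` and once with the CA bundle. If the first returns `untrusted_certificate` and the second `reachable`, the fix is on the client side (install the issuing CA in the machine's trust store), not on the network.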