AnyConnect Captive Portal

Solved
Scotsdave
Just browsing

Hi guys, I hope you can help. I've been spending weeks looking at this and pulling my hair out; it seems to be a fairly common issue with nobody really saying what they did to fix it.

 

The issue I'm having is with clients that are inside the network behind the MX hosting the AnyConnect VPN server. They are getting a warning about being behind a captive portal.

I have disabled captive portal detection and disabled it being user configurable.

<DisableCaptivePortalDetection UserControllable="true">true</DisableCaptivePortalDetection>

using the VPN profile editor tool and configured trusted network with DNS suffix and DNS servers or either (multiple profiles to test effect).

I can see the following in the DART logs:

VPN STATE : Disconnected

Network State: Web Authentication Required

Network control state: Network Access: Available

Network Type: Trusted.

 

I'm pushing the AnyConnect client with Intune, using a PowerShell script to install the MSIs and copy the Profile.xml to C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile.

This is only installed on Windows 11 machines and we are using the 5.1.0.136 Anyconnect client.

 

After Installation I can see that the option to toggle captive portal detection is still user configurable and is not ticked. If I tick it manually it disables and shows the Trusted Network symbol in the GUI.

 

So it seems I am missing an XML configuration or registry setting somewhere.

I have edited the following XML files that have the captive portal option.

C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\Profile.xml

C:\ProgramData\Cisco\Cisco Secure Client\VPN\preferences_global.xml

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\preferences.xml

C:\Users\%username%\AppData\Local\Cisco\Cisco Secure Client\VPN\preferences.xml

 

If I set the files to disable captive portal true then the tick box does change in the GUI but the client doesn't do it.

 

Meraki support so far have been unable to help and have directed me to Cisco for support, but I'm not sure how I go about doing that when all my licensing is with Meraki for support.

 

Thanks for your help.

 

David


14 Replies
alemabrahao
Kind of a big deal

Hi,

 

The correct path is:
 
C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\Profile.xml

 

The DisableCaptivePortalDetection tag should be set to true. You've mentioned that you've done this, but it might be worth double-checking.

 

Check the registry settings on the client machines. There might be a setting that’s overriding the XML configuration.

 

Maybe it will help you.

 

Use AnyConnect Captive Portal Detection and Remediation - Cisco

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Scotsdave
Just browsing

Thanks for the reply.

 

The path you have posted is where I have been pushing the XML to.

 

This is happening on a clean machine with nothing else installed except the VPN client, so I can't see anything in the registry affecting it, unless there are registry settings for the AnyConnect client.

alemabrahao
Kind of a big deal

Did you see the link I sent? There is some useful information there. This is not a problem in MX, but something in your XML configuration.

Scotsdave
Just browsing

Hi, yes I've read the page; I've looked at it several times before posting.

 

I generated the XML file using the Cisco VPN Profile tool. So I have not free hand edited the document.

 

It discusses the Certificate being wrong in the ASA and to check it. The Certificate in the MX is generated by the Meraki dashboard for the DDNS name assigned so I can't check or edit that.

 

The behaviour is only happening on the network that hosts the VPN. I can avoid the behaviour if I can get the XML to disable the captive portal detection, as ticking the boxes manually works.

 

The VPN profile tool is also a checkbox exercise to generate the XML, so it's pretty foolproof. I have found many other people with the same issue, which seems to be fixed by pushing the profile from the MX, but I'd rather it worked from day 1 before connecting.

 

Which part do you think I've missed?

alemabrahao
Kind of a big deal

Have you tried disabling it in the VPN preferences instead of the VPN profile tool?

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Troubleshoo...

Scotsdave
Just browsing

Yes, as a troubleshooting task I disabled it. When doing it from the VPN Preferences it works and detects the trusted network fine.

 

But I need to automate it as I'm pushing this out to 200 devices.

alemabrahao
Kind of a big deal

So disable it like this and copy the XML file to the other machines; that should work.

Scotsdave
Just browsing

It doesn't change the Profile.xml when changed this way. It does change the Globalpreferences.xml and the Preferences.xml.

 

Changing these XML files manually outside the VPN client GUI ticks the box to disable but doesn't actually take effect. So it looks like it's disabled, but the client still complains about a captive portal.

alemabrahao
Kind of a big deal

It worked for me by editing this file.

 

C:\ProgramData\Cisco\Cisco Secure Client\VPN\preferences_global.xml

 

Otherwise, contact Cisco.

Scotsdave
Just browsing

I edited this file as per my original post. It does enable the tick in the client, but it doesn't actually work. Thanks for your help though.

alemabrahao
Kind of a big deal

I know you've already tried, but change these two files and reboot the machine and see if the problem still happens.

 

C:\Users\My_user\AppData\Local\Cisco\Cisco Secure Client\preferences.xml

C:\ProgramData\Cisco\Cisco Secure Client\VPN\preferences_global.xml

 

If it still doesn't work, I think you'll have to configure it machine by machine.

Scotsdave
Just browsing

Thanks for taking the time to look at it. I'll try sending those files with the package and see what happens on my test machine.

Scotsdave
Just browsing

@alemabrahao thanks for helping with this.

 

I have got it working. Reboot seems to be key to this once the XML files have been deployed, unless it's a fresh install.

 

Copy preferences.xml and preferences_global.xml from a new machine after you have disabled captive portal detection.

 

Do not connect to the VPN on your new machine or it will store your credentials as the defaults via the XML files.

 

Your XML files should have the following line in them:

<DisableCaptivePortalDetection>true</DisableCaptivePortalDetection>

 

I'm using the following script to deploy the software via Intune in case it helps anyone in the future. Detection method is the MSI product code.

 

# Starts installation of components and waits for completion
Start-Process msiexec.exe -ArgumentList "/i core.msi /qn /norestart" -Wait
Start-Process msiexec.exe -ArgumentList "/i sbl.msi /qn /norestart" -Wait

# Copies the VPN profile and the global preferences to the local machine
Copy-Item .\Profile.xml -Destination "C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile" -Force
Copy-Item .\preferences_global.xml -Destination "C:\ProgramData\Cisco\Cisco Secure Client\VPN" -Force

# Replace the per-user VPN preferences file in every local user profile that already has one.
# -ExpandProperty returns the folder names as strings; "$_.Name" outside a pipeline block is empty.
$paths = Get-ChildItem -Directory C:\Users | Select-Object -ExpandProperty Name

ForEach ($path in $paths) {
    $prefs = "C:\Users\$path\AppData\Local\Cisco\Cisco Secure Client\VPN\Preferences.xml"
    If (Test-Path $prefs) {
        Remove-Item -Path $prefs -Force
        Copy-Item .\preferences.xml -Destination "C:\Users\$path\AppData\Local\Cisco\Cisco Secure Client\VPN\" -Force
    }
}
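As an added example (not from this thread, Cisco or Meraki), the following Intune detection script checks that every file the thread identifies actually contains DisableCaptivePortalDetection set to true, so compliance is judged on the setting itself rather than on the MSI product code alone. It assumes the Cisco Secure Client 5.x paths quoted above and that it runs in the SYSTEM context so the per-user profiles are readable.

```powershell
# Added example: Intune detection script for the captive-portal setting.
# Exit 0 = compliant (setting present in every file), exit 1 = remediation (the deployment script) should run.
# Assumed paths are the Cisco Secure Client 5.x defaults named in the thread.
$ErrorActionPreference = 'Stop'
$tag = 'DisableCaptivePortalDetection'

# Machine-wide files from the thread, plus the per-user preferences.xml of every local profile that has one.
$files = @(
    'C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile\Profile.xml',
    'C:\ProgramData\Cisco\Cisco Secure Client\VPN\preferences_global.xml'
)
$files += @(Get-ChildItem -Directory 'C:\Users' |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Cisco\Cisco Secure Client\VPN\preferences.xml' } |
    Where-Object { Test-Path $_ })

function Test-CaptivePortalDisabled {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "MISSING  $Path" }
    try {
        [xml]$doc = Get-Content -Path $Path -Raw
    } catch {
        return "INVALID  $Path ($($_.Exception.Message))"
    }
    # The tag's parent element and XML namespace differ between Profile.xml and the preferences
    # files, so match on the local name instead of a fixed XPath.
    $node = $doc.SelectSingleNode("//*[local-name()='$tag']")
    if ($null -eq $node) { return "ABSENT   $Path" }
    $value = $node.InnerText.Trim()
    if ($value -ne 'true') { return "NOTTRUE  $Path (value '$value')" }
    return $null   # compliant
}

$problems = @(foreach ($f in $files) { Test-CaptivePortalDisabled -Path $f } | Where-Object { $_ })

if ($problems.Count -eq 0) {
    Write-Output "All $($files.Count) file(s) have $tag = true"
    exit 0
}
$problems | ForEach-Object { Write-Output $_ }
exit 1
```

Pair it with the deployment script as the remediation action; the thread's observation that a reboot is needed before the client honours the files still applies after remediation runs.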
TEAM-ind
Getting noticed

Shouldn't this just work with the settings in the profile?

 

(screenshot attached: TEAMind_0-1731599420115.png)

 

I know that it doesn't, as I am going through the same thing right now. Very frustrating that the preferences are not being taken from the profile.xml.

 

Anyone have a solution that makes the settings apply as they should from a profile as documented here:

 

AnyConnect Client Download and Deployment - Cisco Meraki Documentation
